Cisco WS-C2960-24LC-S Software Configuration Manual

Catalyst 2960 Switch
Software Configuration Guide
Cisco IOS Release 12.2(40)SE
Revised September 2007
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-8603-04


Summary of Contents for Cisco WS-C2960-24LC-S

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    CONTENTS Preface xxix Audience xxix Purpose xxix Conventions Related Publications Obtaining Documentation, Obtaining Support, and Security Guidelines xxxii CHAPTER Overview Features Ease-of-Deployment and Ease-of-Use Features Performance Features Management Options Manageability Features Availability and Redundancy Features...
  • Page 4 Contents Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands 2-10 Accessing the CLI 2-10...
  • Page 5 Initial Configuration Incremental (Partial) Configuration Synchronized Configuration Configuring Cisco IOS Agents Enabling Automated CNS Configuration Enabling the CNS Event Agent Enabling the Cisco IOS CNS Agent Enabling an Initial Configuration Enabling a Partial Configuration 4-11 Displaying CNS Configuration 4-12 Clustering Switches...
  • Page 6 Contents Hostnames 5-12 Passwords 5-13 SNMP Community Strings 5-13 TACACS+ and RADIUS 5-14 LRE Profiles 5-14 Using the CLI to Manage Switch Clusters 5-14 Catalyst 1900 and Catalyst 2820 CLI Considerations 5-14 Using SNMP to Manage Switch Clusters 5-15 CHAPTER Administering the Switch Managing the System Time and Date Understanding the System Clock...
  • Page 7 Contents MAC Addresses and VLANs 6-20 Default MAC Address Table Configuration 6-21 Changing the Address Aging Time 6-21 Removing Dynamic Address Entries 6-22 Configuring MAC Address Notification Traps 6-22 Adding and Removing Static Address Entries 6-24 Configuring Unicast MAC Address Filtering 6-25 Displaying Address Table Entries 6-26...
  • Page 8 Contents Starting TACACS+ Accounting 8-17 Displaying the TACACS+ Configuration 8-17 Controlling Switch Access with RADIUS 8-17 Understanding RADIUS 8-18 RADIUS Operation 8-19 Configuring RADIUS 8-19 Default RADIUS Configuration 8-20 Identifying the RADIUS Server Host 8-20 Configuring RADIUS Login Authentication 8-23 Defining AAA Server Groups 8-25 Configuring RADIUS Authorization for User Privileged Access and Network Services...
  • Page 9 Contents CHAPTER Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Device Roles Authentication Process Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States IEEE 802.1x Host Mode IEEE 802.1x Accounting IEEE 802.1x Accounting Attribute-Value Pairs Using IEEE 802.1x Authentication with VLAN Assignment Using IEEE 802.1x Authentication with Guest VLAN...
  • Page 10 Contents Configuring the Inaccessible Authentication Bypass Feature 9-33 Configuring IEEE 802.1x Authentication with WoL 9-35 Configuring MAC Authentication Bypass 9-36 Configuring NAC Layer 2 IEEE 802.1x Validation 9-37 Configuring Web Authentication 9-38 Disabling IEEE 802.1x Authentication on the Port 9-40 Resetting the IEEE 802.1x Authentication Configuration to the Default Values 9-41 Displaying IEEE 802.1x Statistics and Status...
  • Page 11 Default Smartports Macro Configuration 11-2 Smartports Macro Configuration Guidelines 11-2 Creating Smartports Macros 11-4 Applying Smartports Macros 11-5 Applying Cisco-Default Smartports Macros 11-6 Displaying Smartports Macros 11-8 CHAPTER Configuring VLANs 12-1 Understanding VLANs 12-1...
  • Page 12 Contents Load Sharing Using STP Port Priorities 12-20 Load Sharing Using STP Path Cost 12-22 Configuring VMPS 12-23 Understanding VMPS 12-24 Dynamic-Access Port VLAN Membership 12-24 Default VMPS Client Configuration 12-25 VMPS Configuration Guidelines 12-25 Configuring the VMPS Client 12-25 Entering the IP Address of the VMPS 12-26 Configuring Dynamic-Access Ports on VMPS Clients...
  • Page 13 Configuring Voice VLAN 14-3 Default Voice VLAN Configuration 14-3 Voice VLAN Configuration Guidelines 14-3 Configuring a Port Connected to a Cisco 7960 IP Phone 14-4 Configuring Cisco IP Phone Voice Traffic 14-4 Configuring the Priority of Incoming Data Frames 14-6...
  • Page 14 Contents Configuring the Root Switch 15-14 Configuring a Secondary Root Switch 15-16 Configuring Port Priority 15-16 Configuring Path Cost 15-18 Configuring the Switch Priority of a VLAN 15-19 Configuring Spanning-Tree Timers 15-20 Configuring the Hello Time 15-20 Configuring the Forwarding-Delay Time for a VLAN 15-21 Configuring the Maximum-Aging Time for a VLAN 15-21...
  • Page 15 Contents Configuring a Secondary Root Switch 16-18 Configuring Port Priority 16-19 Configuring Path Cost 16-20 Configuring the Switch Priority 16-21 Configuring the Hello Time 16-22 Configuring the Forwarding-Delay Time 16-23 Configuring the Maximum-Aging Time 16-23 Configuring the Maximum-Hop Count 16-24 Specifying the Link Type to Ensure Rapid Transitions 16-24 Designating the Neighbor Type...
  • Page 16 Contents Joining a Multicast Group 18-3 Leaving a Multicast Group 18-5 Immediate Leave 18-5 IGMP Configurable-Leave Timer 18-5 IGMP Report Suppression 18-6 Configuring IGMP Snooping 18-6 Default IGMP Snooping Configuration 18-6 Enabling or Disabling IGMP Snooping 18-7 Setting the Snooping Method 18-8 Configuring a Multicast Router Port 18-9...
  • Page 17 Contents Default Storm Control Configuration 19-3 Configuring Storm Control and Threshold Levels 19-3 Configuring Protected Ports 19-5 Default Protected Port Configuration 19-6 Protected Port Configuration Guidelines 19-6 Configuring a Protected Port 19-6 Configuring Port Blocking 19-7 Default Port Blocking Configuration 19-7 Blocking Flooded Traffic on an Interface 19-7...
  • Page 18 Contents Monitoring and Maintaining LLDP and LLDP-MED 21-7 CHAPTER Configuring UDLD 22-1 Understanding UDLD 22-1 Modes of Operation 22-1 Methods to Detect Unidirectional Links 22-2 Configuring UDLD 22-4 Default UDLD Configuration 22-4 Configuration Guidelines 22-4 Enabling UDLD Globally 22-5...
  • Page 19 Contents Creating an RSPAN Destination Session and Configuring Incoming Traffic 23-20 Specifying VLANs to Filter 23-21 Displaying SPAN and RSPAN Status 23-22 CHAPTER Configuring RMON 24-1 Understanding RMON 24-1 Configuring RMON 24-2 Default RMON Configuration 24-3 Configuring RMON Alarms and Events 24-3...
  • Page 20 CHAPTER Configuring Cisco IOS IP SLAs Operations 27-1 Understanding Cisco IOS IP SLAs 27-1 Using Cisco IOS IP SLAs to Measure Network Performance 27-2 IP SLAs Responder and IP SLAs Control Protocol 27-3 Response Time Computation for IP SLAs...
  • Page 21 Contents Packet Modification 28-18 Configuring Auto-QoS 28-19 Generated Auto-QoS Configuration 28-20 Effects of Auto-QoS on the Configuration 28-24 Auto-QoS Configuration Guidelines 28-25 Enabling Auto-QoS for VoIP 28-25 Auto-QoS Configuration Example 28-27 Displaying Auto-QoS Information 28-29 Configuring Standard QoS 28-29 Default Standard QoS Configuration 28-30 Default Ingress Queue Configuration 28-30...
  • Page 22 Contents Configuring the Ingress Priority Queue 28-61 Configuring Egress Queue Characteristics 28-62 Configuration Guidelines 28-62 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set 28-62 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 28-65 Configuring SRR Shaped Weights on Egress Queues 28-66...
  • Page 23 Contents Configuring IPv6 MLD Snooping 30-5 Default MLD Snooping Configuration 30-5 MLD Snooping Configuration Guidelines 30-6 Enabling or Disabling MLD Snooping 30-6 Configuring a Static Multicast Group 30-8 Configuring a Multicast Router Port 30-8 Enabling MLD Immediate Leave 30-9 Configuring MLD Snooping Queries 30-10 Disabling MLD Listener Message Suppression 30-11...
  • Page 24 Contents CHAPTER Troubleshooting 32-1 Recovering from a Software Failure 32-2 Recovering from a Lost or Forgotten Password 32-3 Procedure with Password Recovery Enabled 32-4 Procedure with Password Recovery Disabled 32-6 Recovering from a Command Switch Failure 32-7 Replacing a Failed Command Switch with a Cluster Member 32-8...
  • Page 25 Contents APPENDIX Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System...
  • Page 26 Working with Software Images B-23 Image Location on the Switch B-24 tar File Format of Images on a Server or Cisco.com B-24 Copying Image Files By Using TFTP B-25 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 27 Contents Interface Commands Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands MAC Address Commands Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Miscellaneous Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Network Address Translation (NAT) Commands Unsupported Privileged EXEC Commands Unsupported Global Configuration Command Unsupported Interface Configuration Commands...
  • Page 29 This guide is for the networking professional managing the Catalyst 2960 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 30: Related Publications

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps6406/tsd_products_support_series_home.html Before installing, configuring, or upgrading the switch, see these documents: Note: For initial configuration information, see the “Using Express Setup”...
  • Page 31 • For upgrading information, see the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the URL referenced in the “Obtaining Documentation, Obtaining...
  • Page 32 For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 33: Features

    Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 34: Chapter 1 Overview

    Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide. • User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
  • Page 35: Management Options

    • Cisco IOS IP Service Level Agreements (SLAs), a part of Cisco IOS software that uses active traffic monitoring for measuring network performance • Support for Cisco IOS IP Service Level Agreements (SLAs) responder that allows the system to anticipate and respond to Cisco IOS IP SLAs request packets for monitoring network performance.
  • Page 36: Manageability Features

    • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
  • Page 37 (requires the cryptographic version of the software) • Configuration replacement and rollback to replace the running configuration on a switch with any saved Cisco IOS configuration file
  • Page 38: Availability And Redundancy Features

    Chapter 1 Overview Features Availability and Redundancy Features These are the availability and redundancy features: • Enhanced object tracking, which separates the tracking mechanism from HSRP and creates a separate, standalone tracking process that can be used by processes other than HSRP • UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling...
  • Page 39: Vlan Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. • RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability...
  • Page 40 – Port security for controlling access to IEEE 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port • IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 41: Qos And Cos Features

    – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security • Policing...
  • Page 42: Monitoring Features

    Chapter 22, “Configuring DHCP Features and IP Source Guard.” • Switch cluster is disabled. For more information about switch clusters, see Chapter 5, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 43 Chapter 1 Overview Default Settings After Initial Switch Configuration • No passwords are defined. For more information, see Chapter 6, “Administering the Switch.” • System name and prompt is Switch. For more information, see Chapter 6, “Administering the Switch.” • NTP is enabled.
  • Page 44: Network Configuration Examples

    Chapter 1 Overview Network Configuration Examples • IGMP throttling setting is deny. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.” • The IGMP snooping querier feature is disabled. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.” • MVR is disabled.
  • Page 45 Chapter 1 Overview Network Configuration Examples Table 1-1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users.
    Table 1-1 Increasing Network Performance
    Network Demands: Too many users on a single network
    Suggested Design Methods: • Create smaller network segments so that fewer users share the bandwidth, and use...
  • Page 46 (Figure 1-1)—For high-speed access to network resources, you can use the Cisco Catalyst 2960 switches in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
  • Page 47 Chapter 1 Overview Network Configuration Examples [Figure 1-1 residue: Cisco 2600 router, access-layer Catalyst switches] • Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to multilayer switches with routing capability.
  • Page 48: Small To Medium-Sized Network Using Catalyst 2960 Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 49: Long-Distance, High-Bandwidth Transport Configuration

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note.
  • Page 50: Where To Go Next

    Chapter 1 Overview Where to Go Next
    Figure 1-4 Long-Distance, High-Bandwidth Transport Configuration: eight 1-Gbps connections from the access-layer Catalyst switches pass through CWDM OADM modules to form an 8-Gbps link to the aggregation-layer Catalyst 4500 multilayer switches.
    Where to Go Next Before configuring the switch, review these sections for startup information: Chapter 2, “Using the Command-Line Interface”...
  • Page 51: Understanding Command Modes

    CHAPTER Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2960 switch. It contains these sections: • Understanding Command Modes, page 2-1...
  • Page 52: C H A P T E R 2 Using The Command-Line Interface

    Chapter 2 Using the Command-Line Interface Understanding Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch. Table 2-1 Command Mode Summary Mode...
  • Page 53: Understanding The Help System

    Chapter 2 Using the Command-Line Interface Understanding the Help System
    Table 2-1 Command Mode Summary (continued)
    Mode: Interface configuration. Access Method: While in global configuration mode, ... Prompt: Switch(config-if)#. Exit Method: To exit to global configuration mode, ... About This Mode: Use this mode to configure parameters for the Ethernet...
  • Page 54: Understanding Abbreviated Commands

    Chapter 2 Using the Command-Line Interface Understanding Abbreviated Commands Table 2-2 Help Summary (continued) Command Purpose List all commands available for a particular command mode. For example: Switch> ? command ? List the associated keywords for a command. For example: Switch>...
  • Page 55: Understanding Cli Error Messages

    Using Configuration Logging Beginning with Cisco IOS Release 12.2(25)SED, you can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command.
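Turning the feature on, as an added example that is not from the guide: the commands below enable Configuration Change Logging under the archive submode, keep password information out of the logged command text with hidekeys, and copy each entry to a syslog server so the record survives a reload (the on-switch log is held in memory only). The syslog server address 10.0.0.50 and the buffer size are assumptions.

```text
! Added example, not from the guide. Syslog server 10.0.0.50 is an assumption.
Switch# configure terminal
Switch(config)# archive
Switch(config-archive)# log config
! Start recording every configuration command with its user, session and time
Switch(config-archive-log-cfg)# logging enable
! Keep up to 500 entries in the on-switch buffer before the oldest is dropped
Switch(config-archive-log-cfg)# logging size 500
! Suppress password information in the logged command text
Switch(config-archive-log-cfg)# hidekeys
! Emit each log entry as a syslog message as well
Switch(config-archive-log-cfg)# notify syslog
Switch(config-archive-log-cfg)# end
!
! Send syslog off the box; the in-memory change log is lost on reload
Switch# configure terminal
Switch(config)# logging host 10.0.0.50
Switch(config)# logging trap notifications
Switch(config)# end
!
! Review the buffered log (session, user, command, parser return code)
Switch# show archive log config all
```

The attribution is only as good as the login: with a shared local account every entry carries the same user name, so pair this with per-user TACACS+ or RADIUS logins (Chapter 8) if the per-user history is the point of enabling it.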
  • Page 56: Using Command History

    Chapter 2 Using the Command-Line Interface Using Command History Using Command History The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs as described in these sections: Changing the Command History Buffer Size, page 2-6 (optional)
  • Page 57: Disabling The Command History Feature

    Chapter 2 Using the Command-Line Interface Using Editing Features Disabling the Command History Feature The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
  • Page 58 Chapter 2 Using the Command-Line Interface Using Editing Features
    Table 2-5 Editing Commands through Keystrokes (continued)
    Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
    Press Ctrl-A: Move the cursor to the beginning of the command line.
    Press Ctrl-E...
  • Page 59: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Using Editing Features
    Table 2-5 Editing Commands through Keystrokes (continued)
    Scroll down a line or screen on displays that are longer than the terminal screen can display: Press the Return key to scroll down one line...
  • Page 60: Searching And Filtering Output Of Show And More Commands

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
  • Page 61: Chapter 3 Assigning The Switch Ip Address And Default Gateway

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 62: Assigning Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
  • Page 63: Default Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information These sections contain this configuration information: • Default Switch Information, page 3-3 • Understanding DHCP-Based Autoconfiguration, page 3-3 • Manually Assigning IP Information, page 3-10 Default Switch Information Table 3-1 shows the default switch information.
  • Page 64: Dhcp Client Request Process

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DHCP Client Request Process When you boot up your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch. If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces.
  • Page 65: Configuring Dhcp-Based Autoconfiguration

    Example Configuration, page 3-8 • If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 66: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 67: Obtaining Configuration Files

    On interface 10.0.0.2:
    router(config-if)# ip helper-address 20.0.0.2
    router(config-if)# ip helper-address 20.0.0.3
    router(config-if)# ip helper-address 20.0.0.4
    On interface 20.0.0.1:
    router(config-if)# ip helper-address 10.0.0.1
    Figure 3-2 Relay Device Used in Autoconfiguration: the switch (DHCP client) at 10.0.0.1, the Cisco router (relay) with interfaces 10.0.0.2 and 20.0.0.1, and the servers at 20.0.0.2, 20.0.0.3 and 20.0.0.4 behind the router...
  • Page 68: Example Configuration

    Figure 3-3 DHCP-Based Autoconfiguration Network Example: Switch 1 (00e0.9f1e.2001), Switch 2 (00e0.9f1e.2002), Switch 3 (00e0.9f1e.2003) and Switch 4 (00e0.9f1e.2004) reach, through a Cisco router (10.0.0.10), the DHCP server (10.0.0.1), the DNS server (10.0.0.2) and the TFTP server (10.0.0.3, hostname tftpserver). Table 3-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 69 Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information
    Table 3-2 DHCP Server Configuration (continued)
                                                  Switch A        Switch B        Switch C        Switch D
    Boot filename (configuration file) (optional) switcha-confg   switchb-confg   switchc-confg   switchd-confg
    Hostname (optional)                           switcha         switchb         switchc         switchd
    DNS Server Configuration...
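A Cisco IOS DHCP server pool implementing one row of Table 3-2, added here as an example that is not from the guide. The switch MAC address, the DNS and TFTP server addresses and the configuration filename follow Figure 3-3 and Table 3-2; the reserved lease address 10.0.0.21/24, the excluded range and the use of a hardware-address binding are assumptions.

```text
! Added example, not from the guide. Enter on the device acting as the DHCP
! server (10.0.0.1 in Figure 3-3). Lease 10.0.0.21/24 and the excluded range
! are assumptions.
!
! Keep the servers, the router and spare infrastructure addresses out of the
! dynamic range
ip dhcp excluded-address 10.0.0.1 10.0.0.20
!
! Reserved lease for Switch A, keyed on its hardware address
ip dhcp pool switcha
 host 10.0.0.21 255.255.255.0
 hardware-address 00e0.9f1e.2001
 default-router 10.0.0.10
 dns-server 10.0.0.2
 ! Option 150 carries the TFTP server the switch fetches its config from
 option 150 ip 10.0.0.3
 ! Configuration file the switch requests from that TFTP server
 bootfile switcha-confg
!
! After Switch A boots, confirm the binding was handed out:
! show ip dhcp binding
```

If the binding never appears, the switch may be presenting a DHCP client identifier instead of a bare hardware address; client-identifier in place of hardware-address matches on that field. Treat the whole exchange as unauthenticated: whoever answers DHCP and TFTP on that segment decides what configuration the switch boots with, so keep these servers on an isolated staging network and keep long-lived credentials out of the switcha-confg file.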
  • Page 70: Manually Assigning Ip Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs): Command Purpose Step 1 configure terminal...
  • Page 71: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration...
  • Page 72: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 73: Booting Manually

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration To return to the default setting, use the no boot config-file global configuration command. Booting Manually By default, the switch automatically boots up; however, you can configure it to manually boot up. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot up during the next boot cycle: Command...
  • Page 74: Booting A Specific Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Booting a Specific Software Image By default, the switch attempts to automatically boot up the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
  • Page 75 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 76: Scheduling A Reload Of The Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 77: Displaying Scheduled Reload Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image This example shows how to reload the software on the switch at a future time:
    Switch# reload at 02:00 jun 20
    Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
    Proceed with reload? [confirm]
    To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
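The procedures above (manually assigning IP information to an SVI, choosing the image and configuration file the switch boots, and scheduling the reload) carried through as one added example that is not from the guide. The management address, default gateway, image filename and reload time are assumptions; config.text is the default configuration filename the guide names.

```text
! Added example, not from the guide. Addresses, the image filename and the
! reload time are assumptions.
Switch# configure terminal
! Management address on the VLAN 1 SVI, plus the gateway off the subnet
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.0.0.21 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.0.0.10
!
! Tell the boot loader which image and configuration file to use next time
Switch(config)# boot system flash:/c2960-lanbasek9-mz.122-40.SE/c2960-lanbasek9-mz.122-40.SE.bin
Switch(config)# boot config-file flash:config.text
! Keep automatic boot (the default); "boot manual" would leave the switch at
! the boot loader prompt after every power cycle until someone types boot
Switch(config)# no boot manual
Switch(config)# end
!
! Confirm the BOOT and CONFIG_FILE environment variables before rebooting
Switch# show boot
!
! Write the running configuration to config.text, then schedule the reload
Switch# copy running-config startup-config
Switch# reload at 02:00 jun 20 scheduled image upgrade
Switch# show reload
! If the window is missed or the change is withdrawn:
Switch# reload cancel
```

The reload fires on the switch's own clock: the guide's sample output shows a 1996 date, which is what an unsynchronised clock looks like, so set NTP or the clock before trusting reload at, or use reload in with a relative delay.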
  • Page 79: Chapter 4 Configuring Cisco Ios Cns Agents

    CHAPTER Configuring Cisco IOS CNS Agents This chapter describes how to configure the Cisco IOS CNS agents on the Catalyst 2960 switch. Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html...
  • Page 80: Chapter 4 Configuring Cisco IOS CNS Agents

    URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 81: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 82: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 83: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: • Initial Configuration, page 4-5...
  • Page 84: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 85 Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at this URL: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/products_installation_and_configuration_guide_book09186a00803b59db.html...
  • Page 86: Enabling The Cns Event Agent

    Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:...
  • Page 87: Enabling the Cisco IOS CNS Agent

    Enabling the Cisco IOS CNS Agent
    After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
    • The cns config initial global configuration command enables the Cisco IOS agent and initiates an ...
  • Page 88

    ... ID, or enter an arbitrary text string for string string as the unique ID.
    Step 8: cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
    Purpose: Enable the Cisco IOS agent, and initiate an initial configuration.
    • For {ip-address | hostname}, enter the IP address or ...
  • Page 89: Enabling a Partial Configuration

    RemoteSwitch(config)# cns id Ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist
    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: ...
  • Page 90: Displaying CNS Configuration

    Displaying CNS Configuration
    Command: show cns config connections
    Purpose: Displays the status of the CNS Cisco IOS agent connections.
    Command: show cns config outstanding
    Purpose: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
    Command: show cns config stats
    Purpose: Displays statistics about the Cisco IOS agent.
  • Page 91: Chapter 5 Clustering Switches

    Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 92

    Table 5-1 Switch Software and Cluster Capability
    Switch | Cisco IOS Release | Cluster Capability
    Catalyst 3750 | 12.1(11)AX or later | Member or command switch
    Catalyst 3560 | 12.1(19)EA1b or later | ...
  • Page 93: Cluster Command Switch Characteristics

    • It has an IP address.
    • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
    • It is not a command or cluster member switch of another cluster.
    • It is connected to the standby cluster command switches through the management VLAN and to the ...
  • Page 94: Planning a Switch Cluster

    ... Java plug-in configurations.
    Automatic Discovery of Cluster Candidates and Members
    The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 95: Discovery Through CDP Hops

    Chapter 5 Clustering Switches: Planning a Switch Cluster
    Following these connectivity guidelines ensures automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices:
    • Discovery Through CDP Hops, page 5-5
    • Discovery Through Non-CDP-Capable and Noncluster-Capable Devices, page 5-6
    • Discovery Through Different VLANs, page 5-6
    • ...
  • Page 96: Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
    If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 97: Discovery Through Different Management VLANs

    [Figure 5-3 Discovery Through Different VLANs: command device, VLAN 62, VLAN 50, VLAN 16, VLAN trunks 9,16 and 4,16]
    Discovery Through Different Management VLANs
    Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.
  • Page 98: Discovery of Newly Installed Switches

    [Figure 5-4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch: command device, standby command device, VLANs 9, 16 and 62, Device 3 (management VLAN 16), Device 5, Device 6 (management ...]
  • Page 99: HSRP and Standby Cluster Command Switches

    [Figure 5-5 Discovery of Newly Installed Switches: command device, VLAN 9, VLAN 16, Device A, Device B, new (out-of-box) candidate devices]
    HSRP and Standby Cluster Command Switches
    The switch uses Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.
  • Page 100: Virtual IP Addresses

    These connectivity guidelines ensure automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices. These topics also provide more detail about standby cluster command switches:
    • Virtual IP Addresses, page 5-10 ...
  • Page 101: Automatic Recovery of Cluster Configuration

    • All standby-group members must be members of the cluster.
    Note: There is no limit to the number of switches that you can assign as standby cluster command switches. However, the total number of switches in the cluster—which would include the active cluster command switch, standby-group members, and cluster member switches—cannot be more than 16.
  • Page 102: IP Addresses

    Automatic discovery has these limitations:
    • This limitation applies only to clusters that have Catalyst 2950, Catalyst 3550, Catalyst 3560, and Catalyst 3750 command and standby cluster command switches: If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the active cluster command switch.
  • Page 103: Passwords

    If a switch joins a cluster and it does not have a hostname, the cluster command switch appends a unique member number to its own hostname and assigns it sequentially as each switch joins the cluster. The number indicates the order in which the switch was added to the cluster.
  • Page 104: TACACS+ and RADIUS

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 105: Using SNMP to Manage Switch Clusters

    Chapter 5 Clustering Switches: Using SNMP to Manage Switch Clusters
    Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 cluster member switches running standard and Enterprise Edition Software as follows:
    • If the command-switch privilege level is 1 to 14, the cluster member switch is accessed at privilege ...
  • Page 106

    If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 26, “Configuring SNMP.” ...
  • Page 107: Managing the System Time and Date

    ... Network Time Protocol (NTP), or manual configuration methods.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 108: Chapter 6 Administering the Switch

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 109: Configuring NTP

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 110: Default NTP Configuration

    Chapter 6 Administering the Switch: Managing the System Time and Date
    These sections contain this configuration information:
    • Default NTP Configuration, page 6-4
    • Configuring NTP Authentication, page 6-4
    • Configuring NTP Associations, page 6-5
    • Configuring NTP Broadcast Service, page 6-6
    • ...
  • Page 111: Configuring NTP Associations

    Step 3: ntp authentication-key number md5 value
    Purpose: Define the authentication keys. By default, none are defined.
    • For number, specify a key number. The range is 1 to ...
  • Page 112: Configuring NTP Broadcast Service

    Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
    Step 2: ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
    Purpose: Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
  • Page 113

    The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it.
  • Page 114: Configuring NTP Access Restrictions

    Step 5: ntp broadcastdelay microseconds
    Purpose: (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
    Step 6: Return to privileged EXEC mode.
  • Page 115

    Step 3: access-list access-list-number permit source [source-wildcard]
    Purpose: Create the access list.
    • For access-list-number, enter the number specified in Step 2.
    • Enter the permit keyword to permit access if the conditions are matched.
  • Page 116: Configuring the Source IP Address for NTP Packets

    Disabling NTP Services on a Specific Interface
    NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface: ...
  • Page 117: Displaying the NTP Configuration

    Note: For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 118: Displaying the Time and Date Configuration

    Displaying the Time and Date Configuration
    To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
  • Page 119: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time)
    Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: ...
  • Page 120: Configuring a System Name and Prompt

    A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
  • Page 121: Default System Name and Prompt Configuration

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 122: Default DNS Configuration

    Chapter 6 Administering the Switch: Configuring a System Name and Prompt
    These sections contain this configuration information:
    • Default DNS Configuration, page 6-16
    • Setting Up DNS, page 6-16
    • Displaying the DNS Configuration, page 6-17
    Default DNS Configuration
    Table 6-2 shows the default DNS configuration.
  • Page 123: Displaying the DNS Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 124: Configuring a Message-of-the-Day Login Banner

    Chapter 6 Administering the Switch: Creating a Banner
    Configuring a Message-of-the-Day Login Banner
    You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: ...
  • Page 125: Configuring a Login Banner

    Chapter 6 Administering the Switch: Managing the MAC Address Table
    Configuring a Login Banner
    You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: ...
  • Page 126: Building the Address Table

    These sections contain this configuration information:
    • Building the Address Table, page 6-20
    • MAC Addresses and VLANs, page 6-20
    • Default MAC Address Table Configuration, page 6-21
    • Changing the Address Aging Time, page 6-21
    • ...
  • Page 127: Default MAC Address Table Configuration

    Default MAC Address Table Configuration
    Table 6-3 shows the default MAC address table configuration.
    Table 6-3 Default MAC Address Table Configuration
    Feature | Default Setting
    Aging time | 300 seconds
    Dynamic addresses | Automatically learned
    Static addresses | None configured
    ...
  • Page 128: Removing Dynamic Address Entries

    Removing Dynamic Address Entries
    To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
  • Page 129

    Step 5: mac address-table notification [interval value] | [history-size value]
    Purpose: Enter the trap interval time and the history table size.
    • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS.
  • Page 130: Adding and Removing Static Address Entries

    Adding and Removing Static Address Entries
    A static address has these characteristics:
    • It is manually entered in the address table and must be manually removed.
    • It can be a unicast or multicast address.
    • ...
  • Page 131: Configuring Unicast MAC Address Filtering

    Configuring Unicast MAC Address Filtering
    When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.
  • Page 132: Displaying Address Table Entries

    ... (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed.
    Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation > ...
  • Page 133: Chapter 7 Configuring SDM Templates

    Chapter 7 Configuring SDM Templates
    This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 2960 switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 134: Configuring the Switch SDM Template

    Chapter 7 Configuring SDM Templates: Configuring the Switch SDM Template
    Table 7-1 Approximate Number of Feature Resources Allowed by Each Template (continued)
    Resource | Default | Dual
    IPv6 multicast groups | ... | ...
    Directly connected IPv6 addresses | ... | ...
    Indirect IPv6 unicast routes | ... | ...
    IPv4 policy-based routing aces | ... | ...
    IPv4 MAC QoS ACEs | ... | ...
    IPv4 MAC security ACEs | ... | ...
    IPv6 policy-based routing aces | ... | ...
  • Page 135: Displaying the SDM Templates

    Step 2: sdm prefer {default | dual-ipv4-and-ipv6 | qos}
    Purpose: Specify the SDM template to be used on the switch. The keywords have these meanings:
    • default—Gives balance to all functions.
    • ...
  • Page 137: Configuring Switch-Based Authentication

    Chapter 8 Configuring Switch-Based Authentication
    This chapter describes how to configure switch-based authentication on the Catalyst 2960 switch. It consists of these sections:
    • Preventing Unauthorized Access to Your Switch, page 8-1
    • Protecting Access to Privileged EXEC Commands, page 8-2
    • ...
  • Page 138: Chapter 8 Configuring Switch-Based Authentication

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > ...
  • Page 139: Setting or Changing a Static Enable Password

    Chapter 8 Configuring Switch-Based Authentication: Protecting Access to Privileged EXEC Commands
    Setting or Changing a Static Enable Password
    The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: ...
  • Page 140

    ... The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
    • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you ...
  • Page 141: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 142: Setting a Telnet Password for a Terminal Line

    Setting a Telnet Password for a Terminal Line
    When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
  • Page 143: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels
    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 144: Setting the Privilege Level for a Command

    Setting the Privilege Level for a Command
    Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
  • Page 145: Changing the Default Privilege Level for Lines

    Changing the Default Privilege Level for Lines
    Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
  • Page 146: Controlling Switch Access with TACACS+

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 147

    Chapter 8 Configuring Switch-Based Authentication: Controlling Switch Access with TACACS+
    [Figure 8-1 Typical TACACS+ Network Configuration: Catalyst 6500 series switch; UNIX workstation (TACACS+ server 1) 171.20.10.7; UNIX workstation (TACACS+ server 2) 171.20.10.8]
    Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 148: TACACS+ Operation

    TACACS+ Operation
    When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
    1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 149: Default TACACS+ Configuration

    ... authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 150: Configuring TACACS+ Login Authentication

    Step 3: aaa new-model
    Purpose: Enable AAA.
    Step 4: aaa group server tacacs+ group-name
    Purpose: (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
    Step 5: server ip-address
    Purpose: (Optional) Associate a particular TACACS+ server with the defined server ...
  • Page 151

    Step 3: aaa authentication login {default | list-name} method1 [method2...]
    Purpose: Create a login authentication method list.
    • To create a default list that is used when a named list is not specified ...
  • Page 152: Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 153: Starting TACACS+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > ...
  • Page 154: Understanding RADIUS

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 155: RADIUS Operation

    Chapter 8 Configuring Switch-Based Authentication: Controlling Switch Access with RADIUS
    [Figure 8-2 Transitioning from RADIUS to TACACS+ Services: RADIUS servers, TACACS+ server, remote TACACS+ server, workstation]
    RADIUS Operation
    When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
    1. The user is prompted to enter a username and password.
  • Page 156: Default RADIUS Configuration

    ... software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 157

    A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch.
  • Page 158

    Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
    Step 2: radius-server host {hostname | ...
    Purpose: Specify the IP address or hostname of the remote RADIUS server host.
  • Page 159: Configuring RADIUS Login Authentication

    This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
    Switch(config)# radius-server host host1
    Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.
  • Page 160

    Step 3: aaa authentication login {default | list-name} method1 [method2...]
    Purpose: Create a login authentication method list.
    • To create a default list that is used when a named list is not specified ...
  • Page 161: Defining AAA Server Groups

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 162

    Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
    Step 2: radius-server host {hostname | ...
    Purpose: Specify the IP address or hostname of the remote RADIUS server host.
  • Page 163: Configuring RADIUS Authorization for User Privileged Access and Network Services

    Step 8: copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
    Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 8-23.
  • Page 164: Starting RADIUS Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 165: Configuring Settings for All RADIUS Servers

    ... 1, which is named cisco-avpair. The value is a string with this format:
    protocol : attribute sep value *
    Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 166

    Note: For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 167: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 168: Configuring the Switch for Local Authentication and Authorization

    Chapter 8 Configuring Switch-Based Authentication: Configuring the Switch for Local Authentication and Authorization
    You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
  • Page 169: Configuring the Switch for Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 170: Limitations

    Chapter 8 Configuring Switch-Based Authentication: Configuring the Switch for Secure Shell
    The switch supports an SSHv1 or an SSHv2 server. The switch supports an SSHv1 client. SSH supports the Data Encryption Standard (DES) encryption algorithm, the Triple DES (3DES) encryption algorithm, and password-based user authentication. SSH also supports these user authentication methods:
    • ...
  • Page 171: Setting Up the Switch to Run SSH

    Setting Up the Switch to Run SSH
    Follow these steps to set up your switch to run SSH:
    1. Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
    2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 172: Configuring the SSH Server

    Configuring the SSH Server
    Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
    Step 1: configure terminal
    Purpose: Enter global configuration mode.
    Step 2: ip ssh version [1 | 2]
    Purpose: (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  • Page 173: Displaying The Ssh Configuration And Status

    Displaying Secure HTTP Server and Client Status, page 8-43 • For configuration examples and complete syntax and usage information for the commands used in this section, see the “HTTPS - HTTP Server and Client with SSL 3.0” feature description for Cisco IOS Release 12.2(15)T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a008015a4c6.
  • Page 174: Certificate Authority Trustpoints

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 175: Ciphersuites

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 176: Configuring Secure Http Servers And Clients

    Configuring the Switch for Secure Socket Layer HTTP. Configuring Secure HTTP Servers and Clients. These sections contain this configuration information:
    • Default SSL Configuration, page 8-40
    • SSL Configuration Guidelines, page 8-40
    • Configuring a CA Trustpoint, page 8-40
    • Configuring the Secure HTTP Server, page 8-41
    ...
  • Page 177: Configuring The Secure Http Server

    Step 7: enrollment http-proxy host-name port-number. Purpose: (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server.
    Step 8: crl query url. Purpose: Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
  • Page 178

    Step 5: ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}. Purpose: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
  • Page 179: Configuring The Secure Http Client

    Configuring the Secure HTTP Client. The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch.
  • Page 180: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 181: Understanding Ieee 802.1X Port-Based Authentication

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > ...
  • Page 182: C H A P T E R 9 Configuring Ieee 802.1X Port-Based Authentication

    Chapter 9 Configuring IEEE 802.1x Port-Based Authentication, Understanding IEEE 802.1x Port-Based Authentication:
    • IEEE 802.1x Accounting, page 9-8
    • IEEE 802.1x Accounting Attribute-Value Pairs, page 9-8
    • Using IEEE 802.1x Authentication with VLAN Assignment, page 9-9
    • Using IEEE 802.1x Authentication with Guest VLAN, page 9-11
    • Using IEEE 802.1x Authentication with Restricted VLAN, page 9-12
    ...
  • Page 183: Authentication Process

    ... in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 184

    Figure 9-2 shows the authentication process. [Figure 9-2: Authentication Flowchart; decision points: Is the client IEEE 802.1x capable? Is MAC authentication bypass enabled? IEEE 802.1x authentication process times out.] The switch gets an EAPOL message, and the EAPOL...
  • Page 185: Authentication Initiation And Message Exchange

    The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.
  • Page 186

    Figure 9-3 Message Exchange (Client, Switch, Authentication server (RADIUS)):
    1. Client to switch: EAPOL-Start
    2. Switch to client: EAP-Request/Identity
    3. Client to switch: EAP-Response/Identity; switch to server: RADIUS Access-Request
    4. Server to switch: RADIUS Access-Challenge; switch to client: EAP-Request/OTP
    5. Client to switch: EAP-Response/OTP; switch to server: RADIUS Access-Request
    6. Server to switch: RADIUS Access-Accept; switch to client: EAP-Success; Port Authorized
    7. Client to switch: EAPOL-Logoff; Port Unauthorized
    If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the client.
  • Page 187: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States. During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for IEEE 802.1x authentication, CDP, and STP packets.
  • Page 188: Ieee 802.1X Accounting

    In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. Figure 9-5 on page 9-8 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access.
  • Page 189: Using Ieee 802.1X Authentication With Vlan Assignment

    You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a008...
  • Page 190

    When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics:
    • If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port ...
  • Page 191: Using Ieee 802.1X Authentication With Guest Vlan

    VLAN state. In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.
  • Page 192: Using Ieee 802.1X Authentication With Restricted Vlan

    ... client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” ...
  • Page 193: Using Ieee 802.1X Authentication With Inaccessible Authentication Bypass

    Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass In Cisco IOS Release 12.2(25)SEE and later, when the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports.
  • Page 194: Using Ieee 802.1X Authentication With Voice Vlan Ports

    If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 195: Using Ieee 802.1X Authentication With Wake-On-Lan

    IEEE 802.1x authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an IEEE 802.1x port.
  • Page 196: Using Ieee 802.1X Authentication With Mac Authentication Bypass

    If PortFast is not enabled on the port, the port is forced to the bidirectional state. Note: When you configure a port as unidirectional by using the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state.
  • Page 197: Using Network Admission Control Layer 2 Ieee 802.1X Validation

    Using Network Admission Control Layer 2 IEEE 802.1x Validation. In Cisco IOS Release 12.2(25)SED and later, the switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.1x...
  • Page 198: Web Authentication With Automatic Mac Check

    IEEE 802.1x authentication and then to use web authorization if the client does not support IEEE 802.1x authentication. Web authentication requires two Cisco Attribute-Value (AV) pair attributes: The first attribute, , must always be set to 15. This sets the privilege level of the user •...
  • Page 199: Default Ieee 802.1X Authentication Configuration

    • Changing the Quiet Period, page 9-26 (optional)
    • Changing the Switch-to-Client Retransmission Time, page 9-27 (optional)
    • Setting the Switch-to-Client Frame-Retransmission Number, page 9-28 (optional)
    • Setting the Re-Authentication Number, page 9-28 (optional)
    • Configuring IEEE 802.1x Accounting, page 9-29 (optional)
  • Page 200: Ieee 802.1X Authentication Configuration Guidelines

    Table 9-2 Default IEEE 802.1x Authentication Configuration (continued)
    Feature: Retransmission time. Default Setting: 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).
    Feature: Maximum retransmission number. Default Setting: 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
  • Page 201: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    • The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it is not supported on these port types:
    – Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message ...
  • Page 202: Mac Authentication Bypass

    Upgrading from a Previous Software Release. In Cisco IOS Release 12.2(25)SEE, the implementation for IEEE 802.1x authentication changed from the previous releases. When IEEE 802.1x authentication is enabled, information about Port Fast is no longer added to the configuration and this information appears in the running configuration:
    dot1x pae authenticator
    Configuring IEEE 802.1x Authentication...
  • Page 203

    The switch sends a start message to an accounting server. Step 4: Re-authentication is performed, as necessary. Step 5, Step 6: The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
  • Page 204: Configuring The Switch-To-Radius-Server Communication

    Configuring the Switch-to-RADIUS-Server Communication. RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 205: Configuring The Host Mode

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 206: Manually Re-Authenticating A Client Connected To A Port

    Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. This procedure is optional. Step 1...
  • Page 207: Changing The Switch-To-Client Retransmission Time

    Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: interface interface-id. Purpose: Specify the port to be configured, and enter interface configuration mode.
  • Page 208: Setting The Switch-To-Client Frame-Retransmission Number

    This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request:
    Switch(config-if)# dot1x timeout tx-period 60
    Setting the Switch-to-Client Frame-Retransmission Number. In addition to changing the switch-to-client retransmission time, you can change the number of times...
  • Page 209: Configuring Ieee 802.1X Accounting

    Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: interface interface-id. Purpose: Specify the port to be configured, and enter interface configuration mode.
  • Page 210: Configuring A Guest Vlan

    Step 3: aaa accounting dot1x default start-stop group radius. Purpose: Enable IEEE 802.1x accounting using the list of all RADIUS servers.
    Step 4: aaa accounting system default start-stop group radius. Purpose: (Optional) Enables system accounting (using the list of all RADIUS servers) and generates system accounting reload event messages when the switch reloads.
  • Page 211: Configuring A Restricted Vlan

    To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an IEEE 802.1x guest VLAN:
    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# dot1x guest-vlan 2
    This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that...
  • Page 212

    You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the dot1x auth-fail max-attempts interface configuration command. The range of allowable authentication attempts is 1 to 3.
  • Page 213: Configuring The Inaccessible Authentication Bypass Feature

    Configuring the Inaccessible Authentication Bypass Feature. You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA fail policy. Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature.
  • Page 214

    Step 4: radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name ... Purpose: (Optional) Configure the RADIUS server parameters by using these keywords:
    • acct-port udp-port—Specify the UDP port for the RADIUS ...
  • Page 215: Configuring Ieee 802.1X Authentication With Wol

    Step 7: dot1x critical [recovery action reinitialize | vlan vlan-id]. Purpose: Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature:
    • recovery action reinitialize—Enable the recovery feature, and ...
  • Page 216: Configuring Mac Authentication Bypass

    Step 4: Return to privileged EXEC mode.
    Step 5: show dot1x interface interface-id. Purpose: Verify your entries.
    Step 6: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
    To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.
  • Page 217: Configuring Nac Layer 2 Ieee 802.1X Validation

    Configuring NAC Layer 2 IEEE 802.1x Validation. In Cisco IOS Release 12.2(25)SED or later, you can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server.
  • Page 218: Configuring Web Authentication

    Configuring Web Authentication. Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.
  • Page 219

    The same rule cannot be used for both web authentication and NAC Layer 2 IP validation. For more information, see the Network Admission Control Software Configuration Guide on Cisco.com.
    Step 3: interface interface-id. Purpose: Specify the port to be configured, and enter interface configuration mode.
  • Page 220: Disabling Ieee 802.1X Authentication On The Port

    For more information about the ip admission name and ip access-group commands, see the Network Admission Control Software Configuration Guide on Cisco.com. Disabling IEEE 802.1x Authentication on the Port You can disable IEEE 802.1x authentication on the port by using the no dot1x pae interface configuration command.
  • Page 221: Resetting The Ieee 802.1X Authentication Configuration To The Default Values

    To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, which enables IEEE 802.1x on the port but does not allow clients connected to the port to be authorized, use the dot1x pae authenticator interface configuration command.
  • Page 222 Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Displaying IEEE 802.1x Statistics and Status Catalyst 2960 Switch Software Configuration Guide 9-42 OL-8603-04...
  • Page 223: Understanding Interface Types

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 224: C H A P T E R 10 Configuring Interface Characteristics

    Chapter 10 Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.”...
  • Page 225: Trunk Ports

    Catalyst 6500 series switch; the Catalyst 2960 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, “Configuring Voice VLAN.”...
  • Page 226: Dual-Purpose Uplink Ports

    Host A in VLAN 20 sends data to Host B in VLAN 30, the data must go from Host A to the switch, to the router, back to the switch, and then to Host B. [Figure 10-1: Connecting VLANs with Layer 2 Switches (Cisco router, Switch, Host A, Host B)]
  • Page 227: Procedures For Configuring Interfaces

    Using Interface Configuration Mode. You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 10-6). To configure a physical interface (port), specify the interface type, module number, and switch port number, and enter interface configuration mode.
  • Page 228: Configuring A Range Of Interfaces

    Step 4: After you configure an interface, verify its status by using the show privileged EXEC commands listed in the “Monitoring and Maintaining the Interfaces” section on page 10-18. Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch.
  • Page 229: Configuring And Using Interface Range Macros

    – gigabitethernet module/{first port} - {last port}, where the module is always 0
    – port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 6
    Note: When you use the interface range command with port channels, the first and last port-channel number must be active port channels.
  • Page 230

    Beginning in privileged EXEC mode, follow these steps to define an interface range macro:
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: define interface-range macro_name interface-range. Purpose: Define the interface-range macro, and save it in NVRAM.
    • ...
  • Page 231: Configuring Ethernet Interfaces

    Configuring Ethernet Interfaces. This example shows how to define an interface-range named enet_list to include ports 1 and 2 and to verify the macro configuration:
    Switch# configure terminal
    Switch(config)# define interface-range enet_list gigabitethernet0/1 - 2
    Switch(config)# end
    Switch# show running-config | include define
    define interface-range enet_list GigabitEthernet0/1 - 2
    ...
  • Page 232: Setting The Type Of A Dual-Purpose Uplink Port

    Enabled. Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 233

    Step 3: media-type {auto-select | rj45 | sfp}. Purpose: Select the interface and type of a dual-purpose uplink port. The keywords have these meanings:
    • auto-select—The switch dynamically selects the type. When link ...
  • Page 234: Configuring Interface Speed And Duplex Mode

    The switch does not have this behavior with 100BASE-FX-GE SFP modules. Configuring Interface Speed and Duplex Mode. Ethernet interfaces on the switch operate at 10, 100, or 1000 Mb/s and in either full- or half-duplex mode. In full-duplex mode, two stations can send and receive traffic at the same time.
  • Page 235: Setting The Interface Speed And Duplex Parameters

    Setting the Interface Speed and Duplex Parameters. Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
    Step 1: configure terminal. Purpose: Enter global configuration mode.
  • Page 236: Configuring Ieee 802.3X Flow Control

    Note: For interfaces gi0/1 to gi0/16, speed and duplex settings do not apply, as they are only internal server-facing interfaces. For interfaces 17 to 20, speed and duplex do not apply when they are operating in SFP module mode.
  • Page 237: Configuring Auto-Mdix On An Interface

    To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# flowcontrol receive on
    Switch(config-if)# end
    Configuring Auto-MDIX on an Interface. When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the...
  • Page 238: Adding A Description For An Interface

    This example shows how to enable auto-MDIX on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# speed auto
    Switch(config-if)# duplex auto
    Switch(config-if)# mdix auto
    Switch(config-if)# end
    Adding a Description for an Interface. You can add a description about an interface to help you remember its function.
  • Page 239

    Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by the system jumbo mtu command. If you do not configure the system mtu jumbo command, the setting of the system mtu command applies to all Gigabit Ethernet interfaces.
  • Page 240: Monitoring And Maintaining The Interfaces

    ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 241: Clearing And Resetting Interfaces And Counters

    Clearing and Resetting Interfaces and Counters. Table 10-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.
    Table 10-4 Clear Commands for Interfaces
    Command: clear counters [interface-id]. Purpose: ...
  • Page 243: Chapter 11 Configuring Smartports Macros

    When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 11-1).
  • Page 244: Configuring Smartports Macros

    cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 245 Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
  • Page 246: Creating Smartports Macros

    Chapter 11 Configuring Smartports Macros. Creating Smartports Macros. Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: macro name macro-name. Purpose: Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters.
  • Page 247: Applying Smartports Macros

    Applying Smartports Macros. Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: macro global {apply | trace} macro-name [parameter {value}]. Purpose: Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 248: Applying Cisco-Default Smartports Macros

    Enter global configuration mode.
    Step 4: macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter... Purpose: Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch.
  • Page 249

    You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and how to set the access VLAN ID to 25 on an interface:...
  • Page 250: Displaying Smartports Macros

    Displaying Smartports Macros. To display the Smartports macros, use one or more of the privileged EXEC commands in Table 11-2.
    Table 11-2 Commands for Displaying Smartports Macros
    Command: show parser macro. Purpose: Displays all configured macros.
  • Page 251: Chapter 12 Configuring Vlans

    Chapter 12 Configuring VLANs. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2960 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 252: Supported Vlans

    VLANs as Logically Defined Networks (figure: Engineering, Marketing and Accounting VLANs spanning Floor 1, Floor 2 and Floor 3, connected through a Cisco router over Gigabit Ethernet) VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.
  • Page 253: Vlan Port Membership Modes

    Dynamic-Access Ports on VMPS Clients” section on page 12-26. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic. VTP is not required; it has no effect on a voice VLAN.
  • Page 254: Configuring Normal-Range Vlans

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 255: Token Ring Vlans

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs These sections contain normal-range VLAN configuration information: • Token Ring VLANs, page 12-5 • Normal-Range VLAN Configuration Guidelines, page 12-5 • VLAN Configuration Mode Options, page 12-6 • Saving VLAN Configuration, page 12-6 • Default Ethernet VLAN Configuration, page 12-7 •...
  • Page 256: Vlan Configuration Mode Options

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
  • Page 257: Default Ethernet Vlan Configuration

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows: • If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP...
  • Page 258: Creating Or Modifying An Ethernet Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Creating or Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
  • Page 259: Deleting A Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs. Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN: Command Purpose...
  • Page 260: Assigning Static-Access Ports To A Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose Step 1...
  • Page 261: Configuring Extended-Range Vlans

    Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Command Purpose Step 7 show interfaces interface-id switchport Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return an interface to its default configuration, use the default interface interface-id interface configuration command.
  • Page 262: Extended-Range Vlan Configuration Guidelines

    Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Extended-Range VLAN Configuration Guidelines Follow these guidelines when creating extended-range VLANs: • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
  • Page 263: Displaying Vlans

    Chapter 12 Configuring VLANs Displaying VLANs Command Purpose Step 3 vlan vlan-id Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094. Step 4 mtu mtu-size (Optional) Modify the VLAN by changing the MTU size. Note Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size, and remote-span...
  • Page 264: Configuring Vlan Trunks

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Table 12-3 VLAN Monitoring Commands (continued) Command Command Mode Purpose show interfaces [vlan vlan-id] Privileged EXEC Display characteristics for all interfaces or for the specified VLAN configured on the switch. show vlan [id vlan-id] Privileged EXEC Display parameters for all VLANs or the specified VLAN on the switch.
  • Page 265: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 266: Default Layer 2 Ethernet Interface Vlan Configuration

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Default Layer 2 Ethernet Interface VLAN Configuration Table 12-5 shows the default Layer 2 Ethernet interface VLAN configuration. Table 12-5 Default Layer 2 Ethernet Interface VLAN Configuration Feature Default Setting Interface mode switchport mode dynamic auto Allowed VLAN range VLANs 1 to 4094 VLAN range eligible for pruning...
  • Page 267: Configuring A Trunk Port

    Chapter 12 Configuring VLANs Configuring VLAN Trunks • If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
  • Page 268: Defining The Allowed Vlans On A Trunk

    Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 269: Changing The Pruning-Eligible List

    Chapter 12 Configuring VLANs Configuring VLAN Trunks To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This example shows how to remove VLAN 2 from the allowed VLAN list on a port: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport trunk allowed vlan remove 2 Switch(config-if)# end...
  • Page 270: Configuring Trunk Ports For Load Sharing

    Chapter 12 Configuring VLANs Configuring VLAN Trunks For information about IEEE 802.1Q configuration issues, see the “IEEE 802.1Q Configuration Considerations” section on page 12-15. Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an IEEE 802.1Q trunk: Command Purpose Step 1...
  • Page 271 Chapter 12 Configuring VLANs Configuring VLAN Trunks • VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2. • VLANs 8 through 10 retain the default port priority of 128 on Trunk 2. In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6.
  • Page 272: Load Sharing Using Stp Path Cost

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 16 interface gigabitethernet 0/1 Define the interface to set the STP port priority, and enter interface configuration mode. Step 17 spanning-tree vlan 8-10 port-priority 16 Assign the port priority of 16 for VLANs 8 through 10. Step 18 exit Return to global configuration mode.
  • Page 273: Configuring Vmps

    Chapter 12 Configuring VLANs Configuring VMPS Command Purpose Step 4 exit Return to global configuration mode. Step 5 Repeat Steps 2 through 4 on a second interface in Switch A. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 274: Understanding Vmps

    Chapter 12 Configuring VLANs Configuring VMPS Understanding VMPS Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in open or secure mode.
  • Page 275: Default Vmps Client Configuration

    Chapter 12 Configuring VLANs Configuring VMPS Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
  • Page 276: Entering The Ip Address Of The Vmps

    Chapter 12 Configuring VLANs Configuring VMPS Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client. Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch. Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS: Command...
  • Page 277: Reconfirming Vlan Memberships

    Chapter 12 Configuring VLANs Configuring VMPS Command Purpose Step 6 show interfaces interface-id switchport Verify your entries in the Operational Mode field of the display. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return an interface to its default configuration, use the default interface interface-id interface configuration command.
  • Page 278: Changing The Retry Count

    Chapter 12 Configuring VLANs Configuring VMPS Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 279: Troubleshooting Dynamic-Access Port Vlan Membership

    Chapter 12 Configuring VLANs Configuring VMPS This is an example of output for the show vmps privileged EXEC command: Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87 Reconfirmation status ---------------------...
  • Page 280 Chapter 12 Configuring VLANs Configuring VMPS Figure 12-4 Dynamic Port VLAN Membership Configuration (figure: a TFTP server; Catalyst 6500 series switch A, primary VMPS Server 1, 172.20.26.150; a router, 172.20.22.7; client switch B, 172.20.26.151, with a dynamic-access port to station 1 and a trunk port; Catalyst 6500 series switch C, 172.20.26.152, secondary VMPS Server 2...)
  • Page 281: Configuring Vtp

    C H A P T E R Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2960 switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 282: Chapter 13 Configuring Vtp

    Chapter 13 Configuring VTP Understanding VTP These sections contain this conceptual information: • The VTP Domain, page 13-2 • VTP Modes, page 13-3 • VTP Advertisements, page 13-3 • VTP Version 2, page 13-4 • VTP Pruning, page 13-4 The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name.
  • Page 283: Vtp Modes

    Chapter 13 Configuring VTP Understanding VTP VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 13-1. Table 13-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
  • Page 284: Vtp Version 2

    Chapter 13 Configuring VTP Understanding VTP • MD5 digest • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN. • Frame format VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs (IEEE 802.1Q) • VLAN name • VLAN type •...
  • Page 285 Chapter 13 Configuring VTP Understanding VTP Figure 13-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
  • Page 286: Default Vtp Configuration

    Chapter 13 Configuring VTP Configuring VTP See the “Enabling VTP Pruning” section on page 13-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
  • Page 287: Vtp Configuration Options

    Chapter 13 Configuring VTP Configuring VTP VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Mode, page 13-7 • VTP Configuration in VLAN Database Configuration Mode, page 13-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
  • Page 288: Vtp Configuration Guidelines

    Chapter 13 Configuring VTP Configuring VTP VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 289: Configuration Requirements

    Chapter 13 Configuring VTP Configuring VTP • Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2.
  • Page 290 Chapter 13 Configuring VTP Configuring VTP When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. To return the switch to a no-password state, use the no vtp password global configuration command. This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword: Switch# config terminal...
  • Page 291: Configuring A Vtp Client

    Chapter 13 Configuring VTP Configuring VTP Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
  • Page 292: Disabling Vtp (Vtp Transparent Mode)

    Chapter 13 Configuring VTP Configuring VTP Disabling VTP (VTP Transparent Mode) When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.
  • Page 293: Enabling Vtp Version 2

    Chapter 13 Configuring VTP Configuring VTP Enabling VTP Version 2 VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode.
  • Page 294: Enabling Vtp Pruning

    Chapter 13 Configuring VTP Configuring VTP Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 295 Chapter 13 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain: Command Purpose Step 1 show vtp status Check the VTP configuration revision number.
  • Page 296: Monitoring Vtp

    Chapter 13 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 13-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 297: Chapter 14 Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 298: Cisco Ip Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 299: Configuring Voice Vlan

    voice VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: –...
  • Page 300: Configuring A Port Connected To A Cisco 7960 Ip Phone

    Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the Cisco IP Phone carries voice traffic and data traffic.
  • Page 301 (Optional) Save your entries in the configuration file. This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default...
  • Page 302: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 303 This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2960 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 304: Configuring Stp

    Chapter 15 Configuring STP Understanding Spanning-Tree Features • Spanning-Tree Interoperability and Backward Compatibility, page 15-10 • STP and IEEE 802.1Q Trunks, page 15-10 For configuration information, see the “Configuring Spanning-Tree Features” section on page 15-10. For information about optional spanning-tree features, see Chapter 17, “Configuring Optional Spanning-Tree Features.”...
  • Page 305: Spanning-Tree Topology And Bpdus

    Chapter 15 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
  • Page 306: Bridge Id, Switch Priority, And Extended System Id

    Chapter 15 Configuring STP Understanding Spanning-Tree Features Bridge ID, Switch Priority, and Extended System ID The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN.
  • Page 307 Chapter 15 Configuring STP Understanding Spanning-Tree Features An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled...
  • Page 308: Blocking State

    Chapter 15 Configuring STP Understanding Spanning-Tree Features Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 309: Disabled State

    Chapter 15 Configuring STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: • Discards frames received on the interface...
  • Page 310: Spanning Tree And Redundant Connectivity

    Chapter 15 Configuring STP Understanding Spanning-Tree Features Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 15-3. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 311: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 312: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 313: Default Spanning-Tree Configuration

    Chapter 15 Configuring STP Configuring Spanning-Tree Features • Disabling Spanning Tree, page 15-14 (optional) • Configuring the Root Switch, page 15-14 (optional) • Configuring a Secondary Root Switch, page 15-16 (optional) • Configuring Port Priority, page 15-16 (optional) • Configuring Path Cost, page 15-18 (optional) •...
  • Page 314: Spanning-Tree Configuration Guidelines

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Spanning-Tree Configuration Guidelines If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled.
  • Page 315: Changing The Spanning-Tree Mode

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Changing the Spanning-Tree Mode The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
  • Page 316: Disabling Spanning Tree

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 15-9. Disable spanning tree only if you are sure there are no loops in the network topology.
  • Page 317 Chapter 15 Configuring STP Configuring Spanning-Tree Features Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 318: Configuring A Secondary Root Switch

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Configuring a Secondary Root Switch When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.
  • Page 319 Chapter 15 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
  • Page 320: Configuring Path Cost

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Configuring Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
  • Page 321: Configuring The Switch Priority Of A Vlan

    Chapter 15 Configuring STP Configuring Spanning-Tree Features To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing”...
  • Page 322: Configuring Spanning-Tree Timers

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Timers Table 15-4 describes the timers that affect the entire spanning-tree performance. Table 15-4 Spanning-Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 323: Configuring The Forwarding-Delay Time For A Vlan

    Chapter 15 Configuring STP Configuring Spanning-Tree Features Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 324: Configuring The Transmit Hold-Count

    Chapter 15 Configuring STP Displaying the Spanning-Tree Status Configuring the Transmit Hold-Count You can configure the BPDU burst size by changing the transmit hold count value. Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode.
  • Page 325: Chapter 16 Configuring Mstp

    C H A P T E R Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2960 switch. Note The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SED is based on the IEEE 802.1s standard.
  • Page 326: Understanding Mstp

    Chapter 16 Configuring MSTP Understanding MSTP This chapter consists of these sections: • Understanding MSTP, page 16-2 • Understanding RSTP, page 16-8 • Configuring MSTP Features, page 16-14 • Displaying the MST Configuration and Status, page 16-26 Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
  • Page 327: Ist, Cist, And Cst

    Chapter 16 Configuring MSTP Understanding MSTP IST, CIST, and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. •...
  • Page 328: Operations Between Mst Regions

    Chapter 16 Configuring MSTP Understanding MSTP For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
  • Page 329: Ieee 802.1S Terminology

    IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches. IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 330: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 331: Port Role Naming Change

    The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. Two cases exist now: •...
  • Page 332: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 333: Port Roles And The Active Topology

    Learning Enabled Forwarding Forwarding Disabled Disabled Discarding To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
  • Page 334: Rapid Convergence

    Chapter 16 Configuring MSTP Understanding RSTP Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: • Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree...
  • Page 335: Synchronization Of Port Roles

    Chapter 16 Configuring MSTP Understanding RSTP Figure 16-4 Proposal and Agreement Handshaking for Rapid Convergence (figure: proposal and agreement exchanges between Switch A, Switch B and Switch C; DP = designated port, RP = root port, F = forwarding) Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root...
  • Page 336: Bridge Protocol Data Unit Format And Processing

    After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 16-5.
  • Page 337: Processing Superior Bpdu Information

    The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
  • Page 338: Configuring Mstp Features

    • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 339: Mstp Configuration Guidelines

    Table 16-4 Default MSTP Configuration (continued). Feature: Default Setting. Spanning-tree port priority (configurable on a per-CIST port basis): 128. Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mbps: 4; 100 Mbps: 19; 10 Mbps: 100.
  • Page 340: Specifying The Mst Region Configuration And Enabling Mstp

    • Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices. • For configuration guidelines about UplinkFast and BackboneFast, see the “Optional Spanning-Tree...
  • Page 341: Configuring The Root Switch

    Command / Purpose. Step 9: Return to privileged EXEC mode. Step 10: show running-config: Verify your entries. Step 11: copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command.
  • Page 342: Configuring A Secondary Root Switch

    The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 343: Configuring Port Priority

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 344: Configuring Path Cost

    Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional. Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 345: Configuring The Switch Priority

    Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional. Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 346: Configuring The Hello Time

    Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional. Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: spanning-tree mst instance-id priority priority: Configure the switch priority.
  • Page 347: Configuring The Forwarding-Delay Time

    Configuring the Forwarding-Delay Time Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional. Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: spanning-tree mst forward-time seconds: Configure the forward time for all MST instances.
  • Page 348: Configuring The Maximum-Hop Count

    Configuring the Maximum-Hop Count Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional. Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: spanning-tree mst max-hops hop-count: Specify the number of hops in a region before the BPDU is...
  • Page 349: Designating The Neighbor Type

    Designating the Neighbor Type A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface.
  • Page 350: Displaying The Mst Configuration And Status

    Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 16-5: Table 16-5 Commands for Displaying MST Status. Command / Purpose. show spanning-tree mst configuration...
  • Page 351: Understanding Optional Spanning-Tree Features

    Chapter 17 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 2960 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 352: C H A P T E R 17 Configuring Optional Spanning-Tree Features

    Chapter 17 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 17-1, to allow those devices to...
  • Page 353: Understanding Bpdu Filtering

    At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.
  • Page 354 [Figure 17-2 Switches in a Hierarchical Network: backbone switches (root bridge), distribution switches, access switches; legend: active link, blocked link] If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
  • Page 355: Understanding Backbonefast

    [Figure 17-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, Switch C with blocked port] If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 356 The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
  • Page 357: Understanding Etherchannel Guard

    [Figure 17-6 BackboneFast Example After Indirect Link Failure: after the link failure, BackboneFast changes the port through the listening and learning states to the forwarding state.] If a new switch is introduced into a shared-medium topology as shown in Figure 17-7, BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated switch...
  • Page 358: Understanding Root Guard

    Understanding Root Guard The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 17-8.
  • Page 359: Understanding Loop Guard

    Understanding Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network.
  • Page 360: Optional Spanning-Tree Configuration Guidelines

    Optional Spanning-Tree Configuration Guidelines You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 361: Enabling Bpdu Guard

    Note: You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
  • Page 362: Enabling Bpdu Filtering

    To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command. Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs.
  • Page 363: Enabling Uplinkfast For Use With Redundant Links

    Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 364: Enabling Etherchannel Guard

    You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.
  • Page 365: Enabling Root Guard

    Enabling Root Guard Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
  • Page 366: Displaying The Spanning-Tree Status

    Command / Purpose. Step 3: spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4: Return to privileged EXEC mode. Step 5: show running-config: Verify your entries. Step 6: copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 367: Understanding Igmp Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 368: Chapter 18 Configuring Igmp Snooping And Mvr

    Chapter 18 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 369: Joining A Multicast Group

    An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008008048a.html Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client, it sends an unsolicited IGMP join message, specifying the IP multicast group to join.
  • Page 370 Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
  • Page 371: Leaving A Multicast Group

    Leaving a Multicast Group The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
  • Page 372: Igmp Report Suppression

    IGMP Report Suppression Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports. The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
  • Page 373: Enabling Or Disabling Igmp Snooping

    Table 18-3 Default IGMP Snooping Configuration (continued) Feature Default Setting Multicast router learning (snooping) method PIM-DVMRP IGMP snooping Immediate Leave Disabled Static groups None configured flood query count TCN query solicitation Disabled IGMP snooping querier Disabled...
  • Page 374: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 375: Configuring A Multicast Router Port

    To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command. This example shows how to configure IGMP snooping to use CGMP packets as the learning method: Switch# configure terminal Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp Switch(config)# end...
  • Page 376: Configuring A Host Statically To Join A Group

    Configuring a Host Statically to Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Command Purpose...
  • Page 377: Configuring The Igmp Leave Timer

    Command / Purpose. Step 4: show ip igmp snooping vlan vlan-id: Verify that Immediate Leave is enabled on the VLAN interface. Step 5: copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
  • Page 378: Configuring Tcn-Related Commands

    Configuring TCN-Related Commands These sections describe how to control flooded multicast traffic during a TCN event: • Controlling the Multicast Flooding Time After a TCN Event, page 18-12 • Recovering from Flood Mode, page 18-12 •...
  • Page 379: Disabling Multicast Flooding During A Tcn Event

    Beginning in privileged EXEC mode, follow these steps to enable the switch to send the global leave message whether or not it is the spanning-tree root: Command / Purpose. Step 1: configure terminal: Enter global configuration mode.
  • Page 380: Configuring The Igmp Snooping Querier

    Configuring the IGMP Snooping Querier Follow these guidelines when configuring the IGMP snooping querier: • Configure the VLAN in global configuration mode. • Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the...
  • Page 381: Disabling Igmp Report Suppression

    This example shows how to set the IGMP snooping querier source address to 10.0.0.64: Switch# configure terminal Switch(config)# ip igmp snooping querier 10.0.0.64 Switch(config)# end This example shows how to set the IGMP snooping querier maximum response time to 25 seconds: Switch# configure terminal Switch(config)# ip igmp snooping querier query-interval 25 Switch(config)# end...
  • Page 382 To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 18-4. Table 18-4 Commands for Displaying IGMP Snooping Information. Command / Purpose. show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN.
  • Page 383: Understanding Multicast Vlan Registration

    Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 384: Using Mvr In A Multicast Television Application

    VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. [Figure 18-3 Multicast VLAN Registration Example: multicast VLAN, Cisco router, multicast server, Switch B]...
  • Page 385: Configuring Mvr

    When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
  • Page 386: Mvr Configuration Guidelines And Limitations

    Table 18-5 Default MVR Configuration (continued). Feature: Default Setting. Interface (per port) default: Neither a receiver nor a source port. Immediate Leave: Disabled on all ports. MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR: • Receiver ports can only be access ports;...
  • Page 387: Configuring Mvr Interfaces

    Command / Purpose. Step 4: mvr querytime value: (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
  • Page 388 Command / Purpose. Step 4: mvr type {source | receiver}: Configure an MVR port as one of these: • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • Page 389: Displaying Mvr Information

    Displaying MVR Information You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 18-6 to display MVR configuration: Table 18-6 Commands for Displaying MVR Information. Command...
  • Page 390: Default Igmp Filtering And Throttling Configuration

    IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 391: Applying Igmp Profiles

    • permit: Specifies that matching addresses are permitted. • range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range...
  • Page 392: Setting The Maximum Number Of Igmp Groups

    Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Command / Purpose. Step 1: configure terminal: Enter global configuration mode. Step 2: interface interface-id: Specify the physical interface, and enter interface configuration mode.
  • Page 393: Configuring The Igmp Throttling Action

    To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip igmp max-groups 25 Switch(config-if)# end...
  • Page 394: Displaying Igmp Filtering And Throttling Configuration

    Command / Purpose. Step 4: Return to privileged EXEC mode. Step 5: show running-config interface interface-id: Verify the configuration. Step 6: copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
  • Page 395: Configuring Storm Control

    Chapter 19 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 2960 switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 396 Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 19-1 shows broadcast traffic patterns on an interface over a given period of time.
  • Page 397: C H A P T E R 19 Configuring Port-Based Traffic Control

    Chapter 19 Configuring Port-Based Traffic Control Configuring Storm Control Note: Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control. You use the storm-control interface configuration commands to set the threshold value for each traffic type.
  • Page 398 Command / Purpose. Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}: Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: • For level, specify the rising threshold level for broadcast,...
  • Page 399: Configuring Protected Ports

    Command / Purpose. Step 6: show storm-control [interface-id] [broadcast | multicast | unicast]: Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
  • Page 400: Default Protected Port Configuration

    Default Protected Port Configuration The default is to have no protected ports defined. Protected Port Configuration Guidelines You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5).
  • Page 401: Configuring Port Blocking

    Configuring Port Blocking By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
  • Page 402: Configuring Port Security

    Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
  • Page 403: Security Violations

    You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command.
  • Page 404: Default Port Security Configuration

    Table 19-1 shows the violation mode and the actions taken when you configure an interface for port security. Table 19-1 Security Violation Mode Actions Violation Traffic is Sends SNMP Sends syslog Displays error counter Violation Mode...
  • Page 405: Enabling And Configuring Port Security

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 406 Command / Purpose. Step 4: switchport voice vlan vlan-id: Enable voice VLAN on a port. vlan-id—Specify the VLAN to be used for voice traffic. Step 5: switchport port-security: Enable port security on the interface. Step 6: switchport port-security (Optional) Set the maximum number of secure MAC addresses for the...
  • Page 407 Command / Purpose. Step 7: switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: • protect—When the number of port secure MAC addresses reaches the...
  • Page 408 Command / Purpose. Step 8: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
  • Page 409 To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 410: Enabling And Configuring Port Security Aging

    This example shows how to enable sticky port security on a port, to manually configure MAC addresses for data VLAN and voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for data VLAN and 10 for voice VLAN).
  • Page 411: Displaying Port-Based Traffic Control Settings

    Command / Purpose. Step 3: switchport port-security aging {static | time time | type {absolute | inactivity}}: Enable or disable static aging for the secure port, or set the aging time or type. Note: The switch does not support port security aging of sticky secure addresses.
  • Page 412 To display traffic control information, use one or more of the privileged EXEC commands in Table 19-4. Table 19-4 Commands for Displaying Traffic Control Status and Configuration Command Purpose show interfaces [interface-id] switchport Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and...
  • Page 413: Chapter 20 Configuring Cdp

    Monitoring and Maintaining CDP, page 20-4 Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 414: Configuring Cdp

    Chapter 20 Configuring CDP Configuring CDP Configuring CDP These sections contain this configuration information: • Default CDP Configuration, page 20-2 • Configuring the CDP Characteristics, page 20-2 • Disabling and Enabling CDP, page 20-3 • Disabling and Enabling CDP on an Interface, page 20-4 •...
  • Page 415: Disabling And Enabling Cdp

    Disabling and Enabling CDP CDP is enabled by default. Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 5, “Clustering Switches”...
  • Page 416: Disabling And Enabling Cdp On An Interface

    Chapter 20 Configuring CDP Monitoring and Maintaining CDP Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port: Command Purpose Step 1...
  • Page 417 Command Description show cdp entry entry-name [protocol version] Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.
  • Page 419: Chapter 21 Configuring Lldp And Lldp-Med

    Understanding LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 420: Understanding Lldp-Med

    Chapter 21 Configuring LLDP and LLDP-MED Understanding LLDP and LLDP-MED LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors.
  • Page 421: Configuring Lldp And Lldp-Med

    Chapter 21 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED • Inventory management TLV Allows an endpoint to send detailed inventory information about itself to the switch, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID TLV. • Location TLV...
  • Page 422: Configuring Lldp Characteristics

    Table 21-1 Default LLDP Configuration Feature Default Setting LLDP interface state Enabled LLDP receive Enabled LLDP transmit Enabled LLDP med-tlv-select Enabled to send all LLDP-MED TLVs Configuring LLDP Characteristics You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time.
  • Page 423: Disabling And Enabling Lldp Globally

    Disabling and Enabling LLDP Globally LLDP is enabled by default. Beginning in privileged EXEC mode, follow these steps to globally disable LLDP: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no lldp run Disable LLDP.
  • Page 424: Configuring Lldp-Med Tlvs

    Command Purpose Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to enable LLDP on an interface when it has been disabled: Command Purpose...
  • Page 425: Monitoring And Maintaining Lldp And Lldp-Med

    Beginning in privileged EXEC mode, follow these steps to disable a TLV on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.
  • Page 426 Command Description show lldp neighbors [interface-id] [detail] Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID. You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
  • Page 427: Chapter 22 Configuring Udld

    Chapter 22 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 2960 switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 428: Methods To Detect Unidirectional Links

    Chapter 22 Configuring UDLD Understanding UDLD In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
  • Page 429 If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
  • Page 430: Configuring Udld

    Chapter 22 Configuring UDLD Configuring UDLD Configuring UDLD These sections contain this configuration information: • Default UDLD Configuration, page 22-4 • Configuration Guidelines, page 22-4 • Enabling UDLD Globally, page 22-5 • Enabling UDLD on an Interface, page 22-5 • Resetting an Interface Disabled by UDLD, page 22-6 •...
  • Page 431: Enabling Udld Globally

    Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch: Command Purpose Step 1...
  • Page 432: Resetting An Interface Disabled By Udld

    Chapter 22 Configuring UDLD Displaying UDLD Status Command Purpose Step 3 udld port [aggressive] UDLD is disabled by default. • udld port—Enables UDLD in normal mode on the specified port. • udld port aggressive—Enables UDLD in aggressive mode on the specified port.
  • Page 433: Chapter 23 Configuring Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 434: Local Span

    Chapter 23 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 23-2 • Remote SPAN, page 23-2 • SPAN and RSPAN Concepts and Terminology, page 23-3 • SPAN and RSPAN Interaction with Other Features, page 23-8 •...
  • Page 435: Span And Rspan Concepts And Terminology

    Figure 23-2 Example of RSPAN Configuration (figure: Switch A and Switch B each run an RSPAN source session; the RSPAN VLAN carries the monitored traffic through intermediate switches, which must support the RSPAN VLAN, to the RSPAN destination session and RSPAN destination ports on Switch C)
  • Page 436: Monitored Traffic

    An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
  • Page 437: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 438: Source Vlans

    • It can be an access port, trunk port, or voice VLAN port. • It cannot be a destination port. • Source ports can be in the same or different VLANs. •...
  • Page 439: Rspan Vlan

    A destination port has these characteristics: • For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
  • Page 440: Span And Rspan Interaction With Other Features

    For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches.
  • Page 441: Configuring Span And Rspan

    Chapter 23 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • A secure port cannot be a SPAN destination port. • For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
  • Page 442: Span Configuration Guidelines

    SPAN Configuration Guidelines Follow these guidelines when configuring SPAN: • For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session.
  • Page 443 Command Purpose Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
  • Page 444 Command Purpose Step 5 Return to privileged EXEC mode. Step 6 show monitor [session session_number] show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
  • Page 445: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 446: Specifying Vlans To Filter

    To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 447: Configuring Rspan

    Command Purpose Step 5 monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
  • Page 448: Rspan Configuration Guidelines

    RSPAN Configuration Guidelines Follow these guidelines when configuring RSPAN: • All the items in the “SPAN Configuration Guidelines” section on page 23-10 apply to RSPAN. • As RSPAN VLANs have special properties, you should reserve a few VLANs across your network...
  • Page 449: Creating An Rspan Source Session

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vlan vlan-id Enter a VLAN ID to create a VLAN, or enter the VLAN ID of an existing VLAN, and enter VLAN configuration mode.
  • Page 450 Command Purpose Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session: •...
  • Page 451: Creating An Rspan Destination Session

    Creating an RSPAN Destination Session You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured. Beginning in privileged EXEC mode, follow these steps to define the RSPAN VLAN on that switch, to create an RSPAN destination session, and to specify the source RSPAN VLAN and the destination port: Command Purpose...
  • Page 452: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 453: Specifying Vlans To Filter

    Command Purpose Step 5 Return to privileged EXEC mode. Step 6 show monitor [session session_number] show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete an RSPAN session, use the no monitor session session_number global configuration command.
  • Page 454: Displaying Span And Rspan Status

    Chapter 23 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Command Purpose Step 5 monitor session session_number destination remote vlan vlan-id Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
  • Page 455: Chapter 24 Configuring Rmon

    Note For complete syntax and usage information for the commands used in this chapter, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This chapter consists of these sections: • Understanding RMON, page 24-1...
  • Page 456: Configuring Rmon

    Chapter 24 Configuring RMON Configuring RMON Figure 24-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors a switch with RMON history and statistic collection enabled; workstations are attached to the switch) The switch supports these RMON groups (defined in RFC 1757): • Statistics (RMON group 1)—Collects Ethernet statistics (including Fast Ethernet and Gigabit...
  • Page 457: Default Rmon Configuration

    Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 458 Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range...
  • Page 459: Collecting Group History Statistics On An Interface

    Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface.
  • Page 460: Displaying Rmon Status

    For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 461: Chapter 25 Configuring System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 2960 switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 462: Configuring System Message Logging

    Chapter 25 Configuring System Message Logging Configuring System Message Logging You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer.
  • Page 463: Default System Message Logging Configuration

    Table 25-1 describes the elements of syslog messages. Table 25-1 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
  • Page 464: Disabling Message Logging

    Table 25-2 Default System Message Logging Configuration (continued) Feature Default Setting Time stamps Disabled. Synchronous logging Disabled. Logging server Disabled. Syslog server IP address None configured. Configuration change logger Disabled Server facility Local7 (see Table 25-4 on page...
  • Page 465: Setting The Message Display Destination Device

    Setting the Message Display Destination Device If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages.
  • Page 466: Synchronizing Log Messages

    The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full. To display the messages that are logged in the buffer, use the show logging privileged EXEC command.
  • Page 467: Enabling And Disabling Time Stamps On Log Messages

    Command Purpose Step 3 logging synchronous [level [severity-level | all] | limit number-of-buffers] Enable synchronous logging of messages. • (Optional) For level severity-level, specify the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously.
  • Page 468: Enabling And Disabling Sequence Numbers In Log Messages

    This example shows part of a logging display with the service timestamps log uptime global configuration command enabled: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously see a single message.
  • Page 469 Command Purpose Step 4 logging trap level Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and numerically lower levels (see Table 25-3 on page 25-9).
  • Page 470: Limiting Syslog Messages Sent To The History Table And To Snmp

    Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 471 [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 472: Configuring Unix Syslog Servers

    Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.debug /usr/adm/logs/cisco.log The local7 keyword specifies the logging facility to be used; see Table 25-4 on page 25-13 for information on the facilities.
  • Page 473: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 475: Chapter 26 Configuring Snmp

    Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This chapter consists of these sections: • Understanding SNMP, page 26-1...
  • Page 476: Snmp Versions

    Chapter 26 Configuring SNMP Understanding SNMP • SNMP Community Strings, page 26-4 • Using SNMP to Access MIB Variables, page 26-4 • SNMP Notifications, page 26-5 • SNMP ifIndex MIB Object Values, page 26-6 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in...
  • Page 477: Snmp Manager Functions

    Table 26-1 identifies the characteristics of the different combinations of security models and levels. Table 26-1 SNMP Security Models and Levels Model Level Authentication Encryption Result SNMPv1 noAuthNoPriv Community string No Uses a community string match for authentication. SNMPv2C noAuthNoPriv Community string No...
  • Page 478: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 5, “Clustering Switches,” and Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
  • Page 479: Snmp Notifications

    As shown in Figure 26-1, the SNMP agent gathers data from the MIB. The agent can send traps, or notification of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth.
  • Page 480: Configuring Snmp

    Chapter 26 Configuring SNMP Configuring SNMP SNMP ifIndex MIB Object Values In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
  • Page 481: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 for information about when you should configure notify views.
  • Page 482: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 483 Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [view view-name] [ro | rw] [access-list-number] Configure the community string. •...
  • Page 484: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent: Switch(config)# snmp-server community comaccess ro 4 Configuring SNMP Groups and Users You can specify an identification name (engine ID) for the local or remote SNMP server engine on the...
  • Page 485 Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. •...
  • Page 486: Configuring Snmp Notifications

    By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Many commands use the word traps in the command syntax. Note Unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps, informs, or both.
  • Page 487 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 488 Note Though visible in the command-line help strings, the cpu [threshold], insertion, and removal keywords are not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
  • Page 489: Setting The Agent Contact And Location Information

    Command Purpose Step 6 snmp-server enable traps notification-types Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 26-5 on page 26-12, or enter snmp-server enable traps ? To enable multiple types of traps, you must enter a separate snmp-server...
  • Page 490: Limiting Tftp Servers Used Through Snmp

    Command Purpose Step 3 snmp-server location text Set the system location string. For example: snmp-server location Building 3/Room 222 Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 491: Snmp Examples

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 492: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 26-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Table 26-6 Commands for Displaying SNMP Information...
  • Page 493: Chapter 27 Configuring Cisco Ios Ip Slas Operations

    This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 2960 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
  • Page 494: Using Cisco Ios Ip Slas To Measure Network Performance

    Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address. Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a...
  • Page 495: Ip Slas Responder And Ip Slas Control Protocol

    EXEC command to verify that the operation type is supported on your software image. IP SLAs Responder and IP SLAs Control Protocol The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
  • Page 496: Response Time Computation For Ip Slas

    Understanding Cisco IOS IP SLAs. Note: The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or Cisco ME 2400 switch. The responder does not need to support full IP SLAs functionality. Figure 27-1 shows where the Cisco IOS IP SLAs responder fits in the IP network.
  • Page 497: Configuring Ip Slas Operations

    This section does not include configuration information for all available operations, because the configuration details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the Catalyst 2960 switch includes only responder support.
  • Page 498: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 switch. Beginning in privileged EXEC mode, follow these steps to configure the IP SLAs responder on...
  • Page 499: Monitoring Ip Slas Operations

    Chapter 27 Configuring Cisco IOS IP SLAs Operations. Monitoring IP SLAs Operations: Use the user EXEC or privileged EXEC commands in Table 27-1 to display the IP SLAs operations configuration. Table 27-1 Monitoring IP SLAs Operations Command...
  • Page 501: Chapter 28 Configuring Qos

    • The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, see the “Modular Quality of Service Command-Line Interface Overview” at this site: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd908.html Understanding QoS: Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner.
  • Page 502 Chapter 28 Configuring QoS Understanding QoS The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.
  • Page 503: Basic Qos Model

    Figure 28-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet with Layer 2 header, IP header, and data; a Layer 2 ISL frame with a 26-byte ISL header, an encapsulated frame of 1 to 24.5 KB, and a 4-byte field, with 3 bits used for CoS; a Layer 2 802.1Q and 802.1p frame with preamble and start frame...)
  • Page 504 Figure 28-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying: generating a distinct path for a packet by associating it with a QoS label. The switch maps the CoS...
  • Page 505: Classification

    Classification: Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
  • Page 506 After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Figure 28-3 Classification Flowchart (flowchart: Start; get the classification result for the packet; is a policer configured for this packet?; check if the packet is in profile by querying the policer...)
  • Page 507: Classification Based On Qos Acls

    Classification Based on QoS ACLs: You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: •...
  • Page 508: Policing And Marking

    The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command.
  • Page 509: Policing On Physical Ports

    Policing on Physical Ports: In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
  • Page 510 Figure 28-4 shows the policing and marking process. Figure 28-4 Policing and Marking Flowchart on Physical Ports (flowchart: Start; get the classification result for the packet; is a policer configured for this packet?; check if the packet is in profile by querying the policer...)
  • Page 511: Mapping Tables

    Mapping Tables: During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or...
  • Page 512: Queueing And Scheduling Overview

    Queueing and Scheduling Overview: The switch has queues at specific points to help prevent congestion, as shown in Figure 28-5. Figure 28-5 Ingress and Egress Queue Location (figure: policer and marker stages feed the ingress queues, the internal ring, and the egress queues...)
  • Page 513: Srr Shaping And Sharing

    Figure 28-6 WTD and Queue Operation (figure labels: CoS 6-7, 100%, 1000, CoS 4-5, CoS 0-3). For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 28-58, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
  • Page 514: Queueing And Scheduling On Ingress Queues

    Queueing and Scheduling on Ingress Queues: Figure 28-7 shows the queueing and scheduling flowchart for ingress ports. Figure 28-7 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: Start; read the QoS label (DSCP or CoS value); determine the ingress queue number, buffer allocation, and WTD thresholds...)
  • Page 515 You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 516: Queueing And Scheduling On Egress Queues

    Queueing and Scheduling on Egress Queues: Figure 28-8 shows the queueing and scheduling flowchart for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 28-8 Queueing and Scheduling Flowchart for Egress Ports...
  • Page 517 Figure 28-9 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
  • Page 518: Packet Modification

    threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
  • Page 519: Configuring Auto-Qos

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 520: Generated Auto-Qos Configuration

    The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to...
  • Page 521 DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The...
  • Page 522 Chapter 28 Configuring QoS Configuring Auto-QoS. Table 28-5 Generated Auto-QoS Configuration (continued). Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID. Automatically generated commands: Switch(config)# no mls qos srr-queue input dscp-map; Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15; Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7...
  • Page 523 Description: If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Automatically generated command: Switch(config-if)# mls qos trust device cisco-phone
  • Page 524: Effects Of Auto-Qos On The Configuration

    Table 28-5 Generated Auto-QoS Configuration (continued). Description: If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Automatically generated commands: Switch(config)# mls qos map policed-dscp 24 26 46 to (rest of line cut off) Switch(config)# class-map match-all...
  • Page 525: Auto-Qos Configuration Guidelines

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 526 | trust} The keywords have these meanings: • cisco-phone—If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected. • cisco-softphone—The port is connected to a device running the...
  • Page 527: Auto-Qos Configuration Example

    Figure 28-10 shows a network in which the VoIP traffic is prioritized over all other traffic (figure labels: IP phones, Cisco IP phones). Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
  • Page 528 Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 529: Displaying Auto-Qos Information

    Chapter 28 Configuring QoS Displaying Auto-QoS Information. To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 530: Default Standard Qos Configuration

    Chapter 28 Configuring QoS Configuring Standard QoS. Default Standard QoS Configuration: QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 531: Default Egress Queue Configuration

    Default Egress Queue Configuration: Table 28-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 28-9 Default Egress Queue Configuration Feature...
  • Page 532: Default Mapping Table Configuration

    Default Mapping Table Configuration: The default CoS-to-DSCP map is shown in Table 28-12 on page 28-52. The default IP-precedence-to-DSCP map is shown in Table 28-13 on page 28-53. The default DSCP-to-CoS map is shown in Table 28-14 on page 28-55.
  • Page 533: General Qos Guidelines

    • You can set the policing rate only in 1-Mb/s increments. If you try to set a policing rate at less than 1 Mb/s, the switch prompts you for a correct value. • On a port configured for QoS, all traffic received through the port is classified, policed, and marked...
  • Page 534: Configuring Classification Using Port Trust States

    Configuring Classification Using Port Trust States: These sections describe how to classify incoming traffic by using port trust states. Depending on your network configuration, you must perform one or more of these tasks or one or more of the tasks in the “Configuring a QoS Policy”...
  • Page 535 Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the port to be trusted, and enter interface configuration mode.
  • Page 536: Configuring The Cos Value For An Interface

    To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command. Configuring a Trusted Boundary to Ensure Port Security: In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 28-11 on page 28-34, and cascade devices that generate data packets from the back of the telephone.
  • Page 537 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 538: Enabling Dscp Transparency Mode

    Enabling DSCP Transparency Mode: The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
  • Page 539 Figure 28-12 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic between QoS Domain 1 and QoS Domain 2; on the border port, set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map). Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
  • Page 540: Configuring A Qos Policy

    To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:...
  • Page 541: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs: You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 542 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Step 1, configure terminal: Enter global configuration mode. Step 2, access-list access-list-number {deny | permit} protocol source source-wildcard: Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 543 Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Step 1, configure terminal: Enter global configuration mode. Step 2, mac access-list extended name: Create a Layer 2 MAC ACL by specifying the name of the list.
  • Page 544: Classifying Traffic By Using Class Maps

    Classifying Traffic by Using Class Maps: You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
  • Page 545 Step 4, match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}: Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 546: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    • If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration. • In Cisco IOS Release 12.2(25)SED or later, you can use the set ip precedence or the set precedence policy-map class configuration command to change the packet IP precedence value. This setting appears as set ip precedence in the switch configuration.
  • Page 547 Step 3, policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged.
  • Page 548 Step 7, police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]: Define a policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines”...
  • Page 549: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Switch(config)# interface gigabitethernet0/1 Switch(config-if)# mls qos trust cos Switch(config-if)# service-policy input macpolicy1 • Beginning with Cisco IOS Release 12.2(40)SE, a policy-map and a port trust state can both run on a physical interface. The policy-map is applied before the port trust state.
  • Page 550 Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Step 1, configure terminal: Enter global configuration mode. Step 2, mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte: Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
  • Page 551: Configuring Dscp Maps

    Step 9, service-policy input policy-map-name: Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported. Step 10: Return to privileged EXEC mode. Step 11, show mls qos aggregate-policer: Verify your entries.
  • Page 552: Configuring The Cos-To-Dscp Map

    • Configuring the DSCP-to-CoS Map, page 28-55 (optional) • Configuring the DSCP-to-DSCP-Mutation Map, page 28-56 (optional, unless the null settings in the map are not appropriate) All the maps, except the DSCP-to-DSCP-mutation map, are globally defined and are applied to all ports. Configuring the CoS-to-DSCP Map: You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
  • Page 553: Configuring The Ip-Precedence-To-Dscp Map

    This example shows how to modify and display the CoS-to-DSCP map: Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps cos-dscp Cos-dscp map: cos: -------------------------------- dscp:...
  • Page 554: Configuring The Policed-Dscp Map

    This example shows how to modify and display the IP-precedence-to-DSCP map: Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps ip-prec-dscp IpPrecedence-dscp map: ipprec: -------------------------------- dscp:...
  • Page 555: Configuring The Dscp-To-Cos Map

    Note: In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP.
  • Page 556: Configuring The Dscp-To-Dscp-Mutation Map

    This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display the map: Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0 Switch(config)# end Switch# show mls qos maps dscp-cos Dscp-cos map:...
  • Page 557: Configuring Ingress Queue Characteristics

    Step 4, mls qos trust dscp: Configure the ingress port as a DSCP-trusted port. By default, the port is not trusted. Step 5, mls qos dscp-mutation dscp-mutation-name: Apply the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, enter the mutation map name specified in Step 2.
  • Page 558: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    • How much of the available bandwidth is allocated between the queues? • Is there traffic (such as voice) that should be given high priority? These sections contain this configuration information: • Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds, page 28-58 (optional) •...
  • Page 559: Allocating Buffer Space Between The Ingress Queues

    Step 5, show mls qos maps: Verify your entries. The DSCP input queue threshold map appears as a matrix. The d1 column specifies the most-significant digit of the DSCP number; the d2 row specifies the least-significant digit in the DSCP number.
  • Page 560: Allocating Bandwidth Between The Ingress Queues

    Step 4, show mls qos interface buffer and show mls qos input-queue: Verify your entries. Step 5, copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos srr-queue input buffers global configuration command.
  • Page 561: Configuring The Ingress Priority Queue

    This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75): Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0 Switch(config)# mls qos srr-queue input bandwidth 25 75 Configuring the Ingress Priority Queue...
  • Page 562: Configuring Egress Queue Characteristics

    This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratios allocated to queues 1 and 2 are 4/(4+4).
  • Page 563 Each threshold value is a percentage of the queue’s allocated memory, which you specify by using the mls qos queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. The queues use WTD to support distinct drop percentages for different traffic classes. The egress queue default settings are suitable for most situations.
  • Page 564 Step 3, mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold: Configure the WTD thresholds, guarantee the availability of buffers, and configure the maximum memory allocation for the queue-set (four egress queues per port).
  • Page 565: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID: You can prioritize traffic by placing packets with particular DSCPs or classes of service into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. The egress queue default settings are suitable for most situations.
  • Page 566: Configuring Srr Shaped Weights On Egress Queues

    This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11 Configuring SRR Shaped Weights on Egress Queues: You can specify how much of the available bandwidth is allocated to each queue.
  • Page 567: Configuring Srr Shared Weights On Egress Queues

    Configuring SRR Shared Weights on Egress Queues: In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
  • Page 568: Configuring The Egress Expedite Queue

    Configuring the Egress Expedite Queue: Beginning in Cisco IOS Release 12.1(19)EA1, you can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
  • Page 569: Displaying Standard Qos Information

    Chapter 28 Configuring QoS Displaying Standard QoS Information. Step 3, srr-queue bandwidth limit weight1: Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent. Step 4: Return to privileged EXEC mode.
  • Page 570 Table 28-15 Commands for Displaying Standard QoS Information (continued). show policy-map [policy-map-name [class class-map-name]]: Display QoS policy maps, which define classification criteria for incoming traffic. Note: Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic.
  • Page 571: Chapter 29 Configuring Ipv6 Host Functions

    (SDM) template to a dual IPv4 and IPv6 template. See the “SDM Templates” section on page 29-6. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: “Understanding IPv6”...
  • Page 572: Ipv6 Addresses

    • Routing optimized for mobile devices • Duplicate Address Detection (DAD) feature For information about how Cisco Systems implements IPv6, go to this URL: http://www.cisco.com//warp/public/732/Tech/ipv6/ This section describes IPv6 implementation on the switch. These sections are included: • IPv6 Addresses, page 29-2 • Supported IPv6 Unicast Routing Features, page 29-3...
  • Page 573: Supported Ipv6 Unicast Routing Features

    IPv6 routers do not forward packets with link-local source or destination addresses to other links. See the section on IPv6 Unicast Addresses in the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00807fcf4b.html Each IPv6 host interface can support up to three addresses in hardware (one aggregatable global unicast address, one link-local unicast address, and zero or more privacy addresses).
  • Page 574: Dns For Ipv6

    Chapter 29 Configuring IPv6 Host Functions Understanding IPv6. DNS for IPv6: IPv6 introduces new Domain Name System (DNS) record types that are supported in the DNS name-to-address and address-to-name lookup processes. The new DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6.
  • Page 575: Ipv6 Applications

    New and upgraded applications can use both IPv4 and IPv6 protocol stacks. The Cisco IOS software supports the dual IPv4 and IPv6 protocol stack technique. When both IPv4 and IPv6 routing are enabled and an interface is configured with both an IPv4 and IPv6 address, the interface forwards both IPv4 and IPv6 traffic.
  • Page 576: Sdm Templates

    Figure 29-1 Dual IPv4 and IPv6 Support on an Interface (figure: one interface with IPv4 address 10.1.1.1 and IPv6 address 3ffe:yyyy::1). The switch uses ternary content addressable memory (TCAM) to store unicast routes, MAC addresses, access control lists (ACLs), and other features, and provides the switch database management (SDM) templates to allocate memory resources depending on how the switch is used.
  • Page 577: Dual Ipv4-And-Ipv6 Sdm Templates

    Dual IPv4-and-IPv6 SDM Templates These SDM templates support IPv4 and IPv6 environments: Note This release does not support IPv6 multicast routing or QoS. This release does support IPv6 Multicast Listener Discovery (MLD) snooping. Dual IPv4 and IPv6 default SDM template—supports Layer 2, QoS, and ACLs for IPv4;...
  • Page 578: Default Ipv6 Configuration

    Default IPv6 Configuration Table 29-2 shows the default IPv6 configuration. Table 29-2 Default IPv6 Configuration (Feature: Default Setting): SDM template: Default; IPv6 addresses: None configured. Configuring IPv6 ICMP Rate Limiting IPv6 ICMP rate limiting uses a token-bucket algorithm for limiting the rate at which IPv6 ICMP error messages are sent to the network.
  • Page 579: Configuring Static Routes For Ipv6

    To return to the default configuration, use the no ipv6 icmp error-interval global configuration command. This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens.
  • Page 580 Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]}: Configure a static IPv6 route. •...
  • Page 581: Displaying Ipv6

    This example shows how to configure a floating static route to an interface with an administrative distance of 130: Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet0/1 130 For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00807fcf4b.html Displaying IPv6 Table 29-3 shows the privileged EXEC commands for monitoring IPv6 on the switch.
  • Page 582 This is an example of the output from the show ipv6 interface privileged EXEC command: Switch# show ipv6 interface Vlan1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940 Global unicast address(es): 3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI] Joined group address(es):...
  • Page 583 This is an example of the output from the show ipv6 traffic privileged EXEC command. Switch# show ipv6 traffic IPv6 statistics: Rcvd: 1 total, 1 local destination 0 source-routed, 0 truncated 0 format errors, 0 hop count exceeded 0 bad header, 0 unknown option, 0 bad source 0 unknown protocol, 0 not a router 0 fragments, 0 total reassembled...
  • Page 585: Chapter 30 Configuring Ipv6 Mld Snooping

    Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures. This chapter includes these sections: • “Understanding MLD Snooping” section on page 30-1 ...
  • Page 586: Mld Messages

    Chapter 30 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on its directly attached links and to discover which multicast packets are of interest to neighboring nodes.
  • Page 587: Mld Queries

    MLD Queries The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast MAC-address configuration.
  • Page 588: Mld Reports

    • Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not MLD snooping is enabled on the switch. • After the discovery of the first IPv6 multicast router port, unknown IPv6 multicast data is forwarded ...
  • Page 589: Topology Change Notification Processing

    Topology Change Notification Processing When topology change notification (TCN) solicitation is enabled by using the ipv6 mld snooping tcn query solicit global configuration command, MLDv1 snooping sets the VLAN to flood all IPv6 multicast traffic with a configured number of MLDv1 queries before it begins sending multicast data only to selected ports.
  • Page 590: Mld Snooping Configuration Guidelines

    Table 30-1 Default MLD Snooping Configuration (continued) (Feature: Default Setting): Last listener query interval: Global: 1000 (1 second); VLAN: 0. The VLAN value overrides the global setting. Note When the VLAN value is 0, the VLAN uses the global interval.
  • Page 591 Command / Purpose: Step 4 copy running-config startup-config: (Optional) Save your entries in the configuration file. Step 5 reload: Reload the operating system. To globally disable MLD snooping on the switch, use the no ipv6 mld snooping global configuration command.
  • Page 592: Configuring A Static Multicast Group

    Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Command...
  • Page 593: Enabling Mld Immediate Leave

    Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ipv6 mld snooping vlan vlan-id mrouter interface interface-id: Specify the multicast router VLAN ID, and specify the interface to the multicast router.
  • Page 594: Configuring Mld Snooping Queries

    Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
  • Page 595: Disabling Mld Listener Message Suppression

    This example shows how to set the MLD snooping global robustness variable to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping robustness-variable 3 Switch(config)# exit This example shows how to set the MLD snooping last-listener query count for a VLAN to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3 Switch(config)# exit...
  • Page 596 Table 30-2 Commands for Displaying MLD Snooping Information (Command: Purpose): show ipv6 mld snooping [vlan vlan-id]: Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
  • Page 597: Chapter 31 Configuring Etherchannels And Link-State Tracking

    Chapter 31 Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on Layer 2 ports on the Catalyst 2960 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 598: Etherchannel Overview

    Incompatible ports are suspended. Beginning with Cisco IOS Release 12.2(35)SE, instead of a suspended state, the local port is put into an independent state and continues to carry data traffic as would any other single link.
  • Page 599: Port-Channel Interfaces

    Chapter 31 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels If a link within an EtherChannel fails, traffic previously carried over that failed link moves to the remaining links within the EtherChannel. If traps are enabled on the switch, a trap is sent for a failure that identifies the switch, the EtherChannel, and the failed link.
  • Page 600: Port Aggregation Protocol

    Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 601: Pagp Interaction With Other Features

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 602: Lacp Interaction With Other Features

    LACP Interaction with Other Features The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive LACP PDUs on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
  • Page 603 With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet. Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
  • Page 604: Configuring Etherchannels

    Figure 31-3 Load Distribution and Forwarding Methods (switch with source-based forwarding enabled, EtherChannel, Cisco router with destination-based forwarding enabled) Configuring EtherChannels These sections contain this configuration information: • Default EtherChannel Configuration, page 31-9 • EtherChannel Configuration Guidelines, page 31-9 ...
  • Page 605: Default Etherchannel Configuration

    Default EtherChannel Configuration Table 31-3 shows the default EtherChannel configuration. Table 31-3 Default EtherChannel Configuration (Feature: Default Setting): Channel groups: None assigned. Port-channel logical interface: None defined. PAgP mode: No default. PAgP learn method: Aggregate-port learning on all ports.
  • Page 606: Configuring Layer 2 Etherchannels

    • Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate. • Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel.
  • Page 607 Command / Purpose: Step 3 switchport mode {access | trunk}: Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id: If you configure the port as a static-access port, assign it to only one VLAN.
  • Page 608: Configuring Etherchannel Load Balancing

    This example shows how to configure an EtherChannel. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet0/1 -2 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10 Switch(config-if-range)# channel-group 5 mode desirable non-silent...
  • Page 609: Configuring The Pagp Learn Method And Priority

    To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command. Configuring the PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.
  • Page 610: Configuring Lacp Hot-Standby Ports

    Command / Purpose: Step 3 pagp learn-method physical-port: Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel.
  • Page 611: Configuring The Lacp System Priority

    Determining which ports are active and which are hot standby is a two-step procedure. First the system with a numerically lower system priority and system-id is placed in charge of the decision. Next, that system decides which ports are active and which are hot standby, based on its values for port priority and port number.
  • Page 612: Displaying Etherchannel, Pagp, And Lacp Status

    Note If LACP is not able to aggregate all the ports that are compatible (for example, the remote system might have more restrictive hardware limitations), all the ports that cannot be actively included in the EtherChannel are put in the hot-standby state and are used only if one of the channeled ports fails.
  • Page 613: Understanding Link-State Tracking

    You can clear LACP channel-group information and traffic counters by using the clear lacp {channel-group-number counters | counters} privileged EXEC command. For detailed information about the fields in the displays, see the command reference for this release. Understanding Link-State Tracking Link-state tracking, also known as trunk failover, is a feature that binds the link state of multiple interfaces.
  • Page 614 • Link-state group 1 on switch B: Switch B provides secondary links to server 1 and server 2 through link-state group 1. – Port 1 is connected to server 1, and port 2 is connected to server 2. Port 1 and port 2 are the downstream interfaces in link-state group 1.
  • Page 615: Configuring Link-State Tracking

    Figure 31-4 Typical Link-State Tracking Configuration (labels: Network, Layer 3 link, Distribution switch 1, Distribution switch 2, Link-state group 1, Link-state group 2, Port) ...
  • Page 616: Default Link-State Tracking Configuration

    Default Link-State Tracking Configuration There are no link-state groups defined, and link-state tracking is not enabled for any group. Link-State Tracking Configuration Guidelines Follow these guidelines to avoid configuration problems: •...
  • Page 617: Displaying Link-State Tracking Status

    To disable a link-state group, use the no link state track number global configuration command. Displaying Link-State Tracking Status Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups.
  • Page 619: Chapter 32 Troubleshooting

    Chapter 32 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2960 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 620: Recovering From A Software Failure

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 621: Recovering From A Lost Or Forgotten Password

    Step 11 start the transfer and to copy the software image into flash memory. Step 12 Boot the newly downloaded Cisco IOS image. switch:boot flash: image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch.
  • Page 622: Procedure With Password Recovery Enabled

    Chapter 32 Troubleshooting Recovering from a Lost or Forgotten Password Several lines of information about the software appear with instructions, informing you if the password recovery procedure has been disabled or not. If you see a message that begins with this: •...
  • Page 623 switch: rename flash: config.text flash: config.text.old Step 6 Boot up the system: switch: boot You are prompted to start the setup program. Enter N at the prompt: Continue with the configuration dialog? [yes/no]: N Step 7 At the switch prompt, enter privileged EXEC mode: Switch>...
  • Page 624: Procedure With Password Recovery Disabled

    Step 13 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
  • Page 625: Recovering From A Command Switch Failure

    This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com...
  • Page 626: Replacing A Failed Command Switch With A Cluster Member

    Note HSRP is the preferred method for supplying redundancy to a cluster. If you have not configured a standby command switch, and your command switch loses power or fails in some other way, management contact with the member switches is lost, and you must install a new command switch.
  • Page 627 Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return. Switch# setup --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y...
  • Page 628: Replacing A Failed Command Switch With Another Switch

    Replacing a Failed Command Switch with Another Switch To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps: Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
  • Page 629: Recovering From Lost Cluster Member Connectivity

    Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores. Step 11 When the initial configuration displays, verify that the addresses are correct. Step 12 If the displayed information is correct, enter Y, and press Return.
  • Page 630: Sfp Module Security And Identification

    If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 631: Understanding Ping

    Understanding Ping The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses: • Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending ...
  • Page 632: Using Layer 2 Traceroute

    Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 633: Displaying The Physical Path

    • The traceroute mac command output shows the Layer 2 path only when the specified source and destination MAC addresses belong to the same VLAN. If you specify source and destination MAC addresses that belong to different VLANs, the Layer 2 path is not identified, and an error message appears.
  • Page 634: Executing Ip Traceroute

    Your switches can participate as the source or destination of the traceroute privileged EXEC command and might or might not appear as a hop in the traceroute command output. If the switch is the destination of the traceroute, it is displayed as the final destination in the traceroute output.
  • Page 635: Using Tdr

    The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for each of the three probes that are sent. Table 32-2 Traceroute Output Display Characters (Character: Description): The probe timed out.
  • Page 636: Running Tdr And Displaying The Results

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 637: Enabling All-System Diagnostics

    If you enable a debug command and no output appears, consider these possibilities: • The switch might not be properly configured to generate the type of traffic you want to monitor. Use the show running-config command to check its configuration. •...
  • Page 638: Using The Show Platform Forward Command

    Using the show platform forward Command The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system. Depending upon the parameters entered about the packet, the output provides lookup table results and port maps used to calculate forwarding destinations, bitmaps, and egress information.
  • Page 639: Using The Crashinfo Files

    Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 640: Extended Crashinfo Files

    EXEC command. Extended crashinfo Files In Cisco IOS Release 12.2(25)SEC or later, the switch creates the extended crashinfo file when the system is failing. The information in the extended file includes additional information that can help determine the cause of the switch failure. You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.
  • Page 641: Appendix

    • CISCO-CDP-MIB • CISCO-CLUSTER-MIB • CISCO-CONFIG-COPY-MIB • CISCO-CONFIG-MAN-MIB • CISCO-ENTITY-VENDORTYPE-OID-MIB • CISCO-ENVMON-MIB • CISCO-ERR-DISABLE-MIB • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO-IP-STAT-MIB • CISCO-LAG-MIB • CISCO-MAC-NOTIFICATION-MIB...
  • Page 642: Appendix A Supported Mib

    Appendix A Supported MIBs MIB List • CISCO-MEMORY-POOL-MIB • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PRODUCTS-MIB • CISCO-PROCESS-MIB • CISCO-RTTMON-MIB • CISCO-SMI-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TC-MIB • CISCO-TCP-MIB • CISCO-UDLDP-MIB • CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VTP-MIB • ENTITY-MIB ...
  • Page 643: Using Ftp To Access The Mib Files

    Note You can also use this URL for a list of supported MIBs for the Catalyst 2960 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat2960/cat2960-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure: Make sure that your FTP client is in passive mode.
  • Page 644: Using Ftp To Access The Mib Files

  • Page 645: Appendix

    Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This appendix consists of these sections: •...
  • Page 646: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
  • Page 647: Appendix B Working With The Cisco Ios File System, Configuration Files, And Software Images

    Setting the Default File System You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 648: Creating And Removing Directories

    Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose...
  • Page 649: Deleting Files

    Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration ...
  • Page 650: Creating A Tar File

    Creating a tar File To create a tar file and write files into it, use this privileged EXEC command: archive tar /create destination-url flash:/file-url For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
  • Page 651: Extracting A Tar File

    c2960-lanbase-mz.122-25.FX/html/foo.html (0 bytes) c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.bin (4590080 bytes) c2960-lanbase-mz.122-25.FX/info (219 bytes) This example shows how to display only the /html directory and its contents: Switch# archive tar /table flash: c2960 - lanbase-mz.12-25/html...
  • Page 652: Working With Configuration Files

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 653: Configuration File Types And Location

    Use these guidelines when creating a configuration file: We recommend that you connect through the console port for the initial configuration of the switch.
  • Page 654: Copying Configuration Files By Using Tftp

    Step 5 Make sure the permissions on the file are set to world-read. Copying Configuration Files By Using TFTP You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server.
  • Page 655: Downloading The Configuration File By Using Tftp

    Downloading the Configuration File By Using TFTP To configure the switch by using a configuration file downloaded from a TFTP server, follow these steps: Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.
  • Page 656: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 657 NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation.
  • Page 658: Uploading A Configuration File By Using Ftp

    Switch# copy ftp: nvram:startup-config
    Address of remote host [255.255.255.255]? 172.16.101.101
    Name of configuration file[rtr2-confg]? host2-confg
    Configure using host2-confg from 172.16.101.101?[confirm]
    Connected to 172.16.101.101...
  • Page 659: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 660: Downloading A Configuration File By Using Rcp

    The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the RCP username.
  • Page 661: Uploading A Configuration File By Using Rcp

    %SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101
    This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 662
    Switch(config)# ip rcmd remote-username netadmin2
    Switch(config)# end
    Switch# copy nvram:startup-config rcp:
    Remote host[]? 172.16.101.101
    Name of configuration file to write [switch2-confg]?
    Write file switch2-confg on host 172.16.101.101?[confirm]...
  • Page 663: Clearing Configuration Information

    Replacing and Rolling Back Configurations
    The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information:
    • Understanding Configuration Replacement and Rollback, page B-19
    ...
  • Page 664 EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
  • Page 665: Configuration Guidelines

    When using the configure replace command, you must specify a saved configuration as the replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command).
  • Page 666: Performing A Configuration Replacement Or Rollback Operation

    Command and purpose, Step 5: time-period minutes. (Optional) Set the time increment for automatically saving an archive file of the running configuration in the configuration archive.
  • Page 667: Working With Software Images

    If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
  • Page 668: Image Location On The Switch

    Image Location on the Switch
    The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 669: Copying Image Files By Using Tftp

    ...Cisco IOS image
    total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them...
  • Page 670: Preparing To Download Or Upload An Image File By Using Tftp

    Note: Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
  • Page 671 Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image. To keep the current image, go to Step 3.
  • Page 672: Copying Image Files By Using Ftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 673: Downloading An Image File By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: ...
  • Page 674
    • If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download.
  • Page 675
    Command and purpose, Step 7: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]... Download the image file from the FTP server to the switch and overwrite the current image.
  • Page 676 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 677: Copying Image Files By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
    • The username specified in the archive download-sw or archive upload-sw privileged EXEC ...
  • Page 678
    • The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username.
  • Page 679 For example, suppose the switch contains these configuration lines:
    hostname Switch1
    ip rcmd remote-username User0
    If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:
    Switch1.company.com Switch1...
  • Page 680
    Command and purpose, Step 7: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-na... Download the image file from the RCP server to the switch and keep the current image.
  • Page 681 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 683: Appendix

    Configuration Compatibility Issues
    The configuration commands between the two switch platforms differ for these reasons:
    • The Catalyst 2950 switch runs Cisco IOS 12.1EA software, and the Catalyst 2960 switch runs Cisco IOS 12.2SE software.
    • The switch families have different hardware.
  • Page 684: Appendix C Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch

    %Invalid input detected at '^' marker.
    Feature: DHCP snooping
    Catalyst 2950 switch command and explanation: A Catalyst 2950 switch DHCP snooping feature limits the number of DHCP packets per second that an ...
    Result on the Catalyst 2960 switch: In Cisco IOS 12.2SE, the range was changed to 1 to 2048 messages per second.
  • Page 685
    Feature: IEEE 802.1x
    Catalyst 2950 switch command and explanation: In Cisco IOS 12.1EA, the Catalyst 2950 switch ranges for the IEEE 802.1x server-timeout, supp-timeout, and ...
    Result on the Catalyst 2960 switch: In Cisco IOS 12.2SE, the IEEE 802.1x server-timeout and supp-timeout ranges are 30 to 65535.
  • Page 686
    Catalyst 2950 switch command and explanation: We recommend that you enable automatic QoS (auto-QoS) on the Catalyst 2950 switch by using the auto qos voip {cisco-phone | cisco-softphone | trust} interface configuration command.
    Result on the Catalyst 2960 switch: For more information about the generated commands, see the auto qos voip command in ...
  • Page 687: Feature Behavior Incompatibilities

    Appendix C Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch: Feature Behavior Incompatibilities
    Table C-1 Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued)
    Feature | Catalyst 2950 Switch Command and Explanation | Result on the Catalyst 2960 Switch
    RSPAN | You have to specify one port as the reflector port with ... | Because of advanced hardware in the ...
  • Page 688
    • The Catalyst 2960 switch uses different port hardware than the Catalyst 2950 switch, and more QoS features are offered on the Catalyst 2960 switch. For example, the Catalyst 2950 switch supports WRR scheduling, whereas the Catalyst 2960 switch supports SRR scheduling.
  • Page 689: Appendix

    Appendix D Unsupported Commands in Cisco IOS Release 12.2(40)SE
    This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2960 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 2960 switch hardware limitations.
  • Page 690: Appendix D Unsupported Commands in Cisco IOS Release 12.2(40)SE

    Appendix D Unsupported Commands in Cisco IOS Release 12.2(40)SE: Boot Loader Commands
    Boot Loader Commands
    Unsupported User EXEC Commands
    boot buffersize
    Embedded Event Manager
    Unsupported Privileged EXEC Commands
    event manager update user policy [policy-filename | group [group name expression] ] | repository [url...
    Unsupported Global Configuration Commands
  • Page 691: Igmp Snooping Commands

    IGMP Snooping Commands
    Unsupported Global Configuration Commands
    ip igmp snooping tcn
    Interface Commands
    Unsupported Privileged EXEC Commands
    show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb...
  • Page 692: Unsupported Global Configuration Commands

    Miscellaneous
    show mac-address-table vlan
    show mac address-table multicast
    Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
    Unsupported Global Configuration Commands...
  • Page 693: Qos

    QoS
    Unsupported Global Configuration Command
    priority-list
    Unsupported Interface Configuration Commands
    priority-group
    rate-limit
    Unsupported Policy-Map Configuration Command
    class class-default (where class-default is the class-map-name)
    RADIUS
    Unsupported Global Configuration Commands
    aaa nas port extended...
  • Page 694: Spanning Tree

    Spanning Tree
    Unsupported Global Configuration Command
    spanning-tree pathcost method {long | short}
    Unsupported Interface Configuration Command
    spanning-tree stack-port
    VLAN
    Unsupported Global Configuration Command
    vlan internal allocation policy {ascending | descending}...
  • Page 695: Index

    Index: active traffic monitoring, IP SLAs 27-1 address aliasing 18-2 abbreviating commands addresses AC (command switch) displaying the MAC address table 6-26 access-denied response, VMPS 12-24 dynamic accessing accelerated aging 15-8 clusters, switch 5-12 changing the aging time 6-21 command switches 5-10...
  • Page 696 Index aging time automatic discovery accelerated considerations for MSTP beyond a noncandidate device 16-23 for STP brand new switches 15-8, 15-21 MAC address table connectivity 6-21 maximum different VLANs for MSTP management VLANs 16-23, 16-24 for STP non-CDP-capable devices 15-21, 15-22 alarms, RMON 24-3 noncluster-capable devices...
  • Page 697 18-8 See BPDU joining multicast group 18-3 broadcast storm-control command 19-4 CipherSuites 8-39 broadcast storms 19-1 Cisco 7960 IP Phone 14-1 Cisco Discovery Protocol See CDP Cisco IOS File System See IFS
  • Page 698 Index Cisco IOS IP Service Level Agreements (SLAs) clock responder See system clock Cisco IOS IP SLAs 27-1 cluster requirements xxxi Cisco Network Assistant clusters, switch See Network Assistant accessing 5-12 CiscoWorks 2000 1-4, 26-4 automatic discovery CIST regional root...
  • Page 699 Index command switch (continued) Configuration Engine standby (SC) configID, deviceID, hostname See also candidate switch, cluster standby group, member switch, and standby command switch configuration service community strings described configuring 5-13, 26-8 event service for cluster switches 26-4 embedded agents in clusters 5-13 described...
  • Page 700 Index configuration files (continued) CoS-to-DSCP map for QoS 28-52 obtaining with DHCP counters, clearing interface 10-19 password recovery disable considerations crashinfo file 32-21 replacing a running configuration critical authentication, IEEE 802.1x B-19, B-20 9-33 rolling back a running configuration cryptographic software image B-19, B-20 specifying the filename 3-12...
  • Page 701 Index default configuration (continued) DHCP-based autoconfiguration optional spanning-tree configuration 17-9 client request message exchange password and privilege level configuring RADIUS client side 8-20 RMON 24-3 RSPAN relay device 23-9 SDM template server side SNMP TFTP server 26-7 SPAN 23-9 example lease options 8-40 standard QoS...
  • Page 702 Index Domain Name System dynamic access ports See DNS characteristics 12-3 downloading configuring 12-26 configuration files defined 10-3 preparing dynamic addresses B-10, B-13, B-16 reasons for See addresses using FTP dynamic auto trunking mode B-13 12-15 using RCP dynamic desirable trunking mode B-17 12-15 using TFTP...
  • Page 703 Index EtherChannel (continued) Ethernet VLANs default configuration 31-9 adding 12-8 described defaults and ranges 31-2 12-7 displaying status modifying 31-16 12-8 forwarding methods 31-6, 31-12 29-3 IEEE 802.3ad, described events, RMON 31-5 24-3 interaction examples with STP conventions for 31-9 with VLANs 31-10 network configuration...
  • Page 704 Index files (continued) FTP (continued) extended crashinfo image files description deleting old image 32-22 B-32 location downloading 32-22 B-30 preparing the server B-29 creating uploading B-32 displaying the contents of extracting image file format B-24 file system get-bulk-request operation 26-3 displaying available file systems get-next-request operation 26-3, 26-5...
  • Page 705 Index HSRP IEEE 802.3ad automatic cluster recovery 5-11 See EtherChannel cluster standby group considerations IEEE 802.3x flow control 5-10 10-14 See also clusters, cluster standby group, and standby ifIndex values, SNMP 26-6 command switch HTTP over SSL IGMP see HTTPS configurable leave timer HTTPS 8-38...
  • Page 706 Index IGMP profile interfaces applying 18-25 auto-MDIX, configuring 10-15 configuration mode configuration guidelines 18-24 configuring duplex and speed 18-25 10-12 IGMP snooping configuring and address aliasing procedure 18-2 10-5 configuring counters, clearing 18-6 10-19 default configuration default configuration 18-6, 30-5, 30-6 10-9 definition 18-1...
  • Page 707 Index IP addresses (continued) IPv4 and IPv6 redundant clusters 5-10 differences 29-2 standby command switch dual protocol stacks 5-10, 5-12 29-5 See also IP information IPv6 ip igmp profile command addresses 18-24 29-2 IP information address formats 29-2 assigned advantages 29-2 manually applications...
  • Page 708 Index Layer 2 traceroute (continued) LLDP-MED (continued) multiple devices on a port 32-15 overview 21-1, 21-2 unicast traffic supported TLVs 32-14 21-2 usage guidelines LLDP Media Endpoint Discovery 32-14 Layer 3 packets, classification methods See LLDP-MED 28-2 LDAP local SPAN 23-2 LEDs, switch location TLV...
  • Page 709 Index MAC address notification, support for maximum aging time 1-10 MAC address-to-VLAN mapping 12-24 MSTP 16-23 MAC extended access lists 15-21 configuring for QoS maximum hop count, MSTP 28-43 16-24 for QoS classification membership mode, VLAN port 28-5 12-3 macros member switch See Smartports macros automatic discovery...
  • Page 710 Index monitoring (continued) MSTP (continued) port blocking defined 19-18 16-3 protection operations between regions 19-18 16-4 SFP status default configuration 10-18, 32-12 16-14 speed and duplex mode default optional feature configuration 10-13 17-9 traffic flowing among switches displaying status 24-1 16-26 traffic suppression enabling the mode...
  • Page 711 Index MSTP (continued) MST region and address aliasing 18-20 CIST and IGMPv3 16-3 18-20 configuring configuration guidelines 16-16 18-20 described configuring interfaces 16-2 18-21 hop-count mechanism default configuration 16-5 18-19 described 16-3 18-17 supported spanning-tree instances example application 16-2 18-18 optional features supported modes 18-21...
  • Page 712 Index Network Assistant (continued) management options associations requirements authenticating upgrading a switch defined B-23 wizards enabling broadcast messages network configuration examples peer increasing network performance server 1-13 long-distance, high-bandwidth transport default configuration 1-17 providing network services 1-13 displaying the configuration 6-11 server aggregation and Linux server cluster overview...
  • Page 713 Index passwords (continued) policy maps for QoS overview characteristics of 28-46 recovery of described 32-3 28-7 setting displaying 28-70 enable nonhierarchical on physical ports enable secret described 28-9 Telnet Port Aggregation Protocol with usernames See EtherChannel VTP domain 13-8 port-based authentication path cost accounting MSTP...
  • Page 714 Index port-based authentication (continued) port-based authentication (continued) guest VLAN voice VLAN configuration guidelines described 9-11, 9-12 9-14 described PVID 9-11 9-14 host mode VVID 9-14 inaccessible authentication bypass wake-on-LAN, described 9-15 configuring port blocking 9-33 1-3, 19-7 described port-channel 9-13 guidelines 9-21 See EtherChannel...
  • Page 715 Index port security (continued) PVST+ violations 19-9 described 15-9 with other features IEEE 802.1Q trunking interoperability 19-10 15-10 port-shutdown response, VMPS instances supported 12-24 15-9 port VLAN ID TLV 21-2 power management TLV 21-2, 21-6 preferential treatment of traffic See QoS preventing unauthorized access and MQC commands 28-1...
  • Page 716 Index QoS (continued) QoS (continued) class maps flowcharts configuring classification 28-44 28-6 displaying egress queueing and scheduling 28-69 28-16 configuration guidelines ingress queueing and scheduling 28-14 auto-QoS policing and marking 28-25 28-10 standard QoS implicit deny 28-32 28-7 configuring ingress queues aggregate policers 28-49 allocating bandwidth...
  • Page 717 Index QoS (continued) policers RADIUS configuring 28-48, 28-50 attributes described 28-8 vendor-proprietary 8-31 displaying 28-69 vendor-specific 8-29 number of 28-32 configuring types of 28-9 accounting 8-28 policies, attaching to an interface 28-8 authentication 8-23 policing authorization 8-27 described 28-4, 28-8 communication, global 8-21, 8-29 token bucket algorithm...
  • Page 718 Index responder, IP SLAs configuration files described 27-3 downloading enabling B-17 27-6 overview response time, measuring with IP SLAs B-15 27-4 preparing the server restricted VLAN B-16 uploading configuring B-18 9-31 image files described 9-12 deleting old image using with IEEE 802.1x B-36 9-12 downloading...
  • Page 719 Index root switch RSTP (continued) MSTP 16-17 proposal-agreement handshake process 16-10 rapid convergence 15-14 RSPAN described 16-10 characteristics edge ports and Port Fast 23-7 16-10 configuration guidelines point-to-point links 23-16 16-10, 16-24 default configuration root ports 23-9 16-10 defined root port, defined 23-2 16-9 destination ports...
  • Page 720 Simple Network Management Protocol disabling 26-15 See SNMP enabling 26-15 Smartports macros limiting access by TFTP servers 26-16 applying Cisco-default macros limiting system log messages to NMS 11-6 25-10 applying global parameter values 11-5, 11-6 manager functions 1-4, 26-3 applying macros...
  • Page 721 Index SNMP (continued) SPAN MIBs configuration guidelines 23-10 location of default configuration 23-9 supported destination ports 23-6 notifications displaying status 26-5 23-22 overview interaction with other features 26-1, 26-4 23-8 security levels monitored ports 26-3 23-5 status, displaying monitoring ports 26-18 23-6 system contact and location...
  • Page 722 Index static routes configuring 8-34 configuring for IPv6 29-9 cryptographic software image static VLAN membership 8-33 12-2 described statistics 1-5, 8-33 encryption methods 802.1x 8-34 9-41 user authentication methods, supported 8-34 20-4 interface 10-18 configuration guidelines LLDP 8-40 21-7 configuring a secure HTTP client 8-43 LLDP-MED 21-7...
  • Page 723 Index STP (continued) STP (continued) configuring interface states forward-delay time blocking 15-21 15-6 hello time disabled 15-20 15-7 maximum aging time forwarding 15-21 15-5, 15-6 path cost learning 15-18 15-6 port priority listening 15-16 15-6 root switch overview 15-14 15-4 secondary root switch 15-16 interoperability and compatibility among...
  • Page 724 Index STP (continued) system description TLV 21-2 shutdown Port Fast-enabled port 17-2 system message logging status, displaying default configuration 15-22 25-3 superior BPDU defining error message severity levels 15-3 25-8 timers, described disabling 15-20 25-4 UplinkFast displaying the configuration 25-13 described enabling 17-3...
  • Page 725 Index TACACS+ (continued) TFTP (continued) configuring image files accounting deleting 8-17 B-28 authentication key downloading 8-13 B-27 authorization preparing the server 8-16 B-26 login authentication uploading 8-14 B-28 default configuration limiting access by servers 8-13 26-16 displaying the configuration TFTP server 8-17 identifying the server 8-13...
  • Page 726 Index traffic suppression trusted boundary for QoS 19-1 28-36 transmit hold-count trusted port states see STP between QoS domains 28-38 transparent mode, VTP classification options 13-3, 13-12 28-5 trap-door mechanism ensuring port security for IP phones 28-36 traps support for configuring MAC address notification within a QoS domain 6-22...
  • Page 727 Index unicast MAC address filtering 1-4 (continued) uploading (continued) configuration guidelines 6-25 image files described preparing 6-25 B-26, B-29, B-33 unicast storm reasons for 19-1 B-23 unicast storm control command using FTP 19-4 B-32 unicast traffic, blocking using RCP 19-7 B-37 UniDirectional Link Detection protocol using TFTP...
  • Page 728 12-28 displaying 12-13 voice-over-IP 14-1 extended-range 12-1, 12-11 voice VLAN features Cisco 7960 phone, port connections 14-1 illustrated 12-2 configuration guidelines 14-3 limiting source traffic with RSPAN 23-21 configuring IP phones for data traffic limiting source traffic with SPAN...
  • Page 729 Index VTP (continued) adding a client to a domain 13-14 pruning advertisements disabling 12-16, 13-3 13-14 and extended-range VLANs enabling 13-1 13-14 and normal-range VLANs examples 13-1 13-5 client mode, configuring overview 13-11 13-4 configuration support for global configuration mode pruning-eligible list, changing 13-7 12-19...
  • Page 730 Index Xmodem protocol 32-2

This manual is also suitable for: WS-C2960S-24TD-L, WS-C2960S-48LPD-L, Catalyst 2960