Cisco Catalyst 2928 Software Configuration Manual

Cisco IOS Release 12.2(55)EZ

Catalyst 2928 Switch
Software Configuration Guide
Cisco IOS Release 12.2(55)EZ
November 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-23389-01

Summary of Contents for Cisco Catalyst 2928

  • Page 1 Catalyst 2928 Switch Software Configuration Guide Cisco IOS Release 12.2(55)EZ November 2010 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-23389-01...
  • Page 2 Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Monitoring Features Default Settings After Initial Switch Configuration Network Configuration Examples 1-11 Design Concepts for Using the Switch 1-11 Small to Medium-Sized Network Using Catalyst 2928 Switches 1-14 Campus Network Using Catalyst 2928 Switches 1-15 Where to Go Next 1-16...
  • Page 4 Checking and Saving the Running Configuration 3-14 Modifying the Startup Configuration 3-15 Default Boot Configuration 3-16 Automatically Downloading a Configuration File 3-16 Specifying the Filename to Read and Write the System Configuration 3-16 Catalyst 2928 Switch Software Configuration Guide OL-23389-01...
  • Page 5 Standby Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs...
  • Page 6 Configuring NTP Access Restrictions Configuring the Source IP Address for NTP Packets 7-10 Displaying the NTP Configuration 7-11 Configuring Time and Date Manually 7-11 Setting the System Clock 7-11 Displaying the Time and Date Configuration 7-12...
  • Page 7 Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level...
  • Page 8 Configuring the SSH Server 8-36 Displaying the SSH Configuration and Status 8-36 Configuring the Switch for Secure Socket Layer HTTP 8-37 Understanding Secure HTTP Servers and Clients 8-37 Certificate Authority Trustpoints 8-37 CipherSuites 8-39...
  • Page 9 Upgrading from a Previous Software Release 9-20 Configuring IEEE 802.1x Authentication 9-20 Configuring the Switch-to-RADIUS-Server Communication 9-22 Configuring the Host Mode 9-23 Configuring Periodic Re-Authentication 9-24 Manually Re-Authenticating a Client Connected to a Port 9-24...
  • Page 10 Configuring the Authentication Rule and Interfaces 10-10 Configuring AAA Authentication 10-11 Configuring Switch-to-RADIUS-Server Communication 10-11 Configuring the HTTP Server 10-13 Customizing the Authentication Proxy Web Pages 10-13 Specifying a Redirection URL for Successful Login 10-15...
  • Page 11 Configuring Interface Speed and Duplex Mode 12-17 Speed and Duplex Configuration Guidelines 12-17 Setting the Interface Speed and Duplex Parameters 12-18 Configuring IEEE 802.3x Flow Control 12-19 Configuring Auto-MDIX on an Interface 12-20...
  • Page 12 Configuring an Ethernet Interface as a Trunk Port 13-14 Interaction with Other Features 13-14 Configuring a Trunk Port 13-15 Defining the Allowed VLANs on a Trunk 13-16 Changing the Pruning-Eligible List 13-17 Configuring the Native VLAN for Untagged Traffic 13-17...
  • Page 13 Configuring a VTP Client 14-9 Disabling VTP (VTP Transparent Mode) 14-10 Enabling VTP Version 2 14-11 Enabling VTP Pruning 14-12 Adding a VTP Client Switch to a VTP Domain 14-12 Monitoring VTP 14-14...
  • Page 14 15-2 Configuring Voice VLAN 15-3 Default Voice VLAN Configuration 15-3 Voice VLAN Configuration Guidelines 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Displaying Voice VLAN 15-6 Configuring STP 16-1...
  • Page 15 Specifying the MST Region Configuration and Enabling MSTP 17-15 Configuring the Root Switch 17-17 Configuring a Secondary Root Switch 17-18 Configuring Port Priority 17-19 Configuring Path Cost 17-20 Configuring the Switch Priority 17-21...
  • Page 16 CHAPTER Configuring DHCP Features and IP Source Guard Features 19-1 Understanding DHCP Snooping 19-1 DHCP Server 19-2 DHCP Relay Agent 19-2 DHCP Snooping 19-2 Option-82 Data Insertion 19-4 DHCP Snooping Binding Database 19-7...
  • Page 17 Configuring Dynamic ARP Inspection in DHCP Environments 20-7 Configuring ARP ACLs for Non-DHCP Environments 20-8 Limiting the Rate of Incoming ARP Packets 20-10 Performing Validation Checks 20-11 Configuring the Log Buffer 20-12...
  • Page 18 CHAPTER Configuring Storm Control 22-1 Understanding Storm Control 22-1 Default Storm Control Configuration 22-3 Configuring Storm Control and Threshold Levels 22-3 Configuring Small-Frame Arrival Rate 22-5...
  • Page 19 Configuring LLDP and LLDP-MED 24-3 Default LLDP Configuration 24-3 Configuration Guidelines 24-3 Enabling LLDP 24-4 Configuring LLDP Characteristics 24-4 Configuring LLDP-MED TLVs 24-5 Configuring Network-Policy TLV 24-6 Monitoring and Maintaining LLDP and LLDP-MED 24-8...
  • Page 20 Specifying VLANs to Filter 26-12 Displaying SPAN Status 26-13 CHAPTER Configuring RMON 27-1 Understanding RMON 27-1 Configuring RMON 27-2 Default RMON Configuration 27-3 Configuring RMON Alarms and Events 27-3...
  • Page 21 Default SNMP Configuration 29-6 SNMP Configuration Guidelines 29-7 Disabling the SNMP Agent 29-7 Configuring Community Strings 29-8 Configuring SNMP Groups and Users 29-9 Configuring SNMP Notifications 29-11 Setting the Agent Contact and Location Information 29-15...
  • Page 22 CHAPTER Understanding QoS 31-1 Basic QoS Model 31-3 Classification 31-3 Queueing Overview 31-4 Weighted Tail Drop 31-4 Queueing on Ingress Queues 31-4 Queueing on Egress Queues 31-5 Packet Modification 31-6...
  • Page 23 Load Balancing and Forwarding Methods 32-6 Configuring EtherChannels 32-8 Default EtherChannel Configuration 32-9 EtherChannel Configuration Guidelines 32-9 Configuring Layer 2 EtherChannels 32-10 Configuring EtherChannel Load Balancing 32-12 Configuring the PAgP Learn Method and Priority 32-13...
  • Page 24 Running TDR and Displaying the Results 33-18 Using Debug Commands 33-18 Enabling Debugging on a Specific Feature 33-19 Enabling All-System Diagnostics 33-19 Redirecting Debug and Error Message Output 33-20 Using the show platform forward Command 33-20...
  • Page 25 APPENDIX MIB List Using FTP to Access the MIB Files APPENDIX Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 26 Working with Software Images B-19 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-20 Copying Image Files By Using TFTP B-21 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 27 Unsupported Global Configuration Commands Spanning Tree Unsupported Global Configuration Command Unsupported Interface Configuration Command VLAN Unsupported Global Configuration Command Unsupported vlan-config Command Unsupported User EXEC Commands Unsupported Privileged EXEC Commands INDEX...
  • Page 28 Contents...
  • Page 29 This guide is for the networking professional managing the Catalyst 2928 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 30: Related Publications

    • Catalyst 2928 Switch Getting Started Guide • Catalyst 2928 Switch Hardware Installation Guide • Regulatory Compliance and Safety Information for the Catalyst 2928 Switch • Cisco Small Form-Factor Pluggable Modules Installation Notes...
  • Page 31 Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 32 Preface...
  • Page 33: Features

    Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 34: Chapter 1 Overview

    Smart Install to allow a single point of management (director) in a network. You can use Smart Install to provide zero touch image and configuration upgrade of newly deployed switches and image and configuration downloads for any client switches. For more information, see the Cisco Smart Install Configuration Guide.
  • Page 35: Management Options

    For more information about the device manager, see the switch online help. • CLI—The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station.
  • Page 36: Manageability Features

    • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • Configuration logging to log and to view changes to the switch configuration...
  • Page 37: Availability And Redundancy Features

    • VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones...
  • Page 38: Security Features

    – Port security for controlling access to IEEE 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port – IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 39: Qos And Cos Features

    – Ratios and buffers/thresholds are predefined and fixed Power over Ethernet Features (WS-C2928-24LT-C only) • Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from Power over Ethernet (PoE)-capable ports if the switch detects that there is no power on the circuit.
  • Page 40: Monitoring Features

    Chapter 1 Overview Default Settings After Initial Switch Configuration • Support for Cisco intelligent power management. The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device to operate at its highest power mode.
  • Page 41 • STP, PVST+ is enabled on VLAN 1. For more information, see Chapter 16, “Configuring STP.” • MSTP is disabled. For more information, see Chapter 17, “Configuring MSTP.” • Optional spanning-tree features are disabled. For more information, see Chapter 18, “Configuring Optional Spanning-Tree Features.”...
  • Page 42 • Dynamic ARP inspection is disabled on all VLANs. For more information, see Chapter 21, “Configuring Dynamic ARP Inspection.” • No ACLs are configured. For more information, see Chapter 31, “Configuring Network Security with ACLs.”...
  • Page 43: Network Configuration Examples

    • “Design Concepts for Using the Switch” section on page 1-11 • “Small to Medium-Sized Network Using Catalyst 2928 Switches” section on page 1-14 Design Concepts for Using the Switch As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications that they use.
  • Page 44 1-1)—For high-speed access to network resources, you can use the Cisco Catalyst 2928 switches in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
  • Page 45 Using SFP modules provides flexibility in media and distance options through fiber-optic connections. Figure 1-2 Server Aggregation (campus core: Catalyst 6500 switches; Catalyst 3750 StackWise switch stacks; access-layer Catalyst switches; server racks)...
  • Page 46: Small To Medium-Sized Network Using Catalyst 2928 Switches

    Small to Medium-Sized Network Using Catalyst 2928 Switches Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses Catalyst 2928 switches with high-speed connections to two routers. This ensures connectivity to the Internet, WAN, and mission-critical network resources in case one of the routers fails.
  • Page 47: Campus Network Using Catalyst 2928 Switches

    This network uses Catalyst 2928 switches with connections to a core layer switch and a wireless services module. The switches connect workstations and wireless access points through the core layer to a third-party system that provides authentication, authorization, and accounting services.
  • Page 48: Where To Go Next

    Chapter 1 Overview Where to Go Next Figure 1-4 Catalyst 2928 Switches in a Network Access Control Deployment (third-party device: portal server + RADIUS server + DHCP server + policy server + accounting + billing information; core layer switch)...
  • Page 49: Understanding Command Modes

    CHAPTER 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2928 switch. It contains these sections: • Understanding Command Modes, page 2-1...
  • Page 50: Chapter 2 Using The Command-Line Interface

    ...console command. To return to privileged EXEC mode, press Ctrl-Z or enter end....
  • Page 51: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf...
  • Page 52: Understanding No And Default Forms Of Commands

    You can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the...
  • Page 53: Using Command History

    Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history size number-of-lines The range is from 0 to 256....
  • Page 54: Recalling Commands

    Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# no editing...
  • Page 55: Editing Commands Through Keystrokes

    ...Delete the word to the left of the cursor. Press Esc D: Delete from the cursor to the end of the word. Capitalize or lowercase words or capitalize a set of letters: Press Esc C: Capitalize at the cursor....
  • Page 56: Editing Command Lines That Wrap

    The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right: Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$...
  • Page 57: Searching And Filtering Output Of Show And More Commands

    • Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured....
  • Page 58 8-33. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station....
  • Page 59: Chapter 3 Assigning The Switch Ip Address And Default Gateway

    This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the Catalyst 2928 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 60: Assigning Switch Information

    If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously. • Default Switch Information, page 3-3 • Understanding DHCP-Based Autoconfiguration, page 3-3 • Manually Assigning IP Information, page 3-14...
  • Page 61: Default Switch Information

    DHCP server. A relay device forwards broadcast traffic between two directly connected LANs. A router does not forward broadcast packets, but it forwards packets based on the destination IP address in the received packet. DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch....
  • Page 62: Dhcp Client Request Process

    You can use the DHCP image upgrade features to configure a DHCP server to download both a new image and a new configuration file to one or more switches in a network. This helps ensure that each new switch added to a network receives the same image and configuration....
  • Page 63: Dhcp Autoconfiguration

    NVRAM unless you enter the write memory or copy running-configuration startup-configuration privileged EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts....
  • Page 64: Configuring Dhcp-Based Autoconfiguration

    • Example Configuration, page 3-9 If your DHCP server is a Cisco device, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
  • Page 65: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 66: Obtaining Configuration Files

    The switch receives its IP address, subnet mask, and the TFTP server address from the DHCP server. The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. (If the network-confg file cannot be read, the switch reads the cisconet.cfg file.)...
  • Page 67: Example Configuration

    Binding key (hardware address): 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003, 00e0.9f1e.2004. IP address: 10.0.0.21, 10.0.0.22, 10.0.0.23, 10.0.0.24. Subnet mask: 255.255.255.0, 255.255.255.0, 255.255.255.0, 255.255.255.0. Router address: 10.0.0.10, 10.0.0.10, 10.0.0.10, 10.0.0.10. DNS server address: 10.0.0.2, 10.0.0.2, 10.0.0.2, 10.0.0.2...
  • Page 68 • It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server. Switches B through D retrieve their configuration files and IP addresses in the same way....
  • Page 69: Configuring The Dhcp Auto Configuration And Image Update Features

    Switch(dhcp-config)# network 10.10.10.0 255.255.255.0 Switch(dhcp-config)# bootfile config-boot.text Switch(dhcp-config)# default-router 10.10.10.1 Switch(dhcp-config)# option 150 10.10.10.1 Switch(dhcp-config)# exit Switch(config)# tftp-server flash:config-boot.text Switch(config)# interface gigabitethernet1/0/4 Switch(config-if)# no switchport Switch(config-if)# ip address 10.10.10.1 255.255.255.0 Switch(config-if)# end...
  • Page 70: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    Upload the tarfile for the new image to the switch. Step 10 exit Return to global configuration mode. Step 11 tftp-server flash:config.text Specify the Cisco IOS configuration file on the TFTP server. Step 12 tftp-server flash:imagename.tar Specify the image name on the TFTP server. Step 13 tftp-server flash:filename.txt...
  • Page 71: Configuring The Client

    Config file: flash:/config.text Private Config file: flash:/private-config.text Enable Break: Manual Boot: HELPER path-list: NVRAM/Config file buffer size: 32768 Timeout for Config Download: 300 seconds Config Download via DHCP: enabled (next boot: enabled) Switch#...
  • Page 72: Manually Assigning Ip Information

    Checking and Saving the Running Configuration You can check the configuration settings that you entered or changes that you made by entering this privileged EXEC command: Switch# show running-config Building configuration... Current configuration: 1363 bytes version 12.1...
  • Page 73: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration • Default Boot Configuration, page 3-16...
  • Page 74: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 75: Booting Manually

    Filenames and directory names are case sensitive. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable manual booting, use the no boot manual global configuration command....
  • Page 76: Booting A Specific Software Image

    A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables are predefined and have default values....
  • Page 77 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 78: Scheduling A Reload Of The Software Image

    This example shows how to reload the software on the switch on the current day at 7:30 p.m.: Switch# reload at 19:30 Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes) Proceed with reload? [confirm]...
  • Page 79: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled)....
  • Page 80 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image...
  • Page 81: Chapter 4 Configuring Cisco Ios Cns Agents

    CHAPTER 4 Configuring Cisco IOS CNS Agents This chapter describes how to configure the Cisco IOS CNS agents on the Catalyst 2928 switch. Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html...
  • Page 82: Configuration Service

    URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 83: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 84: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 85: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features:...
  • Page 86: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 87: Enabling The Cns Event Agent

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at this URL: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/products_installation_and_configuration_guide_book09186a00803b59db.html Enabling the CNS Event Agent You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
  • Page 88: Enabling The Cisco Ios Cns Agent

    Switch(config)# cns event 10.180.1.27 keepalive 120 10 Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: • The cns config initial global configuration command enables the Cisco IOS agent and initiates an...
  • Page 89: Enabling An Initial Configuration

    Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents • The cns config partial global configuration command enables the Cisco IOS agent and initiates a partial configuration on the switch. You can then use the Configuration Engine to remotely send incremental configurations to the switch.
  • Page 90 ID, or enter an arbitrary text string for string string as the unique ID. Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] Enable the Cisco IOS agent, and initiate an initial configuration. • For {ip-address | hostname}, enter the IP address or...
  • Page 91: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id Ethernet 0 ipaddress RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 92: Displaying Cns Configuration

    Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats Displays statistics about the Cisco IOS agent.
  • Page 93: Chapter 5 Clustering Switches

    C H A P T E R Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 2928 switch clusters. You can create and manage switch clusters by using the command-line interface (CLI) or SNMP. For complete procedures, see the online help.
  • Page 94: Cluster Command Switch Characteristics

    • It is running Cisco IOS Release 12.2(44)SE or later. • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. •...
  • Page 95: Standby Cluster Command Switch Characteristics

    Clustering Switches Understanding Switch Clusters Standby Cluster Command Switch Characteristics A standby cluster command switch must meet these requirements: • It is running Cisco IOS 12.2(44)SE or later. • It has an IP address. • It has CDP version 2 enabled.
  • Page 96: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 97: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 98: Discovery Through Different Vlans

    VLAN. For information about discovery through management VLANs, see the “Discovery Through Different Management VLANs” section on page 5-7. For more information about VLANs, see Chapter 13, “Configuring VLANs.” Catalyst 2928 Switch Software Configuration Guide OL-23389-01...
  • Page 99: Discovery Through Different Management Vlans

    • Switches 7 and 10 (switches in management VLAN 4) because they are not connected through a common VLAN (meaning VLANs 62 and 9) with the cluster command switch. • Switch 9 because automatic discovery does not extend beyond a noncandidate device, which is switch 7.
  • Page 100: Discovery Of Newly Installed Switches

    VLANs 9 and 16. When new cluster-capable switches join the cluster: • One cluster-capable switch and its access port are assigned to VLAN 9. • The other cluster-capable switch and its access port are assigned to management VLAN 16.
  • Page 101: Hsrp And Standby Cluster Command Switches

    These topics also provide more detail about standby cluster command switches: • Virtual IP Addresses, page 5-10 • Other Considerations for Cluster Standby Groups, page 5-10 • Automatic Recovery of Cluster Configuration, page 5-11
  • Page 102: Virtual Ip Addresses

    • Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2928 switch, the standby cluster command switches must also be Catalyst 2928 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 103: Automatic Recovery Of Cluster Configuration

    The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.
  • Page 104: Ip Addresses

    We recommend that you do not change the member-switch password after it joins a cluster. For more information about passwords, see the “Preventing Unauthorized Access to Your Switch” section on page 8-1.
  • Page 105: Snmp Community Strings

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 106: Catalyst 1900 And Catalyst 2820 Cli Considerations

    The Telnet session accesses the member-switch CLI at the same privilege level as on the cluster command switch. The Cisco IOS commands then operate as usual. For instructions on configuring the switch for a Telnet session, see the “Disabling Password Recovery”...
  • Page 107 For more information about SNMP and community strings, see Chapter 29, “Configuring SNMP.” Figure 5-7 SNMP Management for a Cluster (an SNMP manager receives Trap 1, Trap 2 and Trap 3 through the command switch from Member 1, Member 2 and Member 3).
  • Page 109: Chapter 6 Configuring Sdm Templates

    Table 6-1 Approximate Number of Feature Resources Allowed by Each Template (columns: Resource, Default; rows: Unicast MAC addresses; IPv4 IGMP groups; IPv4 MAC QoS ACEs; IPv4 MAC security ACEs)
  • Page 110: Configuring The Switch Sdm Template

    If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template currently in use and the template that will become active after a reload.
  • Page 111: Displaying The Sdm Templates

    Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | qos] privileged EXEC command to display the resource numbers supported by the specified template.
  • Page 113: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 114: Understanding Network Time Protocol

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 115 If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 116: Configuring Ntp

    NTP that provide for accurate timekeeping) with other devices for security purposes: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default.
  • Page 117: Configuring Ntp Associations

    An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 118: Configuring Ntp Broadcast Service

    However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
  • Page 119 Specify the interface to receive NTP broadcast packets, and enter interface configuration mode. Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4 exit Return to global configuration mode.
  • Page 120: Configuring Ntp Access Restrictions

    NTP control queries and allows the switch to synchronize to the remote device. For access-list-number, enter a standard IP access list number from 1 to 99.
  • Page 121 99. However, the switch restricts access to allow only time requests from access list 42: Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch(config)# access-list 99 permit 172.20.130.5 Switch(config)# access-list 42 permit 172.20.130.6
  • Page 122: Configuring The Source Ip Address For Ntp Packets

    “Configuring NTP Associations” section on page 7-5.
  • Page 123: Displaying The Ntp Configuration

    • show ntp status For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 124: Displaying The Time And Date Configuration

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 125: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00: Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 126: Configuring A System Name And Prompt

    A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 127: Default System Name And Prompt Configuration

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 128: Default Dns Configuration

    Internet naming scheme (DNS). Step 5 Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 129: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 130: Configuring A Login Banner

    User Access Verification Password: Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
  • Page 131: Managing The Mac Address Table

    • Default MAC Address Table Configuration, page 7-20 • Changing the Address Aging Time, page 7-20 • Removing Dynamic Address Entries, page 7-21 • Configuring MAC Address Notification Traps, page 7-21 •...
  • Page 132: Building The Address Table

    Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN.
  • Page 133: Removing Dynamic Address Entries

    MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 134 • Enable the MAC notification trap whenever a MAC address is added on this interface. • Enable the MAC notification trap whenever a MAC address is removed from this interface. Step 8 Return to privileged EXEC mode.
  • Page 135: Adding And Removing Static Address Entries

    You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
  • Page 136: Configuring Unicast Mac Address Filtering

    % Only unicast addresses can be configured to be dropped % CPU destined address cannot be configured as drop address • Packets that are forwarded to the CPU are also not supported.
  • Page 137 When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
  • Page 138: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
  • Page 139: Chapter 8 Configuring Switch-Based Authentication

    CHAPTER 8 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 2928 switch. It consists of these sections: • Preventing Unauthorized Access to Your Switch, page 8-1 • Protecting Access to Privileged EXEC Commands, page 8-2 •...
  • Page 140: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 141: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 142 • By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 143: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 144: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 145: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 146: Setting The Privilege Level For A Command

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure Switch(config)# enable password level 14 SecretPswd14
  • Page 147: Changing The Default Privilege Level For Lines

    Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 148: Controlling Switch Access With Tacacs

    (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: • Understanding TACACS+, page 8-10...
  • Page 149 The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 150: Tacacs+ Operation

    This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 151: Default Tacacs+ Configuration

    TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful. Step 3 aaa new-model Enable AAA.
  • Page 152: Configuring Tacacs+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 153 {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 154: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 155: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 156: Understanding Radius

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 157: Radius Operation

    RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items: • Telnet, SSH, rlogin, or privileged EXEC services • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Page 158: Configuring Radius

    Identifying the RADIUS Server Host Switch-to-RADIUS-server communication involves several components: • Hostname or IP address • Authentication destination port • Accounting destination port • Key string • Timeout period • Retransmission value
  • Page 159 “Configuring Settings for All RADIUS Servers” section on page 8-29. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 8-25.
  • Page 160 This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
  • Page 161: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 162 • For list-name, specify the list created with the aaa authentication login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 163: Defining Aaa Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 164 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 165: Configuring Radius Authorization For User Privileged Access And Network Services

    EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
  • Page 166: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 167: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 168 (Optional) Save your entries in the configuration file. For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 169: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 170: Configuring The Switch For Local Authentication And Authorization

    To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods.
  • Page 171: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 172: Limitations

    IP domain name by using the ip domain-name global configuration command. • When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console.
  • Page 173: Setting Up The Switch To Run Ssh

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 174: Configuring The Ssh Server

    Commands for Displaying the SSH Server Configuration and Status Command Purpose show ip ssh Shows the version and configuration information for the SSH server. show ssh Shows the status of the SSH server.
  • Page 175: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 176 X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 177: Ciphersuites

    • Configuring the Secure HTTP Server, page 8-41 • Configuring the Secure HTTP Client, page 8-42 Default SSL Configuration: The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
  • Page 178: Ssl Configuration Guidelines

    RSA key pair. Step 13 Return to privileged EXEC mode. Step 14 show crypto ca trustpoints Verify the configuration. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 179: Configuring The Secure Http Server

    Step 10 ip http max-connections value (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
  • Page 180: Configuring The Secure Http Client

    Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.
  • Page 181: Displaying Secure Http Server And Client Status

    • Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair. Note: When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
  • Page 182: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 183 CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2928 switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.
  • Page 184: Understanding Ieee 802.1X Port-Based Authentication

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 185: Authentication Process

    VLAN that provides limited services if a guest VLAN is configured. Figure 9-2 shows the authentication process. Note: Inaccessible authentication bypass, referenced at the bottom of the flow chart, is not supported on the switch.
  • Page 186 After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
  • Page 187: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 9-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 188 MAC authentication bypass. Figure 9-4 Message Exchange During MAC Authentication Bypass (between the client, the switch and the authentication server (RADIUS): three EAPOL Request/Identity frames, an Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept).
  • Page 189: Ports In Authorized And Unauthorized States

    The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 190: Ieee 802.1X Accounting

    AV pairs are automatically sent by a switch that is configured for IEEE 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:
      • START: sent when a new user session starts
      • INTERIM: sent during an existing session for updates
      • STOP: sent when a session terminates
  • Page 191: Using Ieee 802.1X Authentication With Vlan Assignment

    You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a...
  • Page 192 (type 6). Attribute[81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user. For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 8-29.
  • Page 193: Using Ieee 802.1X Authentication With Guest Vlan

    VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section on page 9-14. For more information, see the “Configuring a Guest VLAN” section on page 9-28.
  • Page 194: Using Ieee 802.1X Authentication With Restricted Vlan

    Other port security features such as dynamic ARP inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 9-29.
  • Page 195: Using Ieee 802.1X Authentication With Voice Vlan Ports

    Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP Phone loses connectivity to the switch for up to 30 seconds.
  • Page 196: Using Ieee 802.1X Authentication With Mac Authentication Bypass

    During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
  • Page 197: 802.1X Authentication With Restricted Vlan

    RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
  • Page 198: Common Session Id

    (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5 The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the client. The ID appears automatically. No configuration is required.
  • Page 199: Configuring Ieee 802.1X Authentication

    IEEE 802.1x-based authentication of the client: Disabled.
    RADIUS server:
      • IP address: None specified.
      • UDP authentication port: 1812.
      • Key: None specified.
    Host mode: Single-host mode. Control direction: Bidirectional control. Periodic re-authentication: Disabled.
  • Page 200: Table

    MAC authentication bypass: Disabled. Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate...
  • Page 201: Ieee 802.1X Authentication Configuration Guidelines

      • Before globally enabling IEEE 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
  • Page 202: Vlan Assignment And Guest Vlan

      • If the port is in the authorized state, the port remains in this state until re-authorization occurs.
      • Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Default IEEE 802.1x Authentication Configuration” section on page 9-17.
  • Page 203 IEEE 802.1x authentication, and enter interface configuration mode. Step 9 switchport mode access: (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
  • Page 204: Configuring The Switch-To-Radius-Server Communication

    Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
  • Page 205: Configuring The Host Mode

    To disable multiple hosts on the port, use the no dot1x host-mode multi-host interface configuration command. This example shows how to enable IEEE 802.1x authentication and to allow multiple hosts:
      Switch(config)# interface gigabitethernet0/1
      Switch(config-if)# dot1x port-control auto
      Switch(config-if)# dot1x host-mode multi-host
      Switch(config-if)# end
  • Page 206: Configuring Periodic Re-Authentication

    “Configuring Periodic Re-Authentication” section on page 9-24. This example shows how to manually re-authenticate the client connected to a port: Switch# dot1x re-authenticate interface gigabitethernet0/1
  • Page 207: Changing The Quiet Period

    Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 5 to 65535 seconds; the default is 5.
  • Page 208: Setting The Switch-To-Client Frame-Retransmission Number

    To return to the default retransmission number, use the no dot1x max-req interface configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process: Switch(config-if)# dot1x max-req 5
  • Page 209: Setting The Re-Authentication Number

    Accounting message %s for session %s failed to receive Accounting Response. When the stop message is not sent successfully, this message appears: 00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
  • Page 210: Configuring A Guest Vlan

    Enter global configuration mode. Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 9-19.
  • Page 211: Configuring A Restricted Vlan

    For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section. Step 3 switchport mode access: Set the port to access mode. Step 4 dot1x port-control auto: Enable IEEE 802.1x authentication on the port.
  • Page 212 To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command. This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN: Switch(config-if)# dot1x auth-fail max-attempts 2
  • Page 213: Configuring Mac Authentication Bypass

    To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, which enables IEEE 802.1x on the port but does not allow clients connected to the port to be authorized, use the dot1x pae authenticator interface configuration command.
  • Page 214: Resetting The Ieee 802.1X Authentication Configuration To The Default Values

    For detailed information about the fields in these displays, see the command reference for this release. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Default IEEE 802.1x...
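The pages above configure the IEEE 802.1x pieces one at a time (RADIUS server, host mode, retransmission and quiet timers, periodic re-authentication, guest VLAN, restricted VLAN, MAC authentication bypass). The listing below puts them together on one access port. It is an added example, not configuration from the guide: the RADIUS server 10.0.0.5, the shared key, interface gigabitethernet0/1 and the VLAN IDs (10 data, 20 guest, 30 restricted) are assumptions, and the commands are shown as they would appear in the running configuration, with ! comments.

```text
! --- Global AAA and RADIUS (assumed server 10.0.0.5, assumed shared key) ---
aaa new-model
aaa authentication dot1x default group radius
! network authorization is what lets the server's tunnel attributes [64], [65] and [81]
! assign the VLAN; without it the Access-Accept's VLAN is ignored
aaa authorization network default group radius
! START, INTERIM and STOP records for every 802.1x session
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key Replace-With-Long-Random-Secret
radius-server vsa send authentication
! turn 802.1x on globally; remove any EtherChannel config from 802.1x ports before this step
dot1x system-auth-control
!
! --- VLANs for hosts that do not authenticate; give them no path to internal services ---
vlan 20
 name GUEST-NO-SUPPLICANT
vlan 30
 name RESTRICTED-AUTH-FAILED
!
! --- One user-facing access port (assumed gigabitethernet0/1) ---
interface gigabitethernet0/1
 switchport mode access
 switchport access vlan 10
 ! the port is the 802.1x authenticator and starts in the unauthorized state
 dot1x pae authenticator
 dot1x port-control auto
 ! single-host is the default and is stated here on purpose: multi-host would authorize
 ! every MAC address behind the port as soon as one client passes
 dot1x host-mode single-host
 ! MAC authentication bypass for printers and phones without a supplicant; the server
 ! only sees a (spoofable) MAC address, so keep what MAB-authorized VLANs can reach small
 dot1x mac-auth-bypass
 ! no EAPOL response after the retries below: port goes to the guest VLAN
 dot1x guest-vlan 20
 ! two failed authentication attempts: port goes to the restricted VLAN
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 ! 10 s between EAP-request/identity frames, at most 2 resends, then a 60 s quiet period
 dot1x timeout tx-period 10
 dot1x max-req 2
 dot1x timeout quiet-period 60
 ! periodic re-authentication, interval taken from the server's Session-Timeout (attribute 27)
 dot1x reauthentication
 dot1x timeout reauth-period server
```

Check the result with show dot1x interface gigabitethernet0/1 and show authentication sessions (the latter also prints the common session ID the RADIUS server logs). The guest and restricted VLANs are only as safe as what is reachable from them: dynamic ARP inspection, DHCP snooping and IP source guard are configured independently on those VLANs, as the restricted-VLAN page notes, and the VLAN itself should have no route to internal resources.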
  • Page 215: Configuring Web-Based Authentication

    These sections describe the role of web-based authentication as part of AAA:
      • Device Roles, page 10-2
      • Host Detection, page 10-2
      • Session Creation, page 10-3
      • Authentication Process, page 10-3
  • Page 216: Device Roles

      • ARP-based trigger: an ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
      • Dynamic ARP inspection
      • DHCP snooping: web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
  • Page 217: Session Creation

      • If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
      • If the terminate action is default, the session is dismantled, and the applied policy is removed.
  • Page 218: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 10-2.
  • Page 219 Figure 10-4. Figure 10-4 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 10-16.
  • Page 220: Guidelines

      • You must include an HTML redirect command in the success page to access a specific URL.
      • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 221: Web-Based Authentication Interactions With Other Features

    You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 22-8.
  • Page 222: Lan Port Ip

    ACLs: If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 223: Default Web-Based Authentication Configuration

      • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
      • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
  • Page 224: Web-Based Authentication Configuration Task List

    This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
      Switch(config)# ip admission name webauth1 proxy http
      Switch(config)# interface fastethernet 5/1
      Switch(config-if)# ip admission webauth1
      Switch(config-if)# exit
      Switch(config)# ip device tracking
  • Page 225: Configuring Aaa Authentication

      Switch(config)# aaa authorization auth-proxy default group tacacs+
    Configuring Switch-to-RADIUS-Server Communication. RADIUS security servers are identified by:
      • Host name
      • Host IP address
      • Host name and specific UDP port numbers
      • IP address and specific UDP port numbers
  • Page 226 For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html...
  • Page 227: Configuring The Http Server

    The device: is flash memory. Step 2 ip admission proxy http success page file device:success-filename: Specify the location of the custom HTML file to use in place of the default login success page.
  • Page 228
      Authentication global absolute time is 0 minutes
      Authentication global init state time is 2 minutes
      Authentication Proxy Session ratelimit is 100
      Authentication Proxy Watch-list is disabled
      Authentication Proxy Auditing is disabled
      Max Login attempts per user is 5
  • Page 229: Configuring An Aaa Fail Policy

    To remove the specification of a redirection URL, use the no form of the command. This example shows how to configure a redirection URL for successful login:
      Switch(config)# ip admission proxy http success redirect www.cisco.com
    This example shows how to verify the redirection URL for successful login:
      Switch# show ip admission configuration...
  • Page 230: Configuring The Web-Based Authentication Parameters

    (Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or file-path, which names a file (for example, a logo or text file) whose contents appear in the banner.
  • Page 231: Removing Web-Based Authentication Cache Entries

    This example shows how to view only the global web-based authentication status: Switch# show authentication sessions This example shows how to view the web-based authentication settings for gigabit interface 3/27: Switch# show authentication sessions interface gigabitethernet 3/27
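The web-based authentication pages above spread the required pieces over several tables: the AAA method lists, the RADIUS server, host detection, the HTTP server, the admission rule, the banner and success redirect, and the default port ACL that must exist on the interface before the rule is applied. The listing below is an added example that combines them on one Layer 2 port; it is not configuration from the guide. The RADIUS server 10.0.0.5, the shared key, interface fastethernet0/1, VLAN 10, the ACL name WEBAUTH-PREAUTH and the redirect URL http://intranet.example.com are assumptions.

```text
! --- Added example: local web-based authentication on one access port ---
aaa new-model
aaa authentication login default group radius
! auth-proxy authorization is what applies the per-host policy returned by the server
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key Replace-With-Long-Random-Secret
! include the host's IP address (attribute 8) in the Access-Request so the server can log it
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
! host detection: the switch must learn the host's IP address before it can proxy its HTTP
ip device tracking
! the login page is served by the switch itself; HTTPS needs a crypto-capable image (assumption)
ip http server
ip http secure-server
! the admission rule that intercepts HTTP from hosts that have not authenticated
ip admission name webauth1 proxy http
! banner on the login page; # is the delimiter, not part of the text
ip admission auth-proxy-banner http #Authorized users only. Activity is logged.#
! after a successful login, send the browser to a real page instead of the default result page
ip admission proxy http success redirect http://intranet.example.com
! cap password guessing through the portal (default shown on the status page is 5)
ip admission max-login-attempts 3
!
! Default PACL: everything an unauthenticated host may do. DHCP and DNS are needed to get an
! address and resolve names; HTTP is what the admission rule intercepts to serve the login page.
ip access-list extended WEBAUTH-PREAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 deny ip any any
!
interface fastethernet0/1
 switchport mode access
 switchport access vlan 10
 ! the PACL must be on the interface before web-based authentication is enabled on it
 ip access-group WEBAUTH-PREAUTH in
 ip admission webauth1
```

Verify with show ip admission configuration (global timers, rate limit and login-attempt cap) and show authentication sessions interface fastethernet0/1 (per-host state). Keep the PACL as narrow as the example: anything permitted there is reachable by a host that has never logged in, and a host whose DHCP lease or ARP entry is never seen is never detected at all, which is why ip device tracking is part of the configuration rather than optional.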
  • Page 232 Chapter 10 Configuring Web-Based Authentication: Displaying Web-Based Authentication Status (page 10-18)
  • Page 233: Chapter 11 Configuring Portal-Based Authentication

      • Port number
    The Catalyst 2928 switch works with a third-party system that includes a DHCP server, portal server, policy server, RADIUS server, and billing system. Together, the switch and the third-party system implement the binding of the six parameters through a combination of web authentication, DHCP authentication, and IP source guard.
  • Page 234: Configuring Portal-Based Authentication

    Chapter 11 Configuring Portal-Based Authentication. Figure 11-1 Catalyst 2928 Switches in a Network Access Control Deployment: a third-party device (portal server, RADIUS server, DHCP server, policy server, accounting and billing information) at the core layer...
  • Page 235: Enabling Portal-Based Authentication On The Switch

      Switch(config)# ip portal-auth secondary-host 192.168.0.252 l4port 8080
      Switch(config)# ip portal-auth permit route 192.168.0.0 255.255.0.0
      Switch(config)# ip portal-auth
      Switch(config)# end
    For additional portal-based authentication show commands, see the “Monitoring Portal-Based Authentication” section on page 11-6.
  • Page 236: Enabling Portal-Based Authentication On An Interface

    Specify the VLAN interface for RADIUS server communication. Step 4 radius-server attribute 8 include-in-access-req: Include the user IP address in the access request sent to the RADIUS server.
  • Page 237 This example shows how to configure communication between the switch and the RADIUS server. This configuration identifies the RADIUS server by its IP address 192.168.0.252, uses port 1645 as the authentication port and port 1646 as the accounting port, and sets the shared key to cisco: Switch(config)# ip http server...
  • Page 238: Monitoring Portal-Based Authentication

    show platform ip portal-auth user [detailed]: Display portal-based authentication user information in brief or detailed format.
    show platform ip portal-auth user interface interface-id [detailed]: Display portal-based authentication user information for the specified interface in either brief or detailed format.
  • Page 239: Understanding Interface Types

    Chapter 12 Configuring Interface Characteristics. This chapter defines the types of interfaces on the Catalyst 2928 switch and describes how to configure them. The chapter consists of these sections:
      • Understanding Interface Types, page 12-1
  • Page 240: Port-Based Vlans

    VLAN assigned to the port. If an access port receives a tagged packet (IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
  • Page 241: Trunk Ports

    Catalyst 6500 series switch; the Catalyst 2928 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 242: Power Over Ethernet (Poe) Ports (Ws-C2928-24Lt-C Only)

    CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
  • Page 243: Powered-Device Detection And Initial Power Allocation

      • A Cisco pre-standard powered device does not provide its power requirement when the switch detects it, so a Catalyst 2928 switch allocates 15.4 W as the initial allocation for power budgeting. The initial power allocation is the maximum amount of power that a powered device requires. The switch initially allocates this amount of power when it detects and powers the powered device.
  • Page 244: Power Monitoring And Power Policing

    When PoE is enabled, the switch senses the real-time power consumption of the powered device and monitors the power consumption of the connected powered device; this is called power monitoring or power sensing. The switch also uses the power policing feature to police the power usage.
  • Page 245 Configuring Interface Characteristics Understanding Interface Types Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device. For more information about these PoE features, see the “Powered-Device Detection and...
  • Page 246 If it still has power available, the switch then grants power to the PoE ports in auto mode in ascending order of the port numbers. For configuration information, see the “Configuring Power Policing” section on page 12-24.
  • Page 247: Connecting Interfaces

    10/100/1000 Mb/s Ethernet ports or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces.
      • Module number: The module or slot number on the switch (always 0 on the Catalyst 2928 switch).
      • Port number: The interface number on the switch. The port numbers always begin at 1, starting with
  • Page 248: Procedures For Configuring Interfaces

    You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 249 The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command.
  • Page 250: Configuring And Using Interface Range Macros

    Use the no define interface-range macro_name global configuration command to delete a macro. When using the define interface-range global configuration command, note these guidelines:
      • Valid entries for interface-range:
        – vlan vlan-ID, where the VLAN ID is 1 to 4094
  • Page 251 This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
      Switch# configure terminal
      Switch(config)# no define interface-range enet_list
      Switch(config)# end
      Switch# show run | include define
      Switch#
  • Page 252: Configuring Ethernet Interfaces

      • Storm control: See the “Default Storm Control Configuration” section on page 22-3.
      • Protected port: Disabled. See the “Configuring Protected Ports” section on page 22-6.
      • Port security: Disabled. See the “Default Port Security Configuration” section on page 22-11.
  • Page 253: Setting The Type Of A Dual-Purpose Uplink Port

    Disabled on SFP module ports; enabled on all other ports. Setting the Type of a Dual-Purpose Uplink Port Some Catalyst 2928 switches support dual-purpose uplink ports. For more information, see the “Setting the Type of a Dual-Purpose Uplink Port” section on page 12-15.
  • Page 254 SFP module interface. In all other situations, the switch selects the active link based on which type first links up. The Catalyst 2928 switch operates with 100BASE-x (where -x is -BX, -FX-FE, -LX) SFP modules as follows:
      • When the 100BASE-x SFP module is inserted into the module slot and there is no link on the RJ-45...
  • Page 255: Configuring Interface Speed And Duplex Mode

      • When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.
    Caution: Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
  • Page 256: Setting The Interface Speed And Duplex Parameters

      Switch(config-if)# speed 10
      Switch(config-if)# duplex half
    This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:
      Switch# configure terminal
      Switch(config)# interface gigabitethernet0/2
      Switch(config-if)# speed 100
  • Page 257: Configuring Ieee 802.3X Flow Control

    Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period. Note: Catalyst 2928 ports can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on, off, or desired.
  • Page 258: Configuring Auto-Mdix On An Interface

    (Optional) Save your entries in the configuration file. To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
      Switch# configure terminal
      Switch(config)# interface gigabitethernet0/1
  • Page 259: Configuring A Power Management Mode On A Poe Port

    The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a...
  • Page 260: Budgeting Power For Devices Connected To A Poe Port

    (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly. The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
  • Page 261 Display the power consumption status. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no power inline consumption default global configuration command.
  • Page 262: Configuring Power Policing

    PoE port:
      Step 1 configure terminal: Enter global configuration mode.
      Step 2 interface interface-id: Specify the physical port to be configured, and enter interface configuration mode.
  • Page 263: Adding A Description For An Interface

    Adding a Description for an Interface. You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.
  • Page 264: Configuring The System Mtu

    SNMP, or Telnet. Note: If Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames received on a Gigabit Ethernet interface and sent on a 10/100 interface are dropped.
  • Page 265: Monitoring And Maintaining The Interfaces

    These sections contain interface monitoring and maintenance information:
      • Monitoring Interface Status, page 12-28
      • Clearing and Resetting Interfaces and Counters, page 12-28
      • Shutting Down and Restarting the Interface, page 12-29
  • Page 266: Monitoring Interface Status

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 12-4...
  • Page 267: Shutting Down And Restarting The Interface

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 268 Chapter 12 Configuring Interface Characteristics: Monitoring and Maintaining the Interfaces (page 12-30)
  • Page 269: Chapter 13 Configuring Vlans

    This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2928 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 270: Supported Vlans

    VLAN Configuration Guidelines” section on page 13-5 for more information about the number of spanning-tree instances and the number of VLANs. The switch supports only IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  • Page 271: Vlan Port Membership Modes

    Dynamic-Access Ports on VMPS Clients” section on page 13-24. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic. VTP is not required; it has no effect on a voice VLAN.
  • Page 272: Configuring Normal-Range Vlans

    Note: This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
  • Page 273: Token Ring Vlans

      • If the switch is a VTP server, you must define a VTP domain or VTP will not function.
      • The switch does not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
  • Page 274: Saving Vlan Configuration

    Caution: If the VLAN database configuration is used at startup and the startup configuration file contains extended-range VLAN configuration, this information is lost when the system boots up. Default Ethernet VLAN Configuration: Table 13-2 shows the default configuration for Ethernet VLANs.
  • Page 275: Creating Or Modifying An Ethernet Vlan

    VLAN database. See the “Configuring Extended-Range VLANs” section on page 13-10. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 13-4.
  • Page 276: Deleting A Vlan

    Token Ring VLANs 1002 to 1005. Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
  • Page 277: Assigning Static-Access Ports To A Vlan

    This example shows how to configure a port as an access port in VLAN 2:
      Switch# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Switch(config)# interface gigabitethernet0/1
  • Page 278: Configuring Extended-Range Vlans

      • STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances is already in use on the switch, spanning tree is disabled on any newly created VLANs.
  • Page 279: Creating An Extended-Range Vlan

    To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 13-9.
  • Page 280: Displaying VLANs

    A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. The Catalyst 2928 switch supports IEEE 802.1Q encapsulation.
  • Page 281: IEEE 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the native VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 282: Default Layer 2 Ethernet Interface VLAN Configuration

    – STP port priority for each VLAN.
    – STP Port Fast setting.
    – Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
  • Page 283: Configuring a Trunk Port

    This example shows how to configure a port as an IEEE 802.1Q trunk. The example assumes that the neighbor interface is configured to support IEEE 802.1Q trunking.
      Switch# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Switch(config)# interface gigabitethernet0/2
  • Page 284: Defining the Allowed VLANs on a Trunk

    VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 285: Changing the Pruning-Eligible List

    A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default. Because every untagged frame that arrives on the trunk is placed in the native VLAN, a common hardening step is to set the native VLAN to an otherwise unused VLAN rather than leaving it at VLAN 1, where it shares a VLAN with every access port still at its default.
  • Page 286: Configuring Trunk Ports for Load Sharing

    VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in a blocking state for that VLAN. One trunk port sends or receives all traffic for the VLAN.
  • Page 287 Repeat Steps 7 through 10 on Switch A for a second port in the switch. Step 13 Repeat Steps 7 through 10 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
  • Page 288: Load Sharing Using STP Path Cost

    (Figure: two trunk ports between Switch A and Switch B, each carrying VLANs 2–4 and 8–10. Each VLAN group has path cost 19 on one trunk and path cost 30 on the other, so each trunk forwards one group and blocks the other.)
  • Page 289: Configuring VMPS

    • “Default VMPS Client Configuration” section on page 13-23
    • “VMPS Configuration Guidelines” section on page 13-23
    • “Configuring the VMPS Client” section on page 13-24
    • “Monitoring the VMPS” section on page 13-26
  • Page 290: Understanding VMPS

    Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
  • Page 291: Default VMPS Client Configuration

    • The VTP management domain of the VMPS client and the VMPS server must be the same.
    • The VLAN configured on the VMPS server should not be a voice VLAN.
  • Page 292: Configuring the VMPS Client

    Enter global configuration mode.
    Step 2  interface interface-id: Specify the switch port that is connected to the end station, and enter interface configuration mode.
    Step 3  switchport mode access: Set the port to access mode.
  • Page 293: Reconfirming VLAN Memberships

    Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Page 294: Changing the Retry Count

    This is an example of output for the show vmps privileged EXEC command:
      Switch# show vmps
      VQP Client Status:
      --------------------
      VMPS VQP Version:
      Reconfirm Interval: 60 min
      Server Retry Count: 3
      VMPS domain server: 172.20.128.86 (primary, current)
                          172.20.128.87
      Reconfirmation status
      ---------------------
      VMPS Action: other
  • Page 295: Troubleshooting Dynamic-Access Port VLAN Membership

    • The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
    • End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 296 (Figure: dynamic-port VLAN membership with VMPS. Switch E 172.20.26.154, Switch F 172.20.26.155, Switch G 172.20.26.156, Switch H 172.20.26.157; client Switch I 172.20.26.158 with a dynamic-access port to end station 2 and a trunk port; Catalyst 6500 series Switch J 172.20.26.159 as secondary VMPS server 3.)
  • Page 297: Chapter 14 Configuring VTP

    Configuring VTP: This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2928 switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 298: The VTP Domain

    For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-7.
  • Page 299: VTP Modes

    Otherwise, the switch cannot receive any VTP advertisements. For more information on trunk ports, see the “Configuring VLAN Trunks” section on page 13-12. VTP advertisements distribute this global domain information:
    • VTP domain name
    • VTP configuration revision number
    • Update identity and update timestamp
  • Page 300: VTP Version 2

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2.
  • Page 301 Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain).
  • Page 302 VTP configuration. Table 14-2 Default VTP Configuration:
      VTP domain name: Null
      VTP mode: Server
      VTP version: Version 1 (Version 2 is disabled)
      VTP password: None
      VTP pruning: Disabled
  • Page 303: VTP Configuration Guidelines

    VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.
  • Page 304: VTP Version

    When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Note: If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
  • Page 305: Configuring a VTP Client

    (vlan.dat). If the switch is then powered off, it resets the VTP configuration to the default. To keep the VTP configuration with VTP client mode after the switch restarts, you must first configure the VTP domain name before the VTP mode.
  • Page 306: Disabling VTP (VTP Transparent Mode)

    VTP configuration in the switch startup configuration file:
    Step 1  configure terminal: Enter global configuration mode.
    Step 2  vtp mode transparent: Configure the switch for VTP transparent mode (disable VTP).
  • Page 307: Enabling VTP Version 2

    In the VTP V2 Mode field of the display, verify that VTP Version 2 is enabled. To disable VTP Version 2, use the no vtp version global configuration command.
  • Page 308: Enabling VTP Pruning

    If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain. Before you connect a switch that was previously a member of another VTP domain, reset its configuration revision to 0 (changing its VTP domain name, or moving it to transparent mode and back, does this) and confirm with show vtp status. A VTP password, or transparent mode on switches that do not need VTP, limits what an unexpected advertisement can do.
  • Page 309 Note: You can use the vtp mode transparent global configuration command or the vtp transparent VLAN database configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain.
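    The trunk defaults on pages 284 and 285 (native VLAN 1, every VLAN allowed) and the VTP defaults and revision-number caution on pages 302 to 309 describe settings a switch ships with rather than settings an operator chose, which is why they are worth auditing. The following Python script is an added example, not code from the Cisco guide: it parses a constructed IOS running-config excerpt and reports trunks left on native VLAN 1 or allowing all VLANs, access ports still in VLAN 1 while such a trunk exists, access ports without BPDU guard (Chapter 18), and VTP left in server mode without a password. The hostnames, interface names and configuration text are made up; the IOS commands it looks for are the ones this guide documents.

```python
"""Audit a Cisco IOS running-config for the Layer 2 gaps discussed in this
chapter and Chapter 18. Added example, not from the Cisco guide; the sample
configuration below is constructed."""
from dataclasses import dataclass, field

# Constructed running-config excerpt: one hardened trunk, one default trunk,
# one hardened access port, one access port left at its defaults, VTP defaults.
SAMPLE_CONFIG = """\
vtp domain CORP
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix):
        return any(l.startswith(prefix) for l in self.lines)

    def value(self, prefix, default=None):
        for l in self.lines:
            if l.startswith(prefix):
                return l[len(prefix):].strip()
        return default


def parse(config):
    """Split a running-config into global lines and interface stanzas
    (indented lines belong to the most recent 'interface' line)."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces[current.name] = current
        elif line.startswith(" ") and current is not None:
            current.lines.append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit(config):
    """Return (target, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    global_lines, interfaces = parse(config)

    # Table 14-2 defaults: VTP server mode, no password. A switch joining with a
    # higher configuration revision overwrites the VLAN table of every server.
    mode = next((g.split()[2] for g in global_lines if g.startswith("vtp mode ")), "server")
    if mode == "server" and not any(g.startswith("vtp password ") for g in global_lines):
        findings.append(("vtp", "server mode without a VTP password; set one, or use "
                                "'vtp mode transparent' so advertisements are not accepted"))

    # 'spanning-tree portfast bpduguard default' guards every Port Fast port.
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    trunks = [i for i in interfaces.values() if i.value("switchport mode") == "trunk"]
    access = [i for i in interfaces.values() if i.value("switchport mode") == "access"]
    native1 = [t.name for t in trunks if t.value("switchport trunk native vlan", "1") == "1"]

    for t in trunks:
        if t.name in native1:
            findings.append((t.name, "native VLAN left at 1; untagged frames on this trunk "
                                     "are VLAN 1 traffic"))
        if not t.has("switchport trunk allowed vlan "):
            findings.append((t.name, "every VLAN allowed on the trunk; restrict the list"))

    for a in access:
        if a.value("switchport access vlan", "1") == "1" and native1:
            findings.append((a.name, "access port in VLAN 1 while %s use native VLAN 1: a frame "
                                     "tagged VLAN 1 then a target VLAN leaves the trunk with only "
                                     "the inner tag" % ",".join(native1)))
        guarded = a.has("spanning-tree bpduguard enable") or (
            guard_default and a.has("spanning-tree portfast"))
        if not guarded:
            findings.append((a.name, "no BPDU guard; an attached device that sends BPDUs "
                                     "takes part in the spanning tree"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_CONFIG):
        print("%-20s %s" % (target, finding))
```

    Run against the constructed config, the script flags GigabitEthernet0/23 twice (native VLAN 1, all VLANs allowed), GigabitEthernet0/2 twice (VLAN 1 beside a native-VLAN-1 trunk, no BPDU guard) and the VTP defaults once; GigabitEthernet0/1 and GigabitEthernet0/24 pass. Feed it the output of show running-config from a real switch to reuse it.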
  • Page 310: Monitoring VTP

    EXEC commands for monitoring VTP activity. Table 14-3 VTP Monitoring Commands:
      show vtp status: Display the VTP switch configuration information.
      show vtp counters: Display counters about VTP messages that have been sent and received.
  • Page 311: Chapter 15 Configuring Voice VLAN

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 312: Cisco IP Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 313: Configuring Voice VLAN

    For more information, see Chapter 31, “Configuring QoS.”
    • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
  • Page 314: Configuring a Port Connected to a Cisco 7960 IP Phone

    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
  • Page 315: Configuring Cisco IP Phone Voice Traffic

    Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 316: Displaying Voice VLAN

    To return the port to its default setting, use the no switchport voice vlan interface configuration command. Displaying Voice VLAN: To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command.
  • Page 317: Configuring STP

    This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2928 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 318: STP Overview

    The stable, active spanning-tree topology of a switched network is controlled by these elements:
    • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
    • The spanning-tree path cost to the root switch.
  • Page 319: Bridge ID, Switch Priority, and Extended System ID

    VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
  • Page 320: Spanning-Tree Interface States

    • From initialization to blocking
    • From blocking to listening or to disabled
    • From listening to learning or to disabled
    • From learning to forwarding or to disabled
    • From forwarding to disabled
  • Page 321: Blocking State

    An interface in the blocking state performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Receives BPDUs
  • Page 322: Listening State

    A disabled interface performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
  • Page 323: How a Switch or Port Becomes the Root Switch or Root Port

    If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds are the same, the port ID (the port priority combined with the port number) decides: the link with the lower port ID stays forwarding, and spanning tree disables the other one.
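    To make the election rules on pages 319 and 323 concrete, this added Python example (not code from the Cisco guide) builds the 8-byte bridge ID with the extended system ID, elects the root for a VLAN, shows the priority that spanning-tree vlan vlan-id root primary would choose, and breaks the tie between equal-speed parallel links by port ID using the default path costs from page 327. The switch names, MAC addresses, priorities and links are constructed; the root primary rule (24576, or 4096 below the lowest priority already present in the VLAN) is Cisco-documented behavior rather than text from this page, and the priority.mac rendering follows the show spanning-tree output format.

```python
"""Bridge ID, root election and root-port tie-break for PVST+ with the extended
system ID (pages 319, 323 and 327). Added example, not from the Cisco guide; the
switches, MAC addresses, priorities and links below are constructed."""

DEFAULT_PRIORITY = 32768
PATH_COST = {10: 100, 100: 19, 1000: 4}   # default per-VLAN port costs (page 327)


def bridge_id(priority, vlan, mac):
    """8-byte bridge ID as an int: a 16-bit priority field followed by the 6-byte
    MAC. With the extended system ID the field is the configured priority (a
    multiple of 4096) plus the 12-bit VLAN ID, so every VLAN has a distinct ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return ((priority + vlan) << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def show_bridge_id(bid):
    """Render as 'show spanning-tree' does: <priority field>.<mac>."""
    return "%d.%012x" % (bid >> 48, bid & 0xFFFFFFFFFFFF)


def elect_root(switches, vlan):
    """The numerically lowest bridge ID for the VLAN wins; the MAC breaks ties."""
    return min(switches, key=lambda s: bridge_id(
        s["priority"].get(vlan, DEFAULT_PRIORITY), vlan, s["mac"]))["name"]


def root_primary(switches, me, vlan):
    """Priority that 'spanning-tree vlan <vlan> root primary' sets on switch 'me':
    24576 unless another switch is already lower, then 4096 below the lowest."""
    lowest = min(s["priority"].get(vlan, DEFAULT_PRIORITY)
                 for s in switches if s["name"] != me)
    return 24576 if lowest >= 24576 else max(lowest - 4096, 0)


def choose_root_port(links):
    """Parallel links toward the same upstream switch: keep the one with the lowest
    root path cost, then lowest designated bridge ID, then lowest designated port
    ID (port priority, then port number); the others are blocked."""
    return min(links, key=lambda l: (PATH_COST[l["speed_mbps"]], l["designated_bridge_id"],
                                     (l["port_priority"], l["port_number"])))["local_port"]


# Constructed topology: two distribution switches, an access switch at defaults,
# and a device on an access port that starts bridging with priority 0. Root guard
# exists for this case: 'root primary' can only match priority 0, after which the
# MAC address decides.
SWITCHES = [
    {"name": "dist-1", "mac": "0019.e7aa.0001", "priority": {10: 24576}},
    {"name": "dist-2", "mac": "0019.e7aa.0002", "priority": {10: 28672}},
    {"name": "access-1", "mac": "0019.e7aa.0003", "priority": {}},
]
ROGUE = {"name": "rogue", "mac": "0200.0000.0001", "priority": {10: 0}}
# Two equal-speed uplinks and one slower link from access-1 to the same upstream
# switch (designated bridge ID simplified to a small integer).
LINKS = [
    {"local_port": "Gi0/25", "speed_mbps": 1000, "designated_bridge_id": 1,
     "port_priority": 128, "port_number": 2},
    {"local_port": "Gi0/26", "speed_mbps": 1000, "designated_bridge_id": 1,
     "port_priority": 128, "port_number": 1},
    {"local_port": "Fa0/1", "speed_mbps": 100, "designated_bridge_id": 1,
     "port_priority": 128, "port_number": 3},
]

if __name__ == "__main__":
    print("VLAN 10 root:", elect_root(SWITCHES, 10))
    print("with rogue:  ", elect_root(SWITCHES + [ROGUE], 10))
    print("root primary on dist-1 would set", root_primary(SWITCHES + [ROGUE], "dist-1", 10))
    print("root port on access-1:", choose_root_port(LINKS))
```

    With the constructed values dist-1 is root for VLAN 10 until the rogue device appears, after which the rogue wins outright; root primary on dist-1 can then only drop to 0 and win on MAC address, which is the argument for enabling root guard on access-facing ports (page 372) instead of competing on priority.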
  • Page 324: Spanning-Tree Address Management

    A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
  • Page 325: Spanning-Tree Modes and Protocols

    The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 326: Spanning-Tree Interoperability and Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 327: Default Spanning-Tree Configuration

    Spanning-tree VLAN port cost (configurable on a per-VLAN basis):
      1000 Mb/s: 4
      100 Mb/s: 19
      10 Mb/s: 100
    Spanning-tree timers:
      Hello time: 2 seconds
      Forward-delay time: 15 seconds
      Maximum-aging time: 20 seconds
      Transmit hold count: 6 BPDUs
  • Page 328: Spanning-Tree Configuration Guidelines

    “Optional Spanning-Tree Configuration Guidelines” section on page 18-10. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 329: Changing the Spanning-Tree Mode

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 330: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID adds the VLAN ID to the configured switch priority, so for the same configured priority a switch with extended system ID support always has a higher (less preferred) bridge priority value than a connected switch running older software.
  • Page 331 Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 332: Configuring a Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 333 To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-18.
  • Page 334: Configuring Path Cost

    The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
  • Page 335: Configuring the Switch Priority of a VLAN

    Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 336: Configuring Spanning-Tree Timers

    Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 337: Configuring the Forwarding-Delay Time for a VLAN

    Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 338: Configuring the Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 339: Chapter 17 Configuring MSTP

    Configuring MSTP: This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2928 switch. Note: The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(44)SE is based on the IEEE 802.1s standard.
  • Page 340: Understanding MSTP

    M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.
  • Page 341: Operations Within an MST Region

    The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions.
  • Page 342 VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Page 343: IEEE 802.1s Terminology

    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 344: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 345: Interoperation Between Legacy and Standard Switches

    Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 346: Interoperability with IEEE 802.1D STP

    • Rapid Convergence, page 17-9
    • Synchronization of Port Roles, page 17-11
    • Bridge Protocol Data Unit Format and Processing, page 17-12
    For configuration information, see the “Configuring MSTP Features” section on page 17-13.
  • Page 347: Port Roles and the Active Topology

    (Table row: operational status Disabled; STP port state Disabled; RSTP port state Discarding.) To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 348 (Figure: Proposal and Agreement Handshaking for Rapid Convergence. Switch A, the root switch, sends a proposal from its designated port to Switch B, which answers with an agreement from its root port; Switch B then proposes from its designated port to Switch C, which agrees in the same way. Legend: DP = designated port, RP = root port, F = forwarding.)
  • Page 349: Synchronization of Port Roles

    (Figure: Sequence of Events During Rapid Convergence. 1. Proposal; 2. Block; 3. Block; 4. Agreement; 5. Forward; 6. Proposal; 7. Proposal; 8. Agreement; 9. Forward; 10. Agreement; 11. Forward. Port labels: edge port, root port, designated port.)
  • Page 350: Bridge Protocol Data Unit Format and Processing

    RSTP sets the port to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state.
  • Page 351: Processing Inferior BPDU Information

    • Default MSTP Configuration, page 17-14
    • MSTP Configuration Guidelines, page 17-14
    • Specifying the MST Region Configuration and Enabling MSTP, page 17-15 (required)
    • Configuring the Root Switch, page 17-17 (optional)
  • Page 352: Default MSTP Configuration

    • For two or more switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
  • Page 353: Specifying the MST Region Configuration and Enabling MSTP

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required.
    Step 1  configure terminal: Enter global configuration mode.
    Step 2  spanning-tree mst configuration: Enter MST configuration mode.
  • Page 354 1, display the pending configuration, apply the changes, and return to global configuration mode:
      Switch(config)# spanning-tree mst configuration
      Switch(config-mst)# instance 1 vlan 10-20
      Switch(config-mst)# name region1
      Switch(config-mst)# revision 1
      Switch(config-mst)# show pending
      Pending MST configuration
      Name      [region1]
      Revision
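    Page 352 states that switches belong to the same MST region only when the region name, the revision number and the VLAN-to-instance map all match, and page 354 shows the commands that set them. IEEE 802.1s makes the map comparable by carrying an HMAC-MD5 digest of a 4096-entry table of 16-bit instance numbers, computed with the fixed key 0x13AC06A62E47FD51F95D2BA243CD0346, which is the digest that show spanning-tree mst configuration digest displays. The following Python example is added here and is not code from the Cisco guide: it parses MST configuration-mode lines like the ones on page 354, computes the digest, and shows that a single extra VLAN on one switch puts it in a different region. The two switch configurations are constructed (Switch A copies the page 354 example plus a second instance; Switch B differs by one VLAN).

```python
"""Region membership in MSTP (page 352): two switches share a region only if the
name, the revision number and the VLAN-to-instance map all match. 802.1s
compares the map through an HMAC-MD5 digest over a 4096-entry table of 16-bit
instance numbers, keyed with a fixed constant. Added example, not code from the
Cisco guide; the two configurations below are constructed."""
import hashlib
import hmac

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")   # IEEE 802.1s key


def parse_mst_config(text):
    """Read 'name', 'revision' and 'instance <n> vlan <list>' lines from MST
    configuration mode and return (name, revision, {vlan: instance})."""
    name, revision, mapping = "", 0, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":
            name = parts[1] if len(parts) > 1 else ""
        elif parts[0] == "revision":
            revision = int(parts[1])
        elif parts[0] == "instance" and len(parts) == 4 and parts[2] == "vlan":
            inst = int(parts[1])
            for item in parts[3].split(","):
                lo, _, hi = item.partition("-")
                for vlan in range(int(lo), int(hi or lo) + 1):
                    mapping[vlan] = inst
    return name, revision, mapping


def instance_table(mapping):
    """Entry v (big-endian 16 bits) is the MSTI of VLAN v; unmapped VLANs,
    VLAN 0 and VLAN 4095 stay in instance 0 (the IST)."""
    table = bytearray(4096 * 2)
    for vlan, inst in mapping.items():
        if not 1 <= vlan <= 4094 or not 0 <= inst <= 4094:
            raise ValueError("VLAN or instance out of range")
        table[2 * vlan:2 * vlan + 2] = inst.to_bytes(2, "big")
    return bytes(table)


def config_digest(mapping):
    """Configuration digest as 'show spanning-tree mst configuration digest' prints it."""
    return hmac.new(MST_DIGEST_KEY, instance_table(mapping), hashlib.md5).hexdigest().upper()


def region_identifier(text):
    """(name, revision, digest): all three must be equal for one region."""
    name, revision, mapping = parse_mst_config(text)
    return name, revision, config_digest(mapping)


def same_region(text_a, text_b):
    return region_identifier(text_a) == region_identifier(text_b)


# Constructed: Switch B was meant to copy Switch A's region but VLAN 21 was added
# to instance 1 on B only, so B ends up alone in its own region.
SWITCH_A = """
name region1
revision 1
instance 1 vlan 10-20
instance 2 vlan 30,40
"""
SWITCH_B = """
name region1
revision 1
instance 1 vlan 10-21
instance 2 vlan 30,40
"""

if __name__ == "__main__":
    for label, cfg in (("Switch A", SWITCH_A), ("Switch B", SWITCH_B)):
        print(label, *region_identifier(cfg))
    print("same region:", same_region(SWITCH_A, SWITCH_B))
```

    Because the name and revision match while the digests differ, the link between the two switches becomes a region boundary and the two IST instances interact only through the CIST. Comparing the three values printed by show spanning-tree mst configuration digest on each switch is the quickest way to find which of the three a mismatch comes from.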
  • Page 355: Configuring the Root Switch

    Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 356: Configuring a Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 357: Configuring Port Priority

    Enter global configuration mode.
    Step 2  interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 358: Configuring Path Cost

    Enter global configuration mode.
    Step 2  interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 359: Configuring the Switch Priority

    Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 360: Configuring the Hello Time

    Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
  • Page 361: Configuring the Forwarding-Delay Time

    Verify your entries. Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
  • Page 362: Configuring the Maximum-Hop Count

    Verify your entries. Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 363: Designating the Neighbor Type

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
  • Page 364: Displaying the MST Configuration and Status

    Displays MST information for the specified instance.
    show spanning-tree mst interface interface-id: Displays MST information for the specified interface.
    For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 365: Understanding Optional Spanning-Tree Features

    Configuring Optional Spanning-Tree Features: This chapter describes how to configure optional spanning-tree features on the Catalyst 2928 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 366: Understanding Port Fast

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 367: Understanding BPDU Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 368 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 369: Understanding BackboneFast

    (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the configured maximum aging time specified by the spanning-tree vlan vlan-id max-age global configuration command.
  • Page 370 Switch B to Switch A. The root-switch election takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 18-6 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
  • Page 371: Understanding Etherchannel Guard

    If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state and displays an error message. You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.
  • Page 372: Understanding Root Guard

    (Figure label: Desired root switch.) Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
  • Page 373: Understanding Loop Guard

    Default optional spanning-tree configuration:
    • Port Fast, BPDU filtering, BPDU guard: globally disabled (unless they are individually configured per interface).
    • UplinkFast: globally disabled.
    • BackboneFast: globally disabled.
    • EtherChannel guard: globally enabled.
    • Root guard: disabled on all interfaces.
    • Loop guard: disabled on all interfaces.
  • Page 374: Optional Spanning-Tree Configuration Guidelines

    By default, Port Fast is disabled on all interfaces. Step 4: Return to privileged EXEC mode. Step 5: show spanning-tree interface interface-id portfast. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 375: Enabling Bpdu Guard

    Enable the Port Fast feature. Step 5: Return to privileged EXEC mode. Step 6: show running-config. Verify your entries. Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 376: Enabling Bpdu Filtering

    To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
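The interaction of Port Fast, BPDU guard, BPDU filtering and root guard described on pages 366 to 376 is easier to follow in a small model. The Python below is an added example written for this page, not code from the guide or from Cisco IOS. It models the precedence the guide states (an interface-level enable or disable overrides the global `default` command, which itself applies only to Port Fast ports) and the per-VLAN err-disable option; the order in which the checks are applied, the bridge-ID representation and the timer-less root-guard handling are simplifying assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Bpdu:
    """Only the fields needed to compare root claims (lower bridge ID wins)."""
    vlan: int
    root_priority: int
    root_mac: str

    @property
    def root_id(self):
        return (self.root_priority, self.root_mac)


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: Optional[bool] = None    # None: inherit "spanning-tree portfast bpduguard default"
    bpdufilter: Optional[bool] = None   # None: inherit "spanning-tree portfast bpdufilter default"
    rootguard: bool = False             # "spanning-tree guard root"
    errdisabled: bool = False
    errdisabled_vlans: set = field(default_factory=set)
    root_inconsistent: set = field(default_factory=set)


class Switch:
    def __init__(self, mac, priority=32768, bpduguard_default=False,
                 bpdufilter_default=False, errdisable_per_vlan=False):
        self.own_id = (priority, mac)
        self.bpduguard_default = bpduguard_default
        self.bpdufilter_default = bpdufilter_default
        self.errdisable_per_vlan = errdisable_per_vlan  # "errdisable detect cause bpduguard shutdown vlan"
        self.root_by_vlan = {}                          # vlan -> bridge ID currently believed to be root
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def root(self, vlan):
        return self.root_by_vlan.get(vlan, self.own_id)

    @staticmethod
    def _effective(port, per_port, global_default):
        # An interface-level enable/disable always wins; the global default
        # covers only ports that are operationally Port Fast.
        if per_port is not None:
            return per_port
        return port.portfast and global_default

    def receive_bpdu(self, port_name, bpdu):
        p = self.ports[port_name]
        if p.errdisabled or bpdu.vlan in p.errdisabled_vlans:
            return "dropped-errdisabled"
        if p.bpdufilter is True:
            # interface-level filtering: the port neither sends nor processes BPDUs
            return "ignored-bpdufilter"
        if self._effective(p, p.bpduguard, self.bpduguard_default):
            if self.errdisable_per_vlan:
                p.errdisabled_vlans.add(bpdu.vlan)   # only the offending VLAN is shut down
            else:
                p.errdisabled = True                 # the whole port goes err-disabled
            return "errdisabled-bpduguard"
        if self._effective(p, p.bpdufilter, self.bpdufilter_default):
            p.portfast = False   # global filtering: a received BPDU ends Port Fast (and filtering)
        if p.rootguard and bpdu.root_id < self.root(bpdu.vlan):
            # superior BPDU on a root-guarded port: block the port, keep the current root
            p.root_inconsistent.add(bpdu.vlan)
            return "root-inconsistent"
        if bpdu.root_id < self.root(bpdu.vlan):
            self.root_by_vlan[bpdu.vlan] = bpdu.root_id   # normal STP: follow the better root
        return "processed"
```

Usage: configure the switch with `bpduguard_default=True` and `errdisable_per_vlan=True`, add a Port Fast access port and a root-guarded uplink, and feed each a constructed `Bpdu`; the access port ends up err-disabled for that VLAN only, and the uplink refuses the superior root claim without changing the root it already knows.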
  • Page 377: Enabling Uplinkfast For Use With Redundant Links

    If you use BackboneFast, you must enable it on all switches in the network. Note: BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.
  • Page 378: Enabling Etherchannel Guard

    ...EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
  • Page 379: Enabling Root Guard

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Step 1: show spanning-tree active (or show spanning-tree mst). Verify which interfaces are alternate or root ports. Step 2: configure terminal. Enter global configuration mode.
  • Page 380: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 381: Understanding Dhcp Snooping

    Chapter 19, Configuring DHCP Features and IP Source Guard Features. This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2928 switch. It also describes how to configure the IP source guard feature. Note: To use the IP source guard feature, the switch must be running the LAN Base image.
  • Page 382: Dhcp Server

    For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
  • Page 383

    The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
  • Page 384: Option-82 Data Insertion

    • If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
    • The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
  • Page 385

    The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
  • Page 386

    – The length values are variable, depending on the length of the string that you configure.
    • Remote-ID suboption fields:
    – The remote-ID type is 1.
    – The length values are variable, depending on the length of the string that you configure.
  • Page 387: Dhcp Snooping Binding Database

    If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
  • Page 388: Configuring Dhcp Snooping

    • Enabling DHCP Snooping and Option 82, page 19-11
    • Enabling the DHCP Snooping Binding Database Agent, page 19-12
    Default DHCP Snooping Configuration: Table 19-1 shows the default DHCP snooping configuration.
  • Page 389: Dhcp Snooping Configuration Guidelines

    DHCP snooping MAC address verification: Enabled. DHCP snooping binding database agent: Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured. Footnote 1: The switch responds to DHCP requests only if it is configured as a DHCP server.
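Pages 384 to 389 describe option-82 insertion, the trusted-port rule for the link to the aggregation switch, and the MAC-address verification that is on by default. The Python below is an added example, not code from the guide or from the switch. It builds and parses the circuit-ID and remote-ID suboptions in the layout the guide gives (inner type 0 with fixed lengths for the default format, inner type 1 with a variable length when a `remote-id string` is configured) and applies the port-trust, MAC-verification and option-82 rules to a constructed DHCP message. The `DhcpMessage` model, the `allow_untrusted` parameter name, and the choice to insert option 82 only into requests arriving on untrusted ports are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_option82(vlan: int, module: int, port: int, switch_mac: str,
                   remote_id_string: Optional[str] = None) -> bytes:
    """Option-82 payload (suboptions only) in the switch's default format."""
    # Circuit-ID suboption (1): inner type 0, length 4 = VLAN(2) module(1) port(1)
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    sub1 = bytes([1, len(circuit)]) + circuit
    if remote_id_string is None:
        remote = bytes([0, 6]) + mac_bytes(switch_mac)     # inner type 0, length 6 = switch MAC
    else:
        s = remote_id_string.encode("ascii")              # "... format remote-id string":
        remote = bytes([1, len(s)]) + s                    # inner type 1, variable length
    sub2 = bytes([2, len(remote)]) + remote
    return sub1 + sub2


def parse_option82(payload: bytes) -> dict:
    out, i = {}, 0
    while i < len(payload):
        sub, ln = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + ln]
        if len(body) != ln or ln < 2 or body[1] != ln - 2:
            raise ValueError("malformed option-82 suboption")
        inner_type, value = body[0], body[2:]
        if sub == 1 and inner_type == 0:
            vlan, module, port = struct.unpack("!HBB", value)
            out["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        elif sub == 2 and inner_type == 0:
            out["remote_id"] = value.hex()
        elif sub == 2 and inner_type == 1:
            out["remote_id"] = value.decode("ascii")
        else:
            out[f"suboption{sub}"] = value
        i += 2 + ln
    return out


@dataclass
class DhcpMessage:
    op: int
    src_mac: str                       # Ethernet source address
    chaddr: str                        # client hardware address in the DHCP header
    giaddr: str = "0.0.0.0"
    options: dict = field(default_factory=dict)   # option code -> payload


def snoop(msg: DhcpMessage, trusted: bool, vlan: int, module: int, port: int,
          switch_mac: str, relay_ip: Optional[str] = None,
          allow_untrusted: bool = False, verify_mac: bool = True) -> Tuple[str, str]:
    """DHCP snooping decision for one message received on one port."""
    if not trusted:
        if msg.op == BOOTREPLY:
            return "drop", "server reply on untrusted port"          # rogue DHCP server
        if verify_mac and msg.src_mac.lower() != msg.chaddr.lower():
            return "drop", "chaddr does not match source MAC"         # spoofed client
        if 82 in msg.options and msg.giaddr == "0.0.0.0" and not allow_untrusted:
            return "drop", "option 82 with giaddr 0 on untrusted port"
        if msg.op == BOOTREQUEST and 82 not in msg.options:
            msg.options[82] = build_option82(vlan, module, port, switch_mac)
            if relay_ip:
                msg.giaddr = relay_ip     # relay agent address, when one is configured
    return "forward", "ok"
```

The drop of a reply on an untrusted port is what stops a rogue DHCP server on an access port; the third check is why an aggregation switch that receives already-tagged requests from an edge switch needs either a trusted port or `ip dhcp snooping information option allow-untrusted`.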
  • Page 390: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
  • Page 391: Enabling Dhcp Snooping And Option 82

    Step 11: Return to privileged EXEC mode. Step 12: show running-config. Verify your entries. Step 13: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 392: Enabling The Dhcp Snooping Binding Database Agent

    The vlan-id range is from 1 to 4094. With the interface interface-id expiry seconds keywords, the seconds range is from 1 to 4294967295. Enter this command for each entry that you add. Note: Use this command when you are testing or debugging the switch.
  • Page 393: Displaying Dhcp Snooping Information

    ...DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
  • Page 394: Source Ip Address Filtering

    ...IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets. The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
  • Page 395: Ip Source Guard For Static Hosts

    • IP Source Guard Configuration Guidelines, page 19-16
    • Enabling IP Source Guard, page 19-16
    • Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port, page 19-18
  • Page 396: Default Ip Source Guard Configuration

    Enabling IP Source Guard. Begin in privileged EXEC mode. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
  • Page 397

    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip verify source port-security
    Switch(config-if)# exit
    Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/1
    Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/1
    Switch(config)# end
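The binding-table lookup that IP source guard performs (pages 393 and 394) and the static `ip source binding` entries in the page 397 example can be exercised together. The Python below is an added example, illustrative code rather than the switch's implementation: bindings learned from DHCP and configured statically share one table, and the filter runs in the two modes the guide names, `ip verify source` (source IP only) and `ip verify source port-security` (source IP and MAC). The frame model and the treatment of non-IP frames as exempt in IP-only mode are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    static: bool = False   # "ip source binding ..." vs. learned by DHCP snooping


class BindingTable:
    """DHCP snooping binding database keyed by (MAC, VLAN)."""

    def __init__(self):
        self._rows = {}

    def learn_from_dhcp_ack(self, client_mac, ip, vlan, interface):
        # Called only for DHCPACKs that arrived on a trusted port; snooping
        # has already dropped server replies from untrusted ports.
        self._rows[(client_mac, vlan)] = Binding(client_mac, ip, vlan, interface)

    def add_static(self, mac, vlan, ip, interface):
        self._rows[(mac, vlan)] = Binding(mac, ip, vlan, interface, static=True)

    def release(self, mac, vlan):
        # DHCPRELEASE or lease expiry removes a dynamic binding; static ones stay
        b = self._rows.get((mac, vlan))
        if b is not None and not b.static:
            del self._rows[(mac, vlan)]

    def on_interface(self, interface, vlan):
        return [b for b in self._rows.values()
                if b.interface == interface and b.vlan == vlan]


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int                 # 0x0800 IPv4, 0x0806 ARP, ...
    src_ip: Optional[str] = None
    is_dhcp: bool = False


def ip_source_guard(frame, interface, vlan, table, check_mac=False):
    """Per-port filter built from the bindings.

    check_mac=False: "ip verify source"               (source IP only)
    check_mac=True:  "ip verify source port-security" (source IP and MAC)
    """
    if frame.is_dhcp:
        return True          # DHCP must pass or the host can never obtain a binding
    bindings = table.on_interface(interface, vlan)
    if not check_mac:
        if frame.ethertype != 0x0800:
            return True      # IP-only mode leaves non-IP traffic alone (assumption)
        return any(b.ip == frame.src_ip for b in bindings)
    for b in bindings:
        if b.mac == frame.src_mac and (frame.ethertype != 0x0800 or b.ip == frame.src_ip):
            return True
    return False             # every other IP or non-IP packet is dropped
```

A host that keeps its lease but forges a different source address is dropped in either mode; only the IP-and-MAC mode also stops a host that forges its MAC address to borrow a neighbour's binding.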
  • Page 398: Configuring Ip Source Guard For Static Hosts On A Layer 2 Access Port

    (Optional) Activate port security for this port. Step 9: switchport port-security maximum value. (Optional) Set the maximum number of MAC addresses for this port. Step 10: Return to privileged EXEC mode.
  • Page 399

    Switch(config)# interface gigabitethernet 0/3
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 1
    Switch(config-if)# ip device tracking maximum 5
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 5
    Switch(config-if)# ip verify source tracking port-security
    Switch(config-if)# end
  • Page 400

    ...GigabitEthernet 0/1 are marked as inactive.
    Switch# show ip device tracking all inactive
    IP Device Tracking = Enabled
    IP Device Tracking Probe Count = 3
    IP Device Tracking Probe Interval = 30
    ---------------------------------------------------------------------
  • Page 401: Displaying Ip Source Guard Information

    ...DHCP would offer the same IP address to the replacement device. Control, monitoring, and other software expect a stable IP address associated with each device. If a device is replaced, the address assignment should remain stable even though the DHCP client has changed.
  • Page 402: Configuring Dhcp Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 403: Enabling Dhcp Server Port-Based Address Allocation

    ...DHCP address pool. Step 4: address ip-address client-id string [ascii]. Reserve an IP address for a DHCP client identified by the interface name. string can be an ASCII value or a hexadecimal value.
  • Page 404

    1 subnet is currently in the pool:
    Current index    IP address range           Leased/Excluded/Total
    10.1.1.1         10.1.1.1 - 10.1.1.254      / 4 / 254
    1 reserved address is currently in the pool
    Address      Client
    10.1.1.7     Et1/0
  • Page 405: Displaying Dhcp Server Port-Based Address Allocation

    Displaying DHCP Server Port-Based Address Allocation For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 407: Chapter 20 Configuring Dynamic Arp Inspection

    This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 2928 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
  • Page 408

    ...MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 20-11.
  • Page 409: Interface Trust States And Network Security

    However, to validate the bindings of packets from switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, at Layer 3, isolate switches...
  • Page 410: Rate Limiting Of Arp Packets

    You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the “Configuring the Log Buffer” section on page 20-12.
  • Page 411: Configuring Dynamic Arp Inspection

    Log buffer defaults: the number of entries in the log is 32; the number of system messages is limited to 5 per second; the logging-rate interval is 1 second. Per-VLAN logging: all denied or dropped ARP packets are logged.
  • Page 412: Dynamic Arp Inspection Configuration Guidelines

    ...VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. Because the error-disabled state applies to the whole port rather than to a single VLAN, a high rate limit on one VLAN can cause a denial of service to the other VLANs on that port when the software places the port in the error-disabled state.
  • Page 413: Configuring Dynamic Arp Inspection In Dhcp Environments

    ...VLANs separated by a comma. The range is 1 to 4094. Specify the same VLAN ID for both switches. Step 4: interface interface-id. Specify the interface connected to the other switch, and enter interface configuration mode.
  • Page 414: Configuring Arp Acls For Non-Dhcp Environments

    ...VLAN 1. If the IP address of Host 2 is not static (so it is impossible to apply the ACL configuration on Switch A), you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
  • Page 415

    ...ACL. Packets are permitted only if the access list permits them. Step 6: interface interface-id. Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
  • Page 416: Limiting The Rate Of Incoming Arp Packets

    After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 417: Performing Validation Checks

    Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
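Pages 414 to 417 describe three inspection stages for an untrusted port: ARP ACLs for hosts that have no DHCP binding, the per-port rate limit, and the optional `validate` checks. The Python below is an added example, not code from the guide, that puts them together for one packet. An ARP ACL is consulted first (a `static` filter has no fallback to the snooping bindings), the sender IP/MAC pair is then matched against the binding table, and the `src-mac`, `dst-mac` and `ip` checks follow the semantics Cisco documents for those keywords, which this page only names: the source MAC is compared on requests and replies, the destination MAC and target IP only on replies, and 0.0.0.0, 255.255.255.255 and multicast addresses count as invalid. The order of the stages, the `ArpPacket` model and the windowed packet counter that stands in for the rate limiter are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    op: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpAcl:
    """arp access-list NAME with 'permit ip host IP mac host MAC' entries;
    static=True mirrors 'ip arp inspection filter NAME vlan V static'."""
    name: str
    permits: set        # {(ip, mac)}
    static: bool = False


def _invalid_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def validate(pkt, src_mac=False, dst_mac=False, ip=False):
    """ip arp inspection validate {[src-mac] [dst-mac] [ip]}; returns a reason or None."""
    if src_mac and pkt.eth_src != pkt.sender_mac:
        return "src-mac mismatch"                 # requests and replies
    if dst_mac and pkt.op == ARP_REPLY and pkt.eth_dst != pkt.target_mac:
        return "dst-mac mismatch"                 # replies only
    if ip:
        if _invalid_ip(pkt.sender_ip):
            return "invalid sender IP"            # requests and replies
        if pkt.op == ARP_REPLY and _invalid_ip(pkt.target_ip):
            return "invalid target IP"            # replies only
    return None


def inspect(pkt, trusted, bindings, acl=None, checks=None):
    """Decision for one ARP packet. bindings: {(vlan, mac): ip} from DHCP snooping."""
    if trusted:
        return "forward", "trusted interface, not inspected"
    reason = validate(pkt, **(checks or {}))
    if reason:
        return "drop", reason
    if acl is not None:
        if (pkt.sender_ip, pkt.sender_mac) in acl.permits:
            return "forward", f"permitted by ARP ACL {acl.name}"
        if acl.static:
            return "drop", f"implicit deny in ARP ACL {acl.name} (static)"
        # non-static ACL: no match falls through to the snooping bindings
    if bindings.get((pkt.vlan, pkt.sender_mac)) == pkt.sender_ip:
        return "forward", "matches DHCP snooping binding"
    return "drop", "no binding for sender IP/MAC"


class ArpRateLimiter:
    """ip arp inspection limit rate PPS [burst interval SECONDS] (defaults 15 pps, 1 s);
    exceeding the limit err-disables the port."""

    def __init__(self, pps=15, burst=1):
        self.pps, self.burst = pps, burst
        self.window_start, self.count = None, 0
        self.errdisabled = False

    def accept(self, t):
        if self.errdisabled:
            return False
        if self.window_start is None or t - self.window_start >= self.burst:
            self.window_start, self.count = t, 0
        self.count += 1
        if self.count > self.pps * self.burst:
            self.errdisabled = True     # cleared by errdisable recovery or shutdown/no shutdown
            return False
        return True
```

The gratuitous-reply case is the one to try first: a host with a valid binding for 10.0.0.1 claiming 10.0.0.254 (the gateway) is dropped by the binding check alone, and is only forwarded when an ARP ACL explicitly permits that pair.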
  • Page 418: Configuring The Log Buffer

    A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
  • Page 419

    The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
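Pages 418 and 419 explain that the log buffer merges packets with identical ARP parameters into one entry and that `logs X interval Y` throttles system messages to X per Y seconds. The Python below is an added example, not the switch's code: it keeps an ordered buffer (32 entries by default), aggregates duplicates into one entry with a packet count, and throttles message generation per interval. The eviction policy when the buffer is full (oldest entry first) and the message text are assumptions of the example.

```python
from collections import OrderedDict


class DaiLogBuffer:
    """Model of the dynamic ARP inspection log buffer and its syslog throttle.

    entries:        "ip arp inspection log-buffer entries N"            (default 32)
    logs, interval: "ip arp inspection log-buffer logs X interval Y"    (default 5, 1)
    """

    def __init__(self, entries=32, logs=5, interval=1):
        self.entries, self.logs, self.interval = entries, logs, interval
        self._buf = OrderedDict()   # (vlan, interface, arp_fields) -> packets represented
        self.syslog = []            # messages that were actually emitted
        self._window_start = None
        self._sent_in_window = 0

    def message_rate(self):
        """Sustained messages per second: X/Y when X > Y, i.e. one every Y/X seconds."""
        return self.logs / self.interval

    def record(self, t, vlan, interface, arp_fields, reason):
        """Log one denied packet; return True when a system message is generated."""
        key = (vlan, interface, arp_fields)
        if key in self._buf:
            self._buf[key] += 1     # same VLAN and ARP parameters: one entry, no new message
            return False
        if len(self._buf) >= self.entries:
            self._buf.popitem(last=False)   # buffer full: oldest entry overwritten (assumption)
        self._buf[key] = 1
        if self._window_start is None or t - self._window_start >= self.interval:
            self._window_start, self._sent_in_window = t, 0
        if self._sent_in_window >= self.logs:
            return False            # throttled: the entry is kept, the message is not sent
        self._sent_in_window += 1
        # Constructed message text; the real switch uses its own syslog format.
        self.syslog.append(f"DAI denied ARP on {interface} vlan {vlan}: {reason} {arp_fields}")
        return True

    def entries_in_buffer(self):
        """show ip arp inspection log (entry key, packets represented)."""
        return list(self._buf.items())

    def clear(self):
        """clear ip arp inspection log"""
        self._buf.clear()
```

With the defaults (5 logs per 1-second interval) a flood of distinct forged ARP packets produces at most five messages a second while every distinct packet still lands in the buffer until it is overwritten, which is why `show ip arp inspection log` is the place to look after an incident rather than the syslog alone.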
  • Page 420: Displaying Dynamic Arp Inspection Information

    Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
  • Page 421

    Clears the dynamic ARP inspection log buffer. show ip arp inspection log: Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
  • Page 423: Chapter 21 Configuring Igmp Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 424: Igmp Versions

    ...IGMP snooping feature on IGMPv2 or IGMPv1 hosts. Note: IGMPv3 join and leave messages are not supported on switches running IGMP filtering.
  • Page 425: Joining A Multicast Group

    ...Table 21-1, that includes the port numbers connected to Host 1 and the router.
    Table 21-1 IGMP Snooping Forwarding Table
    Destination Address    Type of Packet    Ports
    224.1.2.3              IGMP              1, 2
  • Page 426: Leaving A Multicast Group

    If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.
  • Page 427: Immediate Leave

    ...IGMPv2, and IGMPv3 reports for a group to the multicast devices. If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 21-14.
  • Page 428: Configuring Igmp Snooping

    ...VLANs, but can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.
  • Page 429: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 430: Configuring A Multicast Router Port

    • The VLAN ID range is 1 to 1001 and 1006 to 4094.
    • The interface can be a physical interface or a port channel.
    • The port-channel range is 1 to 6.
    Step 3: Return to privileged EXEC mode.
  • Page 431: Configuring A Host Statically To Join A Group

    When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
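The join and leave processing on pages 425 to 431 (a forwarding table per group, router ports added to every group, report suppression toward the router, and Immediate Leave versus the last-member query) is modelled below in an added Python example that is not code from the guide. Time is passed in explicitly so the last-member-query timeout can be exercised; keeping one outstanding query per (group, port) and the timer value are the example's own assumptions.

```python
class IgmpSnoopingVlan:
    """IGMP snooping state for one VLAN: group -> member ports, plus mrouter ports."""

    def __init__(self, vlan, mrouter_ports=(), immediate_leave=False,
                 last_member_query_interval=1.0):
        self.vlan = vlan
        self.mrouter_ports = set(mrouter_ports)   # ip igmp snooping vlan N mrouter interface ...
        self.immediate_leave = immediate_leave     # ip igmp snooping vlan N immediate-leave
        self.lmqi = last_member_query_interval     # ip igmp snooping vlan N last-member-query-interval
        self.groups = {}                           # group -> set(ports)
        self._pending = {}                         # (group, port) -> deadline of the group-specific query

    def report(self, group, port, t):
        """Membership report from a host on `port`. Returns True if the report is forwarded
        to the router: with report suppression only the first report per group goes up."""
        self._pending.pop((group, port), None)     # a report answers an outstanding query
        members = self.groups.setdefault(group, set())
        first = not members
        members.add(port)
        return first

    def leave(self, group, port, t):
        """IGMPv2 leave from a host on `port`."""
        if port not in self.groups.get(group, ()):
            return
        if self.immediate_leave:
            self._remove(group, port)              # no query: safe only with one host per port
        else:
            self._pending[(group, port)] = t + self.lmqi   # send a group-specific query and wait

    def tick(self, t):
        """Expire ports whose group-specific query went unanswered."""
        for (group, port), deadline in list(self._pending.items()):
            if t >= deadline:
                del self._pending[(group, port)]
                self._remove(group, port)

    def _remove(self, group, port):
        members = self.groups.get(group)
        if members:
            members.discard(port)
            if not members:
                del self.groups[group]   # last member gone: the switch stops forwarding the group

    def forwarding_ports(self, group):
        """Ports a multicast frame for `group` is sent to (members plus router ports)."""
        return self.groups.get(group, set()) | self.mrouter_ports
```

The last assertion below is the caveat from the guide made concrete: with Immediate Leave, a leave from one host drops the port even if another receiver on the same port still wants the stream, which the query-based path would have detected.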
  • Page 432: Configuring The Igmp Leave Timer

    (Optional) Configure the IGMP leave time on the VLAN interface. The last-member-query-interval time range is 100 to 5000 milliseconds. Note: Configuring the leave time on a VLAN overrides the globally configured timer. Step 4: Return to privileged EXEC mode.
  • Page 433: Configuring Tcn-Related Commands

    (Optional) Save your entries in the configuration file. To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.
  • Page 434: Recovering From Flood Mode

    Verify the TCN settings. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
  • Page 435: Configuring The Igmp Snooping Querier

    (Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094. Step 10: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 436: Disabling Igmp Report Suppression

    You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping.
  • Page 437

    ...IGMP query message in the VLAN and the configuration and operational state of the IGMP snooping querier in the VLAN. For more information about the keywords and options in these commands, see the command reference for this release.
  • Page 438: Configuring Igmp Filtering And Throttling

    Default IGMP Filtering and Throttling Configuration. Table 21-5 shows the default IGMP filtering configuration.
    Table 21-5 Default IGMP Filtering Configuration
    Feature                                  Default Setting
    IGMP filters                             None applied
    IGMP maximum number of IGMP groups       No maximum set
  • Page 439: Configuring Igmp Profiles

    Step 5: Return to privileged EXEC mode. Step 6: show ip igmp profile profile-number. Verify the profile configuration. Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 440: Applying Igmp Profiles

    To remove a profile from an interface, use the no ip igmp filter profile-number interface configuration command. This example shows how to apply IGMP profile 4 to a port:
    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# ip igmp filter 4
    Switch(config-if)# end
  • Page 441: Setting The Maximum Number Of Igmp Groups

    • ...to an EtherChannel port group.
    • When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
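Pages 438 to 441 cover IGMP profiles and the per-port group maximum. The Python below is an added example, not the guide's code. The profile semantics (a permit profile admits only the listed ranges; a deny profile admits everything except them) and the deny/replace actions follow the guide, as does the rule that the action has no effect without a configured maximum. The page does not say which existing group the switch evicts under `replace`, so this model evicts the oldest and labels that as an assumption.

```python
import ipaddress


class IgmpProfile:
    """ip igmp profile N  { permit | deny }  range LOW [HIGH] ..."""

    def __init__(self, number, action="deny", ranges=()):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.number, self.action = number, action
        self.ranges = [(int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
                       for lo, hi in ranges]

    def allows(self, group):
        g = int(ipaddress.ip_address(group))
        matched = any(lo <= g <= hi for lo, hi in self.ranges)
        # a permit profile admits only the listed ranges; a deny profile admits everything else
        return matched if self.action == "permit" else not matched


class IgmpFilteredPort:
    """Layer 2 port with 'ip igmp filter N' and 'ip igmp max-groups N [action deny|replace]'."""

    def __init__(self, name, profile=None, max_groups=None, action="deny"):
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups = []          # joined groups in join order

    def join(self, group):
        """Process a membership report for `group` received on this port."""
        if self.profile is not None and not self.profile.allows(group):
            return "dropped-by-profile"      # the report is dropped; the port never joins
        if group in self.groups:
            return "refreshed"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped-max-groups"  # without a configured maximum this branch is never reached
            evicted = self.groups.pop(0)     # replace: one existing group makes room for the new one
            self.groups.append(group)        # (this model evicts the oldest; the switch picks one itself)
            return f"replaced {evicted}"
        self.groups.append(group)
        return "joined"

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)
```

A deny profile over a range such as 224.1.0.0 to 224.1.255.255 keeps an access port out of that block while leaving all other groups alone; the `max-groups` limit is the throttle that bounds how much forwarding-table state a single port can consume.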
  • Page 442: Displaying Igmp Filtering And Throttling Configuration

    You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 443

    ...[interface interface-id]: Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 445: Configuring Storm Control

    Chapter 22, Configuring Port-Based Traffic Control. This chapter describes how to configure the port-based traffic control features on the Catalyst 2928 switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 446

    Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 22-1 shows broadcast traffic patterns on an interface over a given period of time.
  • Page 447: Default Storm Control Configuration

    Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
  • Page 448

    • Select the shutdown keyword to error-disable the port during a storm.
    • Select the trap keyword to generate an SNMP trap when a storm is detected.
    Step 5: Return to privileged EXEC mode.
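The storm-control behaviour on pages 446 to 448 (traffic of one type is blocked once its level reaches the rising threshold and stays blocked until the level falls below the falling threshold; `shutdown` err-disables the port instead, `trap` raises an SNMP trap when a storm is detected; control frames such as BPDU and CDP are never blocked by multicast suppression) as an added Python model, not switch code. The model takes an already-measured level for each one-second interval, which is an assumption about the measurement the switch performs, and represents the trap only as a recorded event.

```python
class StormControl:
    """One traffic type (broadcast, multicast or unicast) on one port.

    storm-control <type> level RISING [FALLING]   -> thresholds as percent of bandwidth
    storm-control action {shutdown | trap}        -> instead of / in addition to filtering
    """

    def __init__(self, rising, falling=None, action=None):
        if falling is None:
            falling = rising          # default: the falling threshold equals the rising one
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.action = rising, falling, action
        self.suppressing = False
        self.errdisabled = False
        self.traps = []

    def interval(self, t, level):
        """Feed the level measured over the one-second interval ending at `t`.
        Returns what happens to this traffic type in the next interval."""
        if self.errdisabled:
            return "errdisabled"
        if not self.suppressing and level >= self.rising:
            if self.action == "shutdown":
                self.errdisabled = True      # port is err-disabled: all traffic stops
                return "errdisabled"
            self.suppressing = True          # storm: drop this traffic type
            if self.action == "trap":
                self.traps.append((t, level))   # SNMP trap when the storm is detected
        elif self.suppressing and level < self.falling:
            self.suppressing = False         # storm over: forward again
        return "blocked" if self.suppressing else "forwarding"

    def passes(self, frame_kind):
        """Whether a frame of this type is forwarded right now; control frames
        (BPDU, CDP) pass even while multicast is suppressed."""
        if self.errdisabled:
            return False
        if frame_kind in ("bpdu", "cdp"):
            return True
        return not self.suppressing
```

The hysteresis is the point to notice: with `level 20 10`, a port that settles at 15 percent after a burst stays blocked, so a falling threshold well below the rising one keeps a flapping source from oscillating the port every second.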
  • Page 449: Configuring Small-Frame Arrival Rate

    (Optional) Configure the recovery time for error-disabled ports to be automatically re-enabled after they are error-disabled by the arrival of small frames. Step 5: interface interface-id. Enter interface configuration mode, and specify the interface to be configured.
  • Page 450: Configuring Protected Ports

    You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
  • Page 451: Configuring A Protected Port

    The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
  • Page 452: Configuring Port Security

    • Understanding Port Security, page 22-9
    • Default Port Security Configuration, page 22-11
    • Port Security Configuration Guidelines, page 22-11
    • Enabling and Configuring Port Security, page 22-12
    • Enabling and Configuring Port Security Aging, page 22-17
  • Page 453: Understanding Port Security

    ...MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
  • Page 454: Security Violations

    Footnotes: 1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. 2. The switch returns an error message if you manually configure an address that would cause a security violation. 3. Shuts down only the VLAN on which the violation occurred.
  • Page 455: Default Port Security Configuration

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 456: Enabling And Configuring Port Security

    ...(dynamic auto) cannot be configured as a secure port. Step 4: switchport voice vlan vlan-id. Enable voice VLAN on a port; vlan-id specifies the VLAN to be used for voice traffic. Step 5: switchport port-security. Enable port security on the interface.
  • Page 457

    The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 458

    You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
  • Page 459

    ...VLAN. Step 11: Return to privileged EXEC mode. Step 12: show port-security. Verify your entries. Step 13: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 460

    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport voice vlan 22
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 20
    Switch(config-if)# switchport port-security violation restrict
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
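Pages 453 to 460 describe port security: a per-port maximum of secure MAC addresses (one for a Cisco IP phone on the voice VLAN plus one per PC behind it), sticky learning, and the protect, restrict and shutdown violation modes with the per-VLAN shutdown variant. The Python below is an added example, not code from the guide, modelling those rules; the SNMP trap and syslog that restrict mode sends are represented only by the violation counter, and the model does not cover secure-address aging.

```python
class PortSecurity:
    """switchport port-security [maximum N] [violation protect|restrict|shutdown [vlan]]
    [mac-address sticky], modelled for one port."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, shutdown_vlan_only=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.shutdown_vlan_only = shutdown_vlan_only   # "violation shutdown vlan"
        self.secure = {}              # (mac, vlan) -> "static" | "sticky" | "dynamic"
        self.violations = 0           # SecurityViolation counter (restrict mode)
        self.errdisabled = False
        self.errdisabled_vlans = set()

    def add_static(self, mac, vlan):
        """switchport port-security mac-address MAC [vlan {access|voice}]"""
        if (mac, vlan) not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("would exceed the configured maximum")  # the switch rejects the command
        self.secure[(mac, vlan)] = "static"

    def ingress(self, src_mac, vlan):
        """Frame with source `src_mac` arriving on this port in `vlan`."""
        key = (src_mac, vlan)
        if self.errdisabled or vlan in self.errdisabled_vlans:
            return "dropped-errdisabled"
        if key in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # learned address; sticky ones are written to the running configuration
            self.secure[key] = "sticky" if self.sticky else "dynamic"
            return "forward-learned"
        # maximum reached and the source is not a secure address: violation
        if self.violation == "protect":
            return "dropped"                         # silently, until a secure address is removed
        if self.violation == "restrict":
            self.violations += 1                     # counter increments; trap and syslog are sent
            return "dropped-counted"
        if self.shutdown_vlan_only:
            self.errdisabled_vlans.add(vlan)         # only the offending VLAN
        else:
            self.errdisabled = True                  # whole port err-disabled
        return "errdisabled"

    def sticky_addresses(self):
        """Addresses that 'switchport port-security mac-address sticky MAC' lines would record."""
        return [k for k, kind in self.secure.items() if kind == "sticky"]

    def recover(self):
        """shutdown / no shutdown, or clear errdisable interface ... vlan"""
        self.errdisabled = False
        self.errdisabled_vlans.clear()
```

Note that the maximum counts the phone's address on the voice VLAN and the PC's address on the access VLAN together, which is why the guide asks for a maximum of two on a phone port; restrict is usually the better default for such ports because an unexpected second device is counted and reported rather than taking the phone down with it.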
  • Page 461: Enabling And Configuring Port Security Aging

    Step 4: Return to privileged EXEC mode. Step 5: show port-security [interface interface-id] [address]. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 462: Displaying Port-Based Traffic Control Settings

    show port-security [interface interface-id] address: Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address. show port-security interface interface-id vlan: Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 463: Chapter 23 Configuring Cdp

    Understanding CDP. CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 464: Configuring Cdp

    Enter global configuration mode. Step 2 cdp timer seconds (Optional) Set the transmission frequency of CDP updates in seconds. The range is 5 to 254; the default is 60 seconds. Catalyst 2928 Switch Software Configuration Guide 23-2 OL-23389-01...
  • Page 465: Disabling And Enabling Cdp

    Disabling and Enabling CDP CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 5, “Clustering Switches.”...
  • Page 466: Disabling And Enabling Cdp On An Interface

    (Optional) Save your entries in the configuration file. This example shows how to enable CDP on a port when it has been disabled. Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# cdp enable Switch(config-if)# end
  • Page 467: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 469: Chapter 24 Configuring Lldp And Lldp-Med

    Understanding LLDP and LLDP-MED LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 470: Lldp-Med

    Provides location information from the switch to the endpoint device. The location TLV can send this information: Civic location information – Provides the civic address information and postal information. Examples of civic location information are street address, road name, and postal community name information.
  • Page 471: Configuring Lldp And Lldp-Med

    This way the interface has the voice or voice-signaling VLAN network-policy profile applied on the interface. • You cannot configure static secure MAC addresses on an interface that has a network-policy profile.
  • Page 472: Enabling Lldp

    You can also select the LLDP and LLDP-MED TLVs to send and receive. Beginning in privileged EXEC mode, follow these steps to configure these characteristics: Note Steps 2 through 5 are all optional and can be performed in any order.
  • Page 473: Configuring Lldp-Med Tlvs

    By using the lldp interface configuration command, you can configure the interface not to send the TLVs listed in Table 24-2. Table 24-2 LLDP-MED TLVs LLDP-MED TLV Description inventory-management LLDP-MED inventory management TLV location LLDP-MED location TLV
  • Page 474: Configuring Network-Policy Tlv

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 network-policy profile profile-number Specify the network-policy profile number, and enter network-policy configuration mode. The range is 1 to 4294967295.
  • Page 475 Switch(config-if)# lldp med-tlv-select network-policy This example shows how to configure the voice application type for the native VLAN with priority tagging: Switch(config-network-policy)# voice vlan dot1p cos 4 Switch(config-network-policy)# voice vlan dot1p dscp 34
  • Page 476: Monitoring And Maintaining Lldp And Lldp-Med

    Display LLDP counters, including the number of packets sent and received, number of packets discarded, and number of unrecognized TLVs. show location Display the location information for an endpoint. show network-policy profile Display the configured network-policy profiles.
  • Page 477: Chapter 25 Configuring Udld

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 478: Methods To Detect Unidirectional Links

    Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
  • Page 479: Configuring Udld

    • Default UDLD Configuration, page 25-4 • Configuration Guidelines, page 25-4 • Enabling UDLD Globally, page 25-5 • Enabling UDLD on an Interface, page 25-5 • Resetting an Interface Disabled by UDLD, page 25-6
  • Page 480: Default Udld Configuration

    • When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link. Caution Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 481: Enabling Udld Globally

    UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be enabled for UDLD, and enter interface configuration mode.
  • Page 482: Resetting An Interface Disabled By Udld

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 483: Chapter 26 Configuring Span

    Configuring SPAN This chapter describes how to configure Switched Port Analyzer (SPAN) on the Catalyst 2928 switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 484: Local Span

    • You can have multiple destination ports in a SPAN session, but no more than 64 destination ports. • You can configure two separate SPAN source sessions with separate or overlapping sets of SPAN source ports and VLANs.
  • Page 485: Monitored Traffic

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 486: Source Ports

    • You cannot use filter VLANs in the same session with VLAN sources. • You can monitor only Ethernet VLANs.
  • Page 487: Vlan Filtering

    • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored. • The maximum number of destination ports in a switch is 64.
  • Page 488: Span Interaction With Other Features

    SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination. For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding is enabled on the destination port.
  • Page 489: Configuring Span

    • Entering SPAN configuration commands does not remove previously configured SPAN parameters. • You must enter the no monitor session {session_number | all | local} global configuration command to delete configured SPAN parameters.
  • Page 490: Creating A Local Span Session

    {session_number | all | local} Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions and local to remove all local sessions.
  • Page 491 If not selected, the default is to send packets in native form (untagged). Note You can use the monitor session session_number destination command multiple times to configure multiple destination ports.
  • Page 492 VLAN 10. Switch(config)# no monitor session 2 Switch(config)# monitor session 2 source vlan 1 - 3 rx Switch(config)# monitor session 2 destination interface gigabitethernet0/2 Switch(config)# monitor session 2 source vlan 10 Switch(config)# end
  • Page 493: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 494: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 495: Displaying Span Status

    Switch(config)# end Displaying SPAN Status To display the current SPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN sessions.
  • Page 497: Chapter 27 Configuring Rmon

    Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2928 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
  • Page 498: Configuring Rmon

    • Configuring RMON Alarms and Events, page 27-3 (required) • Collecting Group History Statistics on an Interface, page 27-5 (optional) • Collecting Group Ethernet Statistics on an Interface, page 27-5 (optional)
  • Page 499: Default Rmon Configuration

    -2147483648 to 2147483647. • (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit. • (Optional) For owner string, specify the owner of the alarm.
  • Page 500 This example also generates an SNMP trap when the event is triggered. Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Page 501: Collecting Group History Statistics On An Interface

    This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which to collect statistics, and enter interface configuration mode.
  • Page 502: Displaying Rmon Status

    Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 503: Chapter 28 Configuring System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 2928 switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Understanding System Message Logging, page 28-1 •...
  • Page 504: Configuring System Message Logging

    Table 28-4 on page 28-13. severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 28-3 on page 28-9.
  • Page 505: Default System Message Logging Configuration

    Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 506: Setting The Message Display Destination Device

    Use the show memory privileged EXEC command to view the free processor memory on the switch. However, this value is the maximum available, and the buffer size should not be set to this amount.
  • Page 507: Synchronizing Log Messages

    You can also configure the maximum number of buffers for storing asynchronous messages for the terminal after which messages are dropped.
  • Page 508 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 509: Enabling And Disabling Time Stamps On Log Messages

    Enable sequence numbers. Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 510: Defining The Message Severity Level

    To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 511: Limiting Syslog Messages Sent To The History Table And To Snmp

    Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 28-3 on page 28-9 for a list of level keywords. By default, warnings, errors, critical, alerts, and emergencies messages are sent.
  • Page 512: Enabling The Configuration-Change Logger

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 513: Configuring Unix Syslog Servers

    Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.debug /usr/adm/logs/cisco.log
  • Page 514: Configuring The Unix System Logging Facility

    To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
  • Page 515: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 517: Understanding Snmp

    Catalyst 2928 switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4 from the Cisco.com page at this URL: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html •...
  • Page 518: Snmp Versions

    A combination of the security level and the security model determine which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 519: Snmp Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later.
  • Page 520: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 5, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
  • Page 521: Snmp Notifications

    2 an ifIndex value of 10003, this value is the same after the switch reboots. The switch uses one of the values in Table 29-3 to assign an ifIndex value to an interface: Table 29-3 ifIndex Values Interface Type ifIndex Range 1–4999 EtherChannel 5000–5012 Loopback 5013–5077
  • Page 522: Default Snmp Configuration

    SNMP notification type If no type is specified, all notifications are sent. 1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
  • Page 523: Snmp Configuration Guidelines

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 524: Configuring Community Strings

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything. Step 4 Return to privileged EXEC mode.
  • Page 525: Configuring Snmp Groups And Users

    • If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
  • Page 526 64 characters) that is the name of the view in which you specify a notify, inform, or trap. • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 527: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
  • Page 528 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 529 Step 4 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Configure an SNMP group.
  • Page 530 (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.
  • Page 531: Setting The Agent Contact And Location Information

    access-list-number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list. For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 532: Snmp Examples

    This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
  • Page 533: Displaying Snmp Status

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 535: Chapter 30 Configuring Network Security With Acls

    ACLs on all packets it forwards. On the Catalyst 2928 switch, you attach ACLs to VLAN interfaces to filter traffic to and from the CPU. You configure access lists to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
  • Page 536: Acl Overview

    With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
  • Page 537: Handling Fragmented And Unfragmented Traffic

    Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet Switch(config)# access-list 102 permit tcp any host 10.1.1.2 Switch(config)# access-list 102 deny tcp any any
  • Page 538: Configuring Ipv4 Acls

    ACEs were checking different hosts. Configuring IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 539: Creating Standard And Extended Ipv4 Acls

    Access List Numbers Access List Number Type Supported 1–99 IP standard access list 100–199 IP extended access list 200–299 Protocol type-code access list 300–399 DECnet access list 400–499 XNS standard access list
  • Page 540: Creating A Numbered Standard Acl

    0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard. • The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0. (Optional) The source-wildcard applies wildcard bits to the source.
  • Page 541: Creating A Numbered Extended Acl

    (ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission Control Protocol (tcp), or User Datagram Protocol (udp). Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
  • Page 542 Configuring IPv4 ACLs For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2...
  • Page 543 [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255. You can use the any keyword in place of source and destination address and wildcard.
  • Page 544 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 545 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 546: Resequencing Aces In An Acl

    permit {source [source-wildcard] | host source | any} • host source—A source and source wildcard of source 0.0.0.0. • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
  • Page 547 Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to a VLAN Interface” section on page 30-16).
  • Page 548: Using Time Ranges With Acls

    This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration. Switch(config)# time-range workhours Switch(config-time-range)# periodic weekdays 8:00 to 12:00 Switch(config-time-range)# periodic weekdays 13:00 to 17:00 Switch(config-time-range)# exit
  • Page 549: Including Comments In Acls

    Smith is not allowed access: Switch(config)# access-list 1 remark Permit only Jones workstation through Switch(config)# access-list 1 permit 171.69.2.88 Switch(config)# access-list 1 remark Do not allow Smith through Switch(config)# access-list 1 deny 171.69.3.13
  • Page 550: Applying An Ipv4 Acl To A Terminal Line

    (SNMP, Telnet, SSH, and so on). ACLs attached to VLAN interfaces do not impact the hardware switching of packets on the VLAN. • When controlling access to a VLAN interface, you can use a named or numbered ACL.
  • Page 551: Hardware And Software Treatment Of Ip Acls

    When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtain some basic hardware ACL statistics for switched packets.
  • Page 552: Troubleshooting Acls

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 553: Numbered Acls

    TCP traffic. It permits any other IP traffic. Switch(config)# ip access-list extended marketing_group Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet Switch(config-ext-nacl)# deny tcp any any Switch(config-ext-nacl)# permit ip any any Switch(config-ext-nacl)# exit
  • Page 554: Time Range Applied To An Ip Acl

    In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
  • Page 555: Displaying Ipv4 Acl Configuration

    [interface interface-id] Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface.
  • Page 557: Chapter 31 Configuring Qos

    This chapter describes how to configure quality of service (QoS) by using standard QoS commands on the Catalyst 2928 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 558 Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic. Catalyst 2928 Switch Software Configuration Guide 31-2 OL-23389-01...
  • Page 559: Basic Qos Model

    During classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent. Catalyst 2928 Switch Software Configuration Guide 31-3...
  • Page 560: Queueing Overview

    Figure 31-4 Queueing Flowchart for Ingress Ports. Note: Shaped round robin (SRR) services the priority queue for its configured share before servicing the other queue.
  • Page 561: Queueing On Egress Queues

    All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet.
  • Page 562: Packet Modification

    • Enabling QoS Globally, page 31-9 (required) • Configuring Classification Using Port Trust States, page 31-9 (required) • Configuring Ingress Queue Characteristics, page 31-12 (optional) • Configuring Egress Queue Characteristics, page 31-14 (optional)
  • Page 563: Default Standard Qos Configuration

    Default egress queue settings, for queues 1 through 4 respectively: 25 percent, 25 percent, 25 percent, 25 percent. WTD drop threshold 1: 100 percent, 200 percent, 100 percent, 100 percent. WTD drop threshold 2: 100 percent, 200 percent, 100 percent, 100 percent.
  • Page 564: General Qos Guidelines

    QoS processing. • You are likely to lose data when you change queue settings; therefore, try to make changes when traffic is at a minimum.
  • Page 565: Enabling Qos Globally

    QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 31-6 shows a sample network topology.
  • Page 566 CoS value is 0. Step 4 Return to privileged EXEC mode. Step 5 show mls qos interface Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 567: Configuring The Cos Value For An Interface

    DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the QoS configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
  • Page 568: Configuring Ingress Queue Characteristics

    Mapping CoS Values to an Ingress Queue You can prioritize traffic by placing packets with particular CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.
  • Page 569: Configuring The Ingress Priority Queue

    Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
  • Page 570: Configuring Egress Queue Characteristics

    • Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
  • Page 571: Configuration Guidelines

    3 is predefined. It is set to the queue-full state. • For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7. Step 3 Return to privileged EXEC mode.
  • Page 572: Configuring The Egress Expedite Queue

    To disable the egress expedite queue, use the no priority-queue out interface configuration command. This example shows how to enable the egress expedite queue. Switch(config)# interface gigabitethernet0/1 Switch(config-if)# priority-queue out Switch(config-if)# end
  • Page 573: Displaying Standard Qos Information

    [cos-input-q | cos-output-q] Display QoS mapping information. show mls qos vlan vlan-id Display the policy maps attached to the specified SVI. show running-config | include rewrite Display the CoS transparency setting.
  • Page 575: Understanding Etherchannels

    Chapter 32 Configuring EtherChannels This chapter describes how to configure EtherChannels on Layer 2 ports on the Catalyst 2928 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 576: Etherchannel Overview

    EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
  • Page 577: Port-Channel Interfaces

    To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
  • Page 578: Port Aggregation Protocol

    Understanding EtherChannels Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 579: Pagp Interaction With Other Features

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 580: Lacp Interaction With Other Features

    With source-and-destination MAC-address forwarding, packets sent from host A to host B, host A to host C, and host C to host B could all use different ports in the channel.
  • Page 581 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
  • Page 582: Configuring Etherchannels

    Note: After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface, and configuration changes applied to the physical port affect only the port where you apply the configuration.
  • Page 583: Default Etherchannel Configuration

    – Spanning-tree path cost for each VLAN – Spanning-tree port priority for each VLAN – Spanning-tree Port Fast setting • Do not configure a port to be a member of more than one EtherChannel group.
  • Page 584: Configuring Layer 2 Etherchannels

    For a LACP EtherChannel, you can configure up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.
  • Page 585 Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 586: Configuring Etherchannel Load Balancing

    Step 3 Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 587: Configuring The Pagp Learn Method And Priority

    When the link partner of the Catalyst 2928 switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 2928 switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
  • Page 588: Configuring Lacp Hot-Standby Ports

    In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
  • Page 589: Configuring The Lacp System Priority

    The hot-standby ports that have lower port numbers become active in the channel first. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).
  • Page 590: Displaying Etherchannel, Pagp, And Lacp Status

    | internal | neighbor} Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information. You can clear PAgP channel-group information and traffic counters by using the clear pagp {channel-group-number counters | counters} privileged EXEC command.
  • Page 591 You can clear LACP channel-group information and traffic counters by using the clear lacp {channel-group-number counters | counters} privileged EXEC command. For detailed information about the fields in the displays, see the command reference for this release.
  • Page 593: Chapter 33 Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2928 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 594: Recovering From A Software Failure

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 595: Recovering From A Lost Or Forgotten Password

    Step 11 After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into flash memory. Step 12 Boot the newly downloaded Cisco IOS image: switch: boot flash:image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch.
  • Page 596: Procedure With Password Recovery Enabled

    Oct 01 2010 22:31:59 config.text -rwx Oct 01 2010 02:21:30 vlan.dat 16128000 bytes total (10003456 bytes free) Step 5 Rename the configuration file to config.text.old. This file contains the password definition. switch: rename flash:config.text flash:config.text.old
  • Page 597 To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command. Step 14 Reload the switch: Switch# reload
  • Page 598: Procedure With Password Recovery Disabled

    Continue with the configuration dialog? [yes/no]: N Step 5 At the switch prompt, enter privileged EXEC mode: Switch> enable Step 6 Enter global configuration mode: Switch# configure terminal Step 7 Change the password:
  • Page 599: Recovering From A Command Switch Failure

    • Replacing a Failed Command Switch with Another Switch, page 33-9 These recovery procedures require that you have physical access to the switch. For information on command-capable switches, see the release notes.
  • Page 600: Replacing A Failed Command Switch With A Cluster Member

    Step 10 Enter Y at the first prompt. The prompts in the setup program vary depending on the member switch that you selected to be the command switch: Continue with configuration dialog? [yes/no]: y Configuring global parameters:
  • Page 601: Replacing A Failed Command Switch With Another Switch

    --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt.
  • Page 602 Step 13 Start your browser, and enter the IP address of the new command switch. Step 14 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
  • Page 603: Recovering From Lost Cluster Member Connectivity

    A member switch (Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 3500 XL, Catalyst 2970, Catalyst 2960, Catalyst 2950, Catalyst 2928, Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switch) cannot connect to the command switch through a port that is defined as a network port.
  • Page 604: Disabled Port Caused By Power Loss

    Disabled Port Caused by Power Loss If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
  • Page 605: Monitoring Sfp Module Status

    Troubleshooting Monitoring SFP Module Status If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module.
  • Page 606: Using Layer 2 Traceroute

    The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
  • Page 607: Usage Guidelines

    Using Layer 2 Traceroute Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP.
  • Page 608: Using Ip Traceroute

    ICMP port-unreachable error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.
  • Page 609: Executing Ip Traceroute

    Port unreachable. To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
  • Page 610: Using Tdr

    These sections explain how to use debug commands to diagnose and resolve internetworking problems: • Enabling Debugging on a Specific Feature, page 33-19 • Enabling All-System Diagnostics, page 33-19 • Redirecting Debug and Error Message Output, page 33-20
  • Page 611: Enabling Debugging On A Specific Feature

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 612: Redirecting Debug And Error Message Output

    10 20 Global Port Number:24, Asic Number:5 Src Real Vlan Id:5, Mapped Vlan Id:5 Ingress: Lookup Key-Used Index-Hit A-Data InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000 L2Local 80_00050002_00020002-00_00000000_00000000 00C71 0000002B Station Descriptor:02340000, DestIndex:0239, RewriteIndex:F005 ==========================================
  • Page 613 02010197 Station Descriptor:F0050003, DestIndex:F005, RewriteIndex:0003 ========================================== Egress:Asic 3, switch 1 Output Packets: ------------------------------------------ Packet 1 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Dscpv Gi0/2 0005 0001.0001.0001 0009.43A8.0145
  • Page 614: Using The Crashinfo Files

    Extended crashinfo file—The switch automatically creates this file when the system is failing. Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 615: Memory Consistency Check Routines

    The number of initial attempts to fix the invalid values or masks. Retries: The number of attempts to fix the invalid values or masks. Failures: The number of failed attempts to fix the invalid values or masks.
  • Page 616: Troubleshooting Tables

    For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release. Troubleshooting Tables These tables are a condensed version of troubleshooting documents on Cisco.com. • “Troubleshooting CPU Utilization” section on page 33-24...
  • Page 617: Troubleshooting Power Over Ethernet (Poe)

    This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning: • The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts • The time spent handling interrupts is zero percent.
  • Page 618 (available PoE). Use the show inline power and show inline power detail commands to verify the amount of available power. For more information, see No PoE On One Port on Cisco.com.
  • Page 619 This normally produces an alarm. Check the log again for alarms reported earlier by system messages. For more information, see No PoE On Any Port or a Group of Ports on Cisco.com.
  • Page 620 Problem: A non-Cisco powered device is connected to a Cisco PoE switch, but never powers on or powers on and then quickly powers off. Non-PoE devices work normally. Solution: Verify that sufficient power is available for the powered device type before you connect it. Use the show interface status command to verify that the switch detects the...
  • Page 621: Appendix

    • CISCO-CONFIG-COPY-MIB • CISCO-CONFIG-MAN-MIB • CISCO-DHCP-SNOOPING-MIB • CISCO-ENTITY-VENDORTYPE-OID-MIB • CISCO-ENVMON-MIB • CISCO-ERR-DISABLE-MIB • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO IP-STAT-MIB • CISCO-LAG-MIB
  • Page 622: Appendix A Supported Mib

    Appendix A Supported MIBs MIB List • CISCO-MAC-NOTIFICATION-MIB • CISCO-MEMORY-POOL-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-POE-EXTENSIONS-MIB • CISCO-PORT-QOS-MIB (Only the packet counters are supported; the octet counters are not supported.) • CISCO-PORT-SECURITY-MIB • CISCO-PORT-STORM-CONTROL-MIB • CISCO-PROCESS-MIB • CISCO-RTTMON-MIB • CISCO-SMI-MIB...
  • Page 623: Using Ftp To Access The Mib Files

    Step 1 Make sure that your FTP client is in passive mode. Note: Some FTP clients do not support passive mode. Step 2 Use FTP to access the server ftp.cisco.com. Step 3 Log in with the username anonymous. Enter your e-mail username when prompted for the password.
  • Page 625: Appendix

    Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 2928 switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
  • Page 626: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
  • Page 627: Setting The Default File System

    Setting the Default File System You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 628: Creating And Removing Directories

    Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose...
  • Page 629: Deleting Files

    Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration • From a startup configuration to a startup configuration...
  • Page 630: Creating A Tar File

    Creating a tar File To create a tar file and write files into it, use this privileged EXEC command: archive tar /create destination-url flash:/file-url For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
  • Page 631: Extracting A Tar File

    c2928-lanlitek9-mz.122-55.EZ/c2928-lanlitek9-mz.122-55.EZ.bin (4590080 bytes) c2928-lanlitek9-mz.122-55.EZ/info (219 bytes) This example shows how to display only the /html directory and its contents: Switch# archive tar /table flash:c2928-lanlitek9-mz.122-55.0.02.EZ/html c2928-lanlitek9-mz.122-55.EZ/html...
  • Page 632: Working With Configuration Files

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 633 Use these guidelines when creating a configuration file: We recommend that you connect through the console port for the initial configuration of the switch.
  • Page 634: Preparing To Download Or Upload A Configuration File By Using Tftp

    Step 4 Copy the configuration file to the appropriate server location. For example, copy the file to the TFTP directory on the workstation (usually /tftpboot on a UNIX workstation).
  • Page 635 Downloading the Configuration File By Using TFTP To configure the switch by using a configuration file downloaded from a TFTP server, follow these steps: Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.
  • Page 636: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 637 • If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download.
  • Page 638 This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the switch startup configuration.
  • Page 639: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 640 Preparing to Download or Upload a Configuration File By Using RCP Before you begin downloading or uploading a configuration file by using RCP, do these tasks: Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
  • Page 641 Command Purpose Step 5 Return to privileged EXEC mode. Step 6 copy rcp:[[[//[username@]location]/directory]/filename]... Using RCP, copy the configuration file from a network...
  • Page 642: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, see the Cisco IOS Command Reference for Release 12.2.
  • Page 643: Working With Software Images

    Caution: You cannot restore a file after it has been deleted. Working with Software Images This section describes how to archive (download and upload) software image files, which contain the system software, the Cisco IOS code, and the embedded device manager software.
  • Page 644 Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 645: Preparing To Download Or Upload An Image File By Using Tftp

    Field / Description: total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them. image_feature: Describes the core functionality of the image...
  • Page 646: Downloading An Image File By Using Tftp

    • Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
  • Page 647 Command Purpose Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image.
  • Page 648: Uploading An Image File By Using Tftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 649 The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 650 Downloading an Image File By Using FTP You can download a new image file and overwrite the current image or keep the current image.
  • Page 651 Command Purpose Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and keep the current image.
  • Page 652: Copying Image Files By Using Rcp

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 653: Preparing To Download Or Upload An Image File By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 654 • If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download.
  • Page 655 Step 6. Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na Purpose: Download the image file from the RCP server to the switch and overwrite the current image.
  • Page 656 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 657 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
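The image-tar description repeated above (info file, then the Cisco IOS image, then the web management files) and the install step on page 656 describe a format worth checking before archive download-sw writes it to flash. The following Python script is an added example, not code from the Cisco guide: it builds a constructed stand-in tar in the member order the guide gives, checks that order, rejects absolute or parent-relative member paths, and returns the SHA-256 of the embedded .bin so it can be compared with the digest published for that release. The member paths, the info-file keys and the sample bytes are assumptions made for the example.

```python
"""Check a Catalyst image tar before handing it to archive download-sw.

Added example, not from the Cisco guide. The guide states the upload order
info, IOS image, web management files; the member paths and info keys below
are assumptions for the sample, and SAMPLE_IMAGE_BYTES is a constructed stub.
"""
import hashlib
import io
import tarfile

RANK = {"info": 0, "image": 1, "web": 2}   # order the guide describes

SAMPLE_IMAGE_BYTES = b"\x7fELF" + b"\x00" * 60          # constructed stand-in image
SAMPLE_INFO = b"version_suffix: 122-55.EZ\nimage_name: switch-image.bin\ninfo_end:\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_image_tar(image_first: bool = False) -> bytes:
    """Build an uncompressed tar in the guide's order (or out of order, for testing)."""
    members = [
        ("info", SAMPLE_INFO),
        ("switch-image/switch-image.bin", SAMPLE_IMAGE_BYTES),
        ("switch-image/html/index.html", b"<html></html>\n"),
    ]
    if image_first:
        members[0], members[1] = members[1], members[0]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify(name: str) -> str:
    """Map a member to the three kinds the guide lists; anything else is 'other'."""
    base = name.rsplit("/", 1)[-1]
    if base == "info":
        return "info"
    if base.endswith(".bin"):
        return "image"
    if "/html/" in name or name.startswith("html/"):
        return "web"
    return "other"


def inspect_image_tar(data: bytes) -> dict:
    """Walk the tar in member order, checking layout and hashing the image."""
    result = {"order_ok": True, "info": {}, "image_name": None,
              "image_sha256": None, "web_files": 0, "problems": []}
    highest = -1
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # A member path that escapes the extraction directory is never legitimate.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                result["problems"].append(f"unsafe path {member.name}")
                continue
            kind = classify(member.name)
            if kind == "other":
                result["problems"].append(f"unexpected member {member.name}")
                continue
            if RANK[kind] < highest:
                result["order_ok"] = False
                result["problems"].append(f"{member.name} out of order")
            highest = max(highest, RANK[kind])
            payload = tar.extractfile(member).read()
            if kind == "info":
                for line in payload.decode("ascii", "replace").splitlines():
                    key, _, value = line.partition(":")
                    result["info"][key.strip()] = value.strip()
            elif kind == "image":
                if result["image_name"] is not None:
                    result["problems"].append("more than one .bin image")
                result["image_name"] = member.name
                result["image_sha256"] = sha256_hex(payload)
            else:
                result["web_files"] += 1
    if result["image_name"] is None:
        result["problems"].append("no .bin image found")
    if not result["info"]:
        result["problems"].append("no info file found")
    return result


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True only when the layout matches the guide and the image digest matches."""
    r = inspect_image_tar(data)
    return r["order_ok"] and not r["problems"] and r["image_sha256"] == expected_sha256.lower()


if __name__ == "__main__":
    good = build_sample_image_tar()
    print(inspect_image_tar(good))
    print(verify_image(good, sha256_hex(SAMPLE_IMAGE_BYTES)))
```

Run it against a real image tar by passing the file's bytes to inspect_image_tar and the vendor-published digest to verify_image; a False result means either the layout differs from what the guide describes or the .bin is not the one you expected, and neither should be installed with /overwrite.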
  • Page 659: Appendix

    This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2928 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 2928 switch hardware limitations. This is not a complete list.
  • Page 660: Boot Loader Commands

    Appendix C, Unsupported Commands in Cisco IOS Release 12.2(55)EZ
    Boot Loader Commands
        Unsupported Global Configuration Commands: boot buffersize
    Debug Commands
        Unsupported Privileged EXEC Commands: debug platform cli-redirection main; debug platform configuration
    IEEE 802.1x Commands
        Unsupported Privileged EXEC Command...
  • Page 661: Unsupported Global Configuration Commands

        Unsupported Global Configuration Commands: interface tunnel
        Unsupported Interface Configuration Commands: transmit-interface type number
    MAC Address Commands
        Unsupported Privileged EXEC Commands: show mac-address-table; show mac-address-table address; show mac-address-table aging-time...
  • Page 662: Miscellaneous

    Miscellaneous
        Unsupported Privileged EXEC Commands: file verify auto; show cable-diagnostics prbs; test cable-diagnostics prbs
        Unsupported Global Configuration Commands: errdisable recovery cause unicast flood; l2protocol-tunnel global drop-threshold; service compress-config; stack-mac persistent timer...
  • Page 663: Radius

    RADIUS
        Unsupported Global Configuration Commands: aaa nas port extended; aaa authentication feature default enable; aaa authentication feature default line; radius-server configure; radius-server extended-portnames
    SNMP
        Unsupported Global Configuration Commands...
  • Page 664: Unsupported Vlan-Config Command

    Unsupported vlan-config Command: private-vlan
    Unsupported User EXEC Commands: show running-config vlan; show vlan ifindex; show vlan private-vlan
    Unsupported Privileged EXEC Commands: vtp {password password | pruning | version number} (this command has been replaced by the vtp global configuration command)
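As a pre-flight check against the Appendix C entries visible on this page, the following Python linter is an added example, not code from the Cisco guide: it walks a configuration file while tracking global, interface and vlan-config mode, checks a separate list of EXEC commands, and reports each hit with the vtp note the appendix gives. The command list copies only what this page shows and is not the complete appendix; the replacement suggested for show mac-address-table is an assumption of the example, and the sample configuration is constructed.

```python
"""Flag commands that Appendix C lists as unsupported in Cisco IOS 12.2(55)EZ.

Added example, not from the Cisco guide. UNSUPPORTED copies only the
Appendix C entries visible on this page (it is not the complete appendix).
"""
import re

UNSUPPORTED = {
    "global": [
        "boot buffersize",
        "interface tunnel",
        "errdisable recovery cause unicast flood",
        "l2protocol-tunnel global drop-threshold",
        "service compress-config",
        "stack-mac persistent timer",
        "aaa nas port extended",
        "aaa authentication feature default enable",
        "aaa authentication feature default line",
        "radius-server configure",
        "radius-server extended-portnames",
    ],
    "interface": ["transmit-interface"],
    "vlan-config": ["private-vlan"],
    "exec": [
        "debug platform cli-redirection main",
        "debug platform configuration",
        "show mac-address-table",
        "file verify auto",
        "show cable-diagnostics prbs",
        "test cable-diagnostics prbs",
        "show running-config vlan",
        "show vlan ifindex",
        "show vlan private-vlan",
        "vtp password",
        "vtp pruning",
        "vtp version",
    ],
}

# The vtp note is the appendix's own; the mac-address-table replacement is an
# assumption made for this example, not a statement from the guide.
NOTES = {
    "vtp": "replaced by the vtp global configuration command",
    "show mac-address-table": "assumed replacement: show mac address-table",
}


def _tokens(line: str) -> list:
    """Lower-case tokens with trailing interface/VLAN numbers removed (Tunnel0 -> tunnel)."""
    return [re.sub(r"[\d/.]+$", "", tok) for tok in line.lower().split()]


def _matches(line: str, pattern: str) -> bool:
    """True when the pattern's tokens are a prefix of the line's tokens."""
    lt, pt = _tokens(line), pattern.lower().split()
    return len(lt) >= len(pt) and lt[: len(pt)] == pt


def _check(line: str, mode: str):
    for pattern in UNSUPPORTED[mode]:
        if _matches(line, pattern):
            note = next((n for key, n in NOTES.items() if pattern.startswith(key)), "")
            return {"mode": mode, "pattern": pattern, "note": note}
    return None


def lint_config(config_text: str) -> list:
    """Scan a configuration file; indentation selects interface or vlan-config mode."""
    findings = []
    mode = "global"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if raw.startswith(" "):
            hit = _check(stripped, mode)        # line inside a submode block
        else:
            hit = _check(stripped, "global")    # the header line itself is global config
            first = stripped.split()[0].lower()
            mode = {"interface": "interface", "vlan": "vlan-config"}.get(first, "global")
        if hit:
            findings.append({"line": lineno, "text": stripped, **hit})
    return findings


def lint_exec(commands) -> list:
    """Check commands that would be typed at the user or privileged EXEC prompt."""
    findings = []
    for lineno, cmd in enumerate(commands, 1):
        hit = _check(cmd.strip(), "exec")
        if hit:
            findings.append({"line": lineno, "text": cmd.strip(), **hit})
    return findings


# Constructed sample configuration; addresses and interface names are made up.
SAMPLE_CONFIG = """!
vtp version 2
service compress-config
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 transmit-interface GigabitEthernet0/2
vlan 100
 private-vlan primary
"""

SAMPLE_EXEC = [
    "show mac address-table",
    "show mac-address-table aging-time",
    "vtp password s3cret",
    "show vlan ifindex",
]

if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG) + lint_exec(SAMPLE_EXEC):
        print(f"line {f['line']}: {f['text']!r} unsupported ({f['mode']}: {f['pattern']}) {f['note']}")
```

Mode tracking matters: vtp version 2 is flagged only when given as an EXEC command, because the appendix says the global configuration form replaces it, so the same text in a running-config passes.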
  • Page 665: Index

    IPv4 30-12 ACLs port 30-2 ACEs 30-1 resequencing entries 30-12 any keyword 30-9 standard IPv4 applying creating 30-6 time ranges to 30-14 matching criteria 30-5 to an interface 30-16 support for...
  • Page 666 STP brand new switches 16-8, 16-21 MAC address table connectivity 7-20 maximum different VLANs for MSTP 17-23, 17-24 management VLANs for STP non-CDP-capable devices 16-21, 16-22 alarms, RMON noncluster-capable devices 27-3...
  • Page 667 DHCP snooping database automatic discovery 19-7 IP source guard defined 19-14 binding table, DHCP snooping requirements See DHCP snooping binding database See also command switch, cluster standby group, and member switch blocking packets 22-7...
  • Page 668 LRE profile considerations 5-13 CIST regional root managing See MSTP through CLI 5-13 CIST root through SNMP 5-14 See MSTP planning civic location 24-2 class of service See CoS clearing interfaces 12-28...
  • Page 669 22-12 enabling event agent config.text 3-16 management functions configurable leave timer, IGMP 21-5 command-line interface configuration, initial See CLI defaults command modes Express Setup configuration changes, logging 28-10...
  • Page 670 ARP inspection 20-5 conflicts, configuration 33-11 EtherChannel 32-9 connections, secure remote 8-33 Ethernet interfaces 12-14 connectivity problems 33-13, 33-14, 33-16 IGMP filtering 21-16 consistency checks in VTP Version 2 14-4 IGMP snooping 21-6...
  • Page 671 See DHCP snooping binding database description command DHCP binding table 12-25 designing your network, examples See DHCP snooping binding database 1-11 destination addresses in IPv4 ACLs 30-9 destination-IP address-based forwarding, EtherChannel 32-7...
  • Page 672 DHCP snooping binding database support for adding bindings 19-12 domain names binding file 7-15 format 19-8 14-7 location 19-7 Domain Name System bindings 19-7 See DNS clearing agent statistics 19-13 configuration guidelines 19-10 configuring 19-12...
  • Page 673 20-4 clearing error-disabled state 20-4 log buffer statistics 20-15 statistics 20-15 clearing 20-15 configuration guidelines displaying 20-6 20-15 validation checks, performing 20-11 dynamic auto trunking mode 13-13 dynamic desirable trunking mode 13-13...
  • Page 674 13-7 described 32-2 defaults and ranges 13-7 displaying status 32-16 modifying 13-7 forwarding methods 32-6, 32-12 events, RMON 27-3 IEEE 802.3ad, described 32-5 examples network configuration 1-11 expedite queue for QoS 31-16...
  • Page 675 33-22 image files deleting old image B-27 creating downloading B-26 displaying the contents of preparing the server B-25 extracting uploading B-27 image file format B-20 get-bulk-request operation 29-3 get-next-request operation 29-3, 29-4...
  • Page 676 HTTP over SSL See PoE see HTTPS IEEE 802.3x flow control 12-19 HTTPS 8-37 ifIndex values, SNMP 29-5 configuring 8-41 self-signed certificate 8-38 HTTP secure server 8-37 Hulc Forwarding TCAM Manager See HFTM space...
  • Page 677 21-9 configuration guidelines, duplex and speed 12-17 IGMP profile configuring applying procedure 21-18 12-10 configuration mode counters, clearing 21-17 12-28 configuring 21-17 default configuration 12-14 described 12-25 descriptive name, adding 12-25...
  • Page 678 21-17 source IP and MAC address filtering 19-14 IP information static bindings assigned adding 19-16, 19-18 manually deleting 3-14 19-17 through DHCP-based autoconfiguration static hosts 19-18 default configuration...
  • Page 679 LEDs, switch enabling 18-15 See hardware installation guide support for lightweight directory access protocol LRE profiles, considerations in switch clusters 5-13 See LDAP line configuration mode Link Aggregation Control Protocol See EtherChannel...
  • Page 680 24-2 monitoring management options access groups 30-21 cables for unidirectional links 25-1 clustering 23-5 features overview IGMP management VLAN filters 21-21 considerations in switch clusters snooping 21-14 discovery through different management VLANs...
  • Page 681 17-6 terminology 17-5 instances supported 16-9 interface state, blocking to forwarding 18-2 interoperability and compatibility among modes 16-10 interoperability with IEEE 802.1D described 17-8 restarting migration process 17-25...
  • Page 682 13-5 Immediate Leave 21-5 configuring 13-4 joining 21-3 defined 13-1 leaving 21-4 static joins 21-9 multicast router interfaces, monitoring 21-15 multicast router ports, adding 21-8 multicast storm 22-1...
  • Page 683 12-5 See EtherChannel CDP with power consumption, described 12-4 CDP with power negotiation, described 12-4 Cisco intelligent power management 12-4 configuring 12-21 cutoff power determining 12-7 cutoff-power support for 12-6...
  • Page 684 9-20 authentication server multiple-hosts mode, described defined ports RADIUS server authorization state and dot1x port-control command client, defined authorized and unauthorized configuration guidelines 9-19 voice VLAN 9-13...
  • Page 685 VLAN 13-3 changing the default for lines port priority command switch 5-14 MSTP exiting 17-19 logging into 16-16 mapping on member switches 5-14 overview 8-2, 8-7 setting a command with...
  • Page 686 CoS value 31-11 query solicitation, IGMP 21-12 DSCP transparency 31-11 egress queue characteristics 31-14 ingress queue characteristics 31-12 port trust states within the domain 31-9 default standard configuration 31-7 DSCP transparency 31-11...
  • Page 687 IEEE 802.1Q trunking interoperability 16-10 resetting a UDLD-shutdown interface 25-6 instances supported 16-9 restricted VLAN Rapid Spanning Tree Protocol configuring 9-29 See RSTP described 9-12, 9-15 rcommand command 5-13 using with IEEE 802.1x 9-12, 9-15...
  • Page 688 17-9 MSTP See also MSTP 17-17 16-14 running configuration, saving 3-14 RSPAN default configuration 26-7 destination ports 26-5 displaying status 26-13 interaction with other features 26-6 monitored ports 26-4...
  • Page 689 29-4 setup program configuration examples 29-16 failed command switch replacement 33-9 default configuration 29-6 replacing failed command switch 33-8 engine ID 29-7 severity levels, defining in system messages 28-8 groups 29-7, 29-9...
  • Page 690 29-7, 29-9 source ports 26-4 versions supported 29-2 transmitted traffic 26-3 SNMPv1 29-2 VLAN-based 26-4 SNMPv2C 29-2 spanning tree and native VLANs 13-14 SNMPv3 29-2 Spanning Tree Protocol snooping, IGMP 21-1 See STP...
  • Page 691 3-16 18-2 default boot configuration disabling 3-16 18-12 static access ports enabling 18-11 assigning to VLAN 13-9 BPDU message exchange 16-2 defined configuration guidelines 12-3, 13-3 16-12, 18-10...
  • Page 692 16-3 inferior BPDU 16-3 root switch instances supported 16-9 configuring 16-14 interface state, blocking to forwarding 18-2 effects of extended system ID 16-3, 16-14 election 16-3 unexpected behavior 16-14...
  • Page 693 TLV 24-2 system clock configuring daylight saving time 7-13 manually 7-11 summer time 7-13 time zones 7-12 displaying the time and date 7-12 overview See also NTP system description TLV 24-1...
  • Page 694 33-23 time-range command 30-14 space time ranges in ACLs 30-14 HFTM 33-23 time stamps in log messages 28-7 HQATM 33-23 time zones 7-12 unassigned 33-23 TLVs defined 24-1 LLDP 24-1 LLDP-MED 24-2...
  • Page 695 29-12 overview 29-1, 29-4 troubleshooting connectivity problems 33-13, 33-14, 33-16 CPU utilization 33-24 detecting unidirectional links 25-1 displaying crash information 33-22 setting packet forwarding 33-20 SFP security and identification 33-12...
  • Page 696 VMPS 13-22 UNIX syslog servers VLAN configuration daemon configuration 28-11 at bootup 13-6 facilities supported 28-13 saving 13-6 message logging configuration 28-12 VLAN configuration mode unrecognized Type-Length-Value (TLV) support 14-4...
  • Page 697 SPAN 26-12 802.1Q frames 15-5 modifying 13-7 connecting to an IP phone 15-4 native, configuring 13-17 default configuration 15-3 normal-range 13-1, 13-4 described 15-1 number supported displaying 15-6...
  • Page 698 10-13 transparent 14-3, 14-10 configuring RADIUS server parameters on the switch 10-11 monitoring 14-14 configuring switch-to-RADIUS-server passwords 14-7 communication 10-11 customizeable web pages 10-6 default configuration 10-9 description 10-1 device roles 10-2...
  • Page 699 10-17 switch as proxy 10-2 web-based authentication, interactions with other features 10-7 weighted tail drop See WTD wired location service location TLV 24-2 described 31-4 support for Xmodem protocol 33-2...
