Cisco Catalyst 2975 Software Configuration Manual


IOS Release 12.2(55)SE

Catalyst 2975 Switch Software
Configuration Guide
Cisco IOS Release 12.2(55)SE
August 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-19720-02


Summary of Contents for Cisco Catalyst 2975

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Default Settings After Initial Switch Configuration 1-13 Network Configuration Examples 1-15 Design Concepts for Using the Switch 1-15 Small to Medium-Sized Network Using Catalyst 2975 Switches 1-19 Long-Distance, High-Bandwidth Transport Configuration 1-20 Where to Go Next 1-21 Using the Command-Line Interface...
  • Page 4 Configuring DHCP Autoconfiguration (Only Configuration File) 3-12 Configuring DHCP Auto-Image Update (Configuration File and Image) 3-13 Configuring the Client 3-14 Manually Assigning IP Information 3-15 Checking and Saving the Running Configuration 3-16 Configuring the NVRAM Buffer Size 3-17...
  • Page 5 4-12 Displaying CNS Configuration 4-13 Clustering Switches CHAPTER Understanding Switch Clusters Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics...
  • Page 6 Stack Protocol Version Compatibility Major Version Number Incompatibility Among Switches Minor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise 6-10 Auto-Upgrade and Auto-Advise Example Messages 6-11 Incompatible Software and Member Image Upgrades 6-13...
  • Page 7 6-28 Fixing a Bad Connection Between Stack Ports 6-29 Administering the Switch CHAPTER Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol...
  • Page 8 7-25 Adding and Removing Static Address Entries 7-26 Configuring Unicast MAC Address Filtering 7-27 Disabling MAC Address Learning on a VLAN 7-28 Displaying Address Table Entries 7-30 Managing the ARP Table 7-30...
  • Page 9 Establishing a Session with a Router if the AAA Server is Unreachable 9-18 Displaying the TACACS+ Configuration 9-18 Controlling Switch Access with RADIUS 9-18 Understanding RADIUS 9-18 RADIUS Operation 9-20 RADIUS Change of Authorization 9-20 Overview 9-20 Change-of-Authorization Requests 9-21...
  • Page 10 Default SSL Configuration 9-48 SSL Configuration Guidelines 9-49 Configuring a CA Trustpoint 9-49 Configuring the Secure HTTP Server 9-50 Configuring the Secure HTTP Client 9-51 Displaying Secure HTTP Server and Client Status 9-52...
  • Page 11 802.1x Authentication with VLAN Assignment 10-17 802.1x Authentication with Downloadable ACLs and Redirect URLs 10-18 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 10-20 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 10-20 VLAN ID-based MAC Authentication 10-20 802.1x Authentication with Guest VLAN...
  • Page 12 Configuring MAC Authentication Bypass 10-57 Configuring 802.1x User Distribution 10-58 Configuring NAC Layer 2 802.1x Validation 10-59 Configuring an Authenticator and a Supplicant Switch with NEAT 10-60 Configuring NEAT with Auto Smartports Macros 10-61...
  • Page 13 Configuring the HTTP Server 11-13 Customizing the Authentication Proxy Web Pages 11-13 Specifying a Redirection URL for Successful Login 11-15 Configuring an AAA Fail Policy 11-15 Configuring the Web-Based Authentication Parameters 11-16...
  • Page 14 Budgeting Power for Devices Connected to a PoE Port 12-24 Configuring Power Policing 12-26 Adding a Description for an Interface 12-27 Configuring Layer 3 SVIs 12-27 Configuring the System MTU 12-28 Monitoring and Maintaining the Interfaces 12-29 Monitoring Interface Status 12-30...
  • Page 15 13-20 Load Sharing Using STP Path Cost 13-21 Configuring VMPS 13-23 Understanding VMPS 13-23 Dynamic-Access Port VLAN Membership 13-24 Default VMPS Client Configuration 13-24 VMPS Configuration Guidelines 13-24 Configuring the VMPS Client 13-25...
  • Page 16 Configuring Voice VLAN 14-3 Default Voice VLAN Configuration 14-3 Voice VLAN Configuration Guidelines 14-3 Configuring a Port Connected to a Cisco 7960 IP Phone 14-5 Configuring Cisco IP Phone Voice Traffic 14-5 Configuring the Priority of Incoming Data Frames 14-6...
  • Page 17 16-15 Disabling Spanning Tree 16-16 Configuring the Root Switch 16-16 Configuring a Secondary Root Switch 16-18 Configuring Port Priority 16-18 Configuring Path Cost 16-20 Configuring the Switch Priority of a VLAN 16-21...
  • Page 18 Specifying the MST Region Configuration and Enabling MSTP 17-17 Configuring the Root Switch 17-19 Configuring a Secondary Root Switch 17-20 Configuring Port Priority 17-21 Configuring Path Cost 17-23 Configuring the Switch Priority 17-24...
  • Page 19 Displaying the Spanning-Tree Status 18-19 Configuring Flex Links and the MAC Address-Table Move Update Feature 19-1 CHAPTER Understanding Flex Links and the MAC Address-Table Move Update 19-1 Flex Links 19-1...
  • Page 20 Source IP and MAC Address Filtering 20-15 IP Source Guard for Static Hosts 20-16 Configuring IP Source Guard 20-17 Default IP Source Guard Configuration 20-17 IP Source Guard Configuration Guidelines 20-17 Enabling IP Source Guard 20-18...
  • Page 21 22-5 Immediate Leave 22-5 IGMP Configurable-Leave Timer 22-5 IGMP Report Suppression 22-5 IGMP Snooping and Switch Stacks 22-6 Configuring IGMP Snooping 22-6 Default IGMP Snooping Configuration 22-7 Enabling or Disabling IGMP Snooping 22-7...
  • Page 22 Configuring Storm Control and Threshold Levels 23-3 Configuring Small-Frame Arrival Rate 23-5 Configuring Protected Ports 23-6 Default Protected Port Configuration 23-7 Protected Port Configuration Guidelines 23-7 Configuring a Protected Port 23-7 Configuring Port Blocking 23-8...
  • Page 23 Enabling LLDP 25-6 Configuring LLDP Characteristics 25-7 Configuring LLDP-MED TLVs 25-8 Configuring Network-Policy TLV 25-9 Configuring Location TLV and Wired Location Service 25-10 Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 25-12...
  • Page 24 RSPAN Configuration Guidelines 27-17 Configuring a VLAN as an RSPAN VLAN 27-18 Creating an RSPAN Source Session 27-19 Creating an RSPAN Destination Session 27-20 Creating an RSPAN Destination Session and Configuring Incoming Traffic 27-21...
  • Page 25 CHAPTER Understanding SNMP 30-1 SNMP Versions 30-2 SNMP Manager Functions 30-3 SNMP Agent Functions 30-4 SNMP Community Strings 30-4 Using SNMP to Access MIB Variables 30-4 SNMP Notifications 30-5...
  • Page 26 Hardware and Software Treatment of IP ACLs 31-19 Troubleshooting ACLs 31-19 IPv4 ACL Configuration Examples 31-20 Numbered ACLs 31-21 Extended ACLs 31-21 Named ACLs 31-21 Time Range Applied to an IP ACL 31-21...
  • Page 27 Configuring Cisco IOS IP SLAs Operations 32-1 CHAPTER Understanding Cisco IOS IP SLAs 32-1 Using Cisco IOS IP SLAs to Measure Network Performance 32-2 IP SLAs Responder and IP SLAs Control Protocol 32-3 Response Time Computation for IP SLAs...
  • Page 28 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 33-63 Allocating Buffer Space Between the Ingress Queues 33-65 Allocating Bandwidth Between the Ingress Queues 33-65 Configuring the Ingress Priority Queue 33-66 Configuring Egress Queue Characteristics 33-67 Configuration Guidelines 33-68...
  • Page 29 IPv6 and Switch Stacks 35-6 Configuring IPv6 35-7 Default IPv6 Configuration 35-7 Configuring IPv6 Addressing and Enabling IPv6 Host 35-7 Configuring IPv6 ICMP Rate Limiting 35-9 Configuring Static Routes for IPv6 35-10 Displaying IPv6 35-11...
  • Page 30 LACP Interaction with Other Features 37-8 EtherChannel On Mode 37-8 Load Balancing and Forwarding Methods 37-8 EtherChannel and Switch Stacks 37-10 Configuring EtherChannels 37-11 Default EtherChannel Configuration 37-11 EtherChannel Configuration Guidelines 37-12 Configuring Layer 2 EtherChannels 37-13...
  • Page 31 Understanding Ping 38-14 Executing Ping 38-14 Using Layer 2 Traceroute 38-15 Understanding Layer 2 Traceroute 38-15 Usage Guidelines 38-16 Displaying the Physical Path 38-17 Using IP Traceroute 38-17 Understanding IP Traceroute 38-17...
  • Page 32 APPENDIX MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images APPENDIX Working with the Flash File System...
  • Page 33 Working with Software Images B-23 Image Location on the Switch B-24 tar File Format of Images on a Server or Cisco.com B-24 Copying Image Files By Using TFTP B-25 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 34 Copying an Image File from One Stack Member to Another B-37 Unsupported Commands in Cisco IOS Release 12.2(55)SE APPENDIX Access Control Lists Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Route-Map Configuration Commands...
  • Page 35 Unsupported Interface Configuration Command VLAN Unsupported Global Configuration Command Unsupported vlan-config Command Unsupported User EXEC Commands Unsupported vlan-config Command Unsupported VLAN Database Commands Unsupported Privileged EXEC Commands INDEX...
  • Page 37 This guide is for the networking professional managing the Catalyst 2975 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 38: Related Publications

    Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps10081/tsd_products_support_series_home.html Before installing, configuring, or upgrading the switch, see these documents: Note For initial configuration information, see the “Using Express Setup”...
  • Page 39 Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 41: Features

    Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 42: Chapter 1 Overview

    – Using a single IP address and configuration file to manage the entire switch stack. – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
  • Page 43: Performance Features

    – OUI-based triggers, remote macros as well as for automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC). For information, see the Auto Smartports Configuration Guide.
  • Page 44 • Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features. • Support for Cisco IOS IP Service Level Agreements (SLAs) responder that allows the system to anticipate and respond to Cisco IOS IP SLAs request packets for monitoring network performance.
  • Page 45: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 46 • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • Configuration logging to log and to view changes to the switch configuration ...
  • Page 47: Availability And Redundancy Features

    – Root guard for preventing switches outside the network core from becoming the spanning-tree root – Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link
  • Page 48: Vlan Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. VLAN Features • Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network ...
  • Page 49 VLAN. Voice VLAN assignment is supported for one IP phone. – Port security for controlling access to 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port – IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 50 When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
  • Page 51: Qos And Cos Features

    – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security • Policing ...
  • Page 52: Layer 3 Features

    • Support for CDP with power consumption. The powered device notifies the switch of the amount of power it is consuming. • Support for Cisco intelligent power management. The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device to operate at its highest power mode.
  • Page 53: Default Settings After Initial Switch Configuration

    • Switch cluster is disabled. For more information about switch clusters, see Chapter 5, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com. • No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
  • Page 54 • IGMP throttling setting is deny. For more information, see Chapter 22, “Configuring IGMP Snooping and MVR.” • The IGMP snooping querier feature is disabled. For more information, see Chapter 22, “Configuring IGMP Snooping and MVR.”
  • Page 55: Network Configuration Examples

    Fast Ethernet and Gigabit Ethernet connections. • “Design Concepts for Using the Switch” section on page 1-15 • “Small to Medium-Sized Network Using Catalyst 2975 Switches” section on page 1-19 • “Long-Distance, High-Bandwidth Transport Configuration” section on page 1-20 ...
  • Page 56 Availability to provide always-on mission-critical applications: • Use VLAN trunks and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
  • Page 57 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 2975 switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
  • Page 58 1-2)—For high-speed access to network resources, you can use the Catalyst 2975 switch stack in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
  • Page 59: Small To Medium-Sized Network Using Catalyst 2975 Switches

    500 employees. This network uses a Catalyst 2975 switch stack with high-speed connections to two routers. This ensures connectivity to the Internet, WAN, and mission-critical network resources if one of the routers fails. The switch stack uses cross-stack EtherChannel for load sharing.
  • Page 60: Long-Distance, High-Bandwidth Transport Configuration

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 61: Where To Go Next

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Figure 1-5...
  • Page 63: Using Configuration Logging

    CHAPTER Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 64: C H A P T E R 2 Using The Command-Line Interface

    VLAN configuration mode, prompt Switch(vlan)#. Access method: while in privileged EXEC mode, enter the vlan database command. Exit method: to exit to privileged EXEC mode, enter exit. Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.
  • Page 65: Understanding The Help System

    Obtain a list of commands that begin with a particular character string. For example: Switch# di? (lists dir, disable, disconnect). abbreviated-command-entry<Tab>: complete a partial command name. For example: Switch# sh conf<Tab> expands to Switch# show configuration
  • Page 66: Understanding Abbreviated Commands

    However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
  • Page 67: Understanding Cli Error Messages

    You can choose to have the notifications sent to the syslog. For more information, see the Configuration Change Notification and Logging feature module: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html Note Only CLI or HTTP changes are logged.
  • Page 68: Using Command History

    The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command. 1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
  • Page 69: Disabling The Command History Feature

    To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: Switch# terminal editing To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# editing
  • Page 70: Editing Commands Through Keystrokes

    Change the word at the cursor to lowercase. Press Esc U. Capitalize letters from the cursor to the end of the word. Press Ctrl-V or Esc Q. Designate a particular keystroke as an executable command, perhaps as a shortcut.
  • Page 71: Editing Command Lines That Wrap

    Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-8.
  • Page 72: Searching And Filtering Output Of Show And More Commands

    Telnet session, but your switch must first be configured for this type of access. For more information, see the “Setting a Telnet Password for a Terminal Line” section on page 9-6.
  • Page 73 9-41. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
  • Page 75 This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the Catalyst 2975 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 76: Understanding The Boot Process

    • Data bits default is 8. Note If the data bits option is set to 8, set the parity option to none. • Stop bits default is 1. • Parity settings default is none.
  • Page 77: Assigning Switch Information

    No default gateway is defined. Enable secret password: No password is defined. Hostname: The factory-assigned default hostname is Switch. Telnet password: No password is defined. Cluster command switch functionality: Disabled. Cluster name: No cluster name is defined.
  • Page 78: Understanding Dhcp-Based Autoconfiguration

    (such as an IP address, subnet mask, gateway IP address, DNS IP address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
  • Page 79: Understanding Dhcp-Based Autoconfiguration And Image Update

    DHCP autoconfiguration downloads a configuration file to one or more switches in your network from a DHCP server. The downloaded configuration file becomes the running configuration of the switch. It does not overwrite the bootup configuration saved in the flash until you reload the switch.
  • Page 80: Dhcp Auto-Image Update

    NVRAM unless you enter the write memory or copy running-configuration startup-configuration privileged EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts.
  • Page 81: Configuring Dhcp-Based Autoconfiguration

    The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring...
  • Page 82: Configuring The Dns

    You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database.
  • Page 83: Configuring The Relay Device

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 84: Example Configuration

    Figure 3-3 DHCP-Based Autoconfiguration Network Example (figure: Switch 1 00e0.9f1e.2001, Switch 2 00e0.9f1e.2002, Switch 3 00e0.9f1e.2003, Switch 4 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server (tftpserver) 10.0.0.3)
  • Page 85 • It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha). • It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server.
  • Page 86: Configuring The Dhcp Auto Configuration And Image Update Features

    This example shows how to configure a switch as a DHCP server so that it will download a configuration file:
      Switch# configure terminal
      Switch(config)# ip dhcp pool pool1
      Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
      Switch(dhcp-config)# bootfile config-boot.text
      Switch(dhcp-config)# default-router 10.10.10.1
      Switch(dhcp-config)# option 150 10.10.10.1
      Switch(dhcp-config)# exit
      Switch(config)# tftp-server flash:config-boot.text
      Switch(config)# interface gigabitethernet1/0/4
  • Page 87: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    Upload the tar file for the new image to the switch. Step 10: exit. Return to global configuration mode. Step 11: tftp-server flash:config.text. Specify the Cisco IOS configuration file on the TFTP server. Step 12: tftp-server flash:imagename.tar. Specify the image name on the TFTP server. Step 13: tftp-server flash:filename.txt...
  • Page 88: Configuring The Client

    ^C warning-message ^C (Optional) Create warning messages to be displayed when you try to save the configuration file to NVRAM. Step 5: Return to privileged EXEC mode. Step 6: show boot. Verify the configuration.
  • Page 89: Manually Assigning Ip Information

    Note When your switch is configured to route with IP, it does not need to have a default gateway set. Step 6: Return to privileged EXEC mode.
  • Page 90: Checking And Saving The Running Configuration

    VLAN1
      ip address 172.20.137.50 255.255.255.0
      no ip directed-broadcast
      ip default-gateway 172.20.137.1
      !
      snmp-server community private RW
      snmp-server community public RO
      snmp-server community private@es0 RW
      snmp-server community public@es0 RO
      snmp-server chassis-id 0x12
  • Page 91: Configuring The Nvram Buffer Size

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Configuring the NVRAM Buffer Size The default NVRAM buffer size is 512 KB.
  • Page 92: Modifying The Startup Configuration

    The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the .bin extension).
  • Page 93: Specifying The Filename To Read And Write The System Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 94: Booting A Specific Software Image

    • Use number to specify a stack member. (Specify only one stack member.) • Use all to specify all stack members. Step 4 Return to privileged EXEC mode.
  • Page 95: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 96 BOOT (boot loader): A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not set, the system attempts to load and execute the... (Cisco IOS command): Specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded.
  • Page 97: Scheduling A Reload Of The Software Image

    This example shows how to reload the software on the switch on the current day at 7:30 p.m.:
      Switch# reload at 19:30
      Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
      Proceed with reload? [confirm]
  • Page 98: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 99: Configuring Cisco Ios Configuration Engine

    Note: For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html
    For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html
    • Understanding Cisco Configuration Engine Software, page 4-1
  • Page 100: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 101: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 102: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 103: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 104: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 105: Enabling The Cns Event Agent

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux: http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
    Enabling the CNS Event Agent
    You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
  • Page 106
    This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
    Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 107: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 108 ID, enter hostname (the default) to select the switch hostname as the unique ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 109 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 110: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch:
    Command...
  • Page 111: Displaying Cns Configuration

    Privileged EXEC show Commands
    • show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
    • show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
    • show cns config stats: Displays statistics about the Cisco IOS agent.
  • Page 113: Clustering Switches

    C H A P T E R Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 2975 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 114: Chapter 5 Clustering Switche

    Cluster members can belong to only one cluster at a time. A switch cluster is different from a switch stack.
    Note: A switch stack is a set of Catalyst 2975 switches connected through their stack ports.
  • Page 115: Cluster Command Switch Characteristics

    Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2975 switch, the standby cluster command switches must also be Catalyst 2975 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 116: Candidate Switch And Cluster Member Switch Characteristics

    This requirement does not apply if you have a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switch. Candidate and cluster member switches can connect through any VLAN in common with the cluster command switch.
  • Page 117: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 118
    [Figure: Discovery Through CDP Hops. Labels in the figure: Command device; VLAN 16; VLAN 62; Member devices 8, 9, 10, 11, and 12; Candidate devices 13, 14, and 15; Edge of cluster.]
  • Page 119: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Planning a Switch Cluster Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 120: Discovery Through Different Management Vlans

    Figure 5-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 2975, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each cluster command switch discovers the switches in the different...
  • Page 121: Discovery Of Newly Installed Switches

    VLANs 9 and 16. When new cluster-capable switches join the cluster:
    • One cluster-capable switch and its access port are assigned to VLAN 9.
    • The other cluster-capable switch and its access port are assigned to management VLAN 16.
  • Page 122: Hsrp And Standby Cluster Command Switches

    Note: The HSRP standby hold time interval should be greater than or equal to three times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
  • Page 123: Virtual Ip Addresses

    Catalyst 2975 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches. If your switch cluster has a Catalyst 2975 switch or switch stack, it should be the cluster command switch.
  • Page 124: Automatic Recovery Of Cluster Configuration

    Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches. You must re-add these cluster member switches to the cluster.
  • Page 125: Ip Addresses

    (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
  • Page 126: Passwords

    Switch Clusters and Switch Stacks A switch cluster can have one or more Catalyst 2975 switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
  • Page 127 These are considerations to keep in mind when you have switch stacks in switch clusters: • If the cluster command switch is not a Catalyst 2975 switch or switch stack and a new stack master is elected in a cluster member switch stack, the switch stack loses its connectivity to the switch cluster if there are no redundant connections between the switch stack and the cluster command switch.
  • Page 128: Tacacs+ And Radius

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 129: Using Snmp To Manage Switch Clusters

    If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 30, “Configuring SNMP.”
  • Page 130
    [Figure 5-7 SNMP Management for a Cluster. Labels in the figure: SNMP Manager; Command switch; Trap 1, Trap 2, Trap 3; Member 1, Member 2, Member 3.]
  • Page 131: Managing Switch Stacks

    Understanding Stacks A switch stack is a set of up to nine Catalyst 2975 switches connected through their stack ports. One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members.
  • Page 132: Stack Membership

    – Minor Version Number Incompatibility Among Switches, page 6-9
    – Incompatible Software and Member Image Upgrades, page 6-13
    – Stack Configuration Files, page 6-13
    – Additional Considerations for System-Wide Configuration on Switch Stacks, page 6-13
  • Page 133 This can create an IP address configuration conflict in your network. If you want the stacks to remain separate, change the IP address or addresses of the newly created stacks.
  • Page 134: Master Election

    If two or more switches in the stack use different software images, a switch running the noncryptographic image might be selected as the master. A switch running the cryptographic image takes 10 seconds longer to start than does the switch running the noncryptographic image. The
  • Page 135: Stack Mac Address

    10 seconds. To avoid this problem, upgrade the switch running the noncryptographic image to a software release later than Cisco IOS Release 12.2(46)EX, or manually start the master and wait at least 8 seconds before starting the new member.
  • Page 136: Member Numbers

    The switch is then re-elected as master if a re-election occurs. The new priority value takes effect immediately but does not affect the current master until the current master or the stack resets.
  • Page 137: Effects Of Adding A Provisioned Switch To A Stack

    ...not found in the provisioned configuration: The switch stack applies the default configuration to the provisioned switch and adds it to the stack. The provisioned configuration is changed to reflect the new information.
  • Page 138 The switch stack then adds to its running configuration a switch stack-member-number provision type global configuration command that matches the new switch. For configuration information, see the “Provisioning a New Member for a Stack” section on page 6-20.
  • Page 139: Effects Of Replacing A Provisioned Switch In A Stack

    Stack Software Compatibility Recommendations All stack members must run the same Cisco IOS software version to ensure compatibility in the stack protocol version among the members. Stack Protocol Version Compatibility The stack protocol version has a major version number and a minor version number (for example 1.4,...
  • Page 140: Understanding Auto-Upgrade And Auto-Advise

    EXEC command, the correct directory structure is not properly created. For more information about the info file, see the “tar File Format of Images on a Server or Cisco.com” section on page B-24. Understanding Auto-Upgrade and Auto-Advise When the software detects mismatched software and tries to upgrade the switch in version-mismatch mode, two software processes are involved: automatic upgrade and automatic advise.
  • Page 141: Auto-Upgrade And Auto-Advise Example Messages

    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Old image will be deleted after download.
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Extracting images from archive into flash on switch 1...
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:c2975-i5-mz.122-0.0.313.EX (directory)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c2975-i5-mz.122-0.0.313.EX/c2975-lanbase-mz.122-46.EX (4945851 bytes)
  • Page 142
    1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: archive download-sw /force-reload /overwrite /dest 1 flash1:c2975-lanbase-mz.122-46.EX.tar
    *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
    For information about using the archive download-sw privileged EXEC command, see the “Working with Software Images” section on page B-23.
  • Page 143: Incompatible Software And Member Image Upgrades

    Configuration Files, and Software Images.”
    Additional Considerations for System-Wide Configuration on Switch Stacks
    • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com
    • “MAC Addresses and Switch Stacks” section on page 7-21
  • Page 144: Stack Management Connectivity

    The Secure Shell (SSH) connectivity to the stack can be lost if a master running the cryptographic version fails and is replaced by a switch that is running a noncryptographic version. We recommend that a switch running the cryptographic version of the software be the master.
  • Page 145: Stack Configuration Scenarios

    Make sure that one member has a default configuration and that the other member has a saved (nondefault) configuration file. Restart both members at the same time.
  • Page 146 Use the Mode button and port LEDs on the switches to identify which switches are masters and which switches belong to each master. For information about the Mode button and the LEDs, see the hardware installation guide.
  • Page 147: Configuring The Switch Stack

    When you configure this feature, a warning message displays the consequences of your configuration. You should use this feature cautiously. Using the old master MAC address elsewhere in the domain could result in lost traffic.
  • Page 148 If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the stack uses the current master MAC address. Step 3 Return to privileged EXEC mode.
  • Page 149: Assigning Stack Member Information

    • Setting the Member Priority Value, page 6-20 (optional)
    • Provisioning a New Member for a Stack, page 6-20 (optional)
    Assigning a Member Number
    Note: This task is available only from the master.
  • Page 150: Provisioning A New Member For A Stack

    You can also set the SWITCH_PRIORITY environment variable. For more information, see the “Controlling Environment Variables” section on page 3-21.
    Provisioning a New Member for a Stack
    Note: This task is available only from the master.
  • Page 151: Changing The Stack Membership

    If you remove powered-on members but do not want to partition the stack:
    Step 1 Power off the newly created stacks.
    Step 2 Reconnect them to the original stack through their stack ports.
    Step 3 Power on the switches.
  • Page 152: Accessing The Cli Of A Specific Member

    [detail]: Display the number of frames per member that are sent to the stack ring. The detail keyword displays the number of frames per member that are sent to the stack ring, the receive queues, and the ASIC.
  • Page 153: Troubleshooting Stacks

    Reconnect the cable between Port 1 on Switch 1 and Port 2 on Switch 4 (the replacement switch). Re-enable the link between the switches. Enter the switch 1 stack port 1 enable privileged EXEC command to enable Port 1 on Switch 1. Power on Switch 4.
  • Page 154: Understanding The Show Switch Stack-Ports Summary Output

    • Yes—The port can send traffic to the link partner.
    Sync OK
    • No—The link partner does not send valid protocol messages to the stack port.
    • Yes—The link partner sends valid protocol messages to the port.
  • Page 155: Identifying Loopback Problems

    [show switch stack-ports summary output. Columns: Switch#/Port#, Stack Port Status, Neighbor, Cable Length, Link OK, Link Active, Sync OK, # Changes To LinkOK, In Loopback. Row values recoverable from the page: Absent, None, No cable, 50 cm, 50 cm, Down, None, 50 cm.]
  • Page 156: Software Loopback Example: No Connected Stack Cable

    Switch# show switch stack-ports summary
    [Columns: Switch#/Port#, Stack Port Status, Neighbor, Cable Length, Link OK, Link Active, Sync OK, # Changes To LinkOK, In Loopback. Row values recoverable from the page: 50 cm, 50 cm.]
  • Page 157: Hardware Loopback

    FF08FF00 0001DBDF 01000B00 FFFFFFFF 0CE60C10 No /No No cable
    Event type: RAC
    0000000009 FF08FF00 8603F083 55AAFFFF FFFFFFFF 0CE60C10 No /No 50 cm
    0000000009 FF08FF00 0001DC1F 02000100 FFFFFFFF 0CE60C10 No /No No cable
  • Page 158: Hardware Loop Example: Link Not Ok Event

    If you disconnect the cable from Port 2 on Switch 1, these messages appear:
    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
  • Page 159: Fixing A Bad Connection Between Stack Ports

    • The Cable Length value is 50 cm. The switch detects and correctly identifies the cable.
    • The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
  • Page 161: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco.com page under Documentation >...
  • Page 162: Understanding Network Time Protocol

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 163 If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 164: Configuring Ntp

    NTP access restrictions: No access control is specified.
    NTP packet source IP address: The source address is set by the outgoing interface.
    NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
  • Page 165: Configuring Ntp Authentication

    This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets:
    Switch(config)# ntp authenticate
    Switch(config)# ntp authentication-key 42 md5 aNiceKey
    Switch(config)# ntp trusted-key 42
  • Page 166: Configuring Ntp Associations

    This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP Version 2:
    Switch(config)# ntp server 172.16.22.44 version 2
  • Page 167: Configuring Ntp Broadcast Service

    To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command. This example shows how to configure a port to send NTP Version 2 packets:
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ntp broadcast version 2
  • Page 168: Configuring Ntp Access Restrictions

    You can control NTP access on two levels as described in these sections:
    • Creating an Access Group and Assigning a Basic IP Access List, page 7-9
    • Disabling NTP Services on a Specific Interface, page 7-10
  • Page 169 If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
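The NTP authentication example on Page 165 (ntp authenticate, ntp authentication-key 42, ntp trusted-key 42) and the access-restriction default on Pages 164 and 169 (no access control unless an access group is specified) are easy to get subtly wrong in a saved configuration: a trusted-key number that does not match the defined key, or a server line with no key, leaves the switch accepting or silently rejecting time. The script below is an added example written for this page, not Cisco's code; it audits the NTP lines of a running-config text for exactly those conditions. The function names and the two sample configurations are my own, and the configurations are constructed rather than captured from a switch.

```python
"""Audit the NTP section of an IOS running-config.

Added example for this page, not Cisco's code.  It checks what the guide's
examples put together by hand: "ntp authenticate", a defined
"ntp authentication-key", the matching "ntp trusted-key", a "key" on each
"ntp server" line, and whether any "ntp access-group" restricts access
(the guide's default is no access control at all).  Function names and the
sample configs are the example author's; the configs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample that follows the guide's example (key 42, server 172.16.22.44).
GOOD_CONFIG = """\
ntp authenticate
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp server 172.16.22.44 key 42 version 2
ntp access-group peer 10
ntp access-group serve-only 20
"""

# Constructed sample that looks authenticated at a glance but is not:
# no "ntp authenticate", the trusted key number does not match the defined
# key, the server line carries no key, and no access group is configured.
WEAK_CONFIG = """\
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 7
ntp server 172.16.22.44 version 2
"""


@dataclass
class NtpConfig:
    authenticate: bool = False
    keys: dict = field(default_factory=dict)           # key number -> digest (md5)
    trusted: set = field(default_factory=set)          # key numbers marked trusted
    servers: list = field(default_factory=list)        # (address, key number or None)
    access_groups: dict = field(default_factory=dict)  # access type -> ACL number


def parse_ntp(config: str) -> NtpConfig:
    """Collect the ntp lines of a running-config into an NtpConfig."""
    cfg = NtpConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            cfg.authenticate = True
            continue
        m = re.match(r"ntp authentication-key (\d+) (\S+) \S+", line)
        if m:
            cfg.keys[int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"ntp trusted-key (\d+)", line)
        if m:
            cfg.trusted.add(int(m.group(1)))
            continue
        # "ntp peer" is accepted as well as "ntp server"; the guide shows only "ntp server".
        m = re.match(r"ntp (?:server|peer) (\S+)(.*)$", line)
        if m:
            key = re.search(r"\bkey (\d+)", m.group(2))
            cfg.servers.append((m.group(1), int(key.group(1)) if key else None))
            continue
        m = re.match(r"ntp access-group (peer|serve|serve-only|query-only) (\S+)", line)
        if m:
            cfg.access_groups[m.group(1)] = m.group(2)
    return cfg


def audit_ntp(config: str) -> list[str]:
    """Return one finding per weakness; an empty list means the NTP config is sound."""
    cfg = parse_ntp(config)
    findings = []
    if not cfg.authenticate:
        findings.append("ntp authenticate not configured: time from any configured source is accepted unauthenticated")
    for k in sorted(cfg.trusted - set(cfg.keys)):
        findings.append(f"ntp trusted-key {k} has no matching ntp authentication-key")
    for k in sorted(set(cfg.keys) - cfg.trusted):
        findings.append(f"ntp authentication-key {k} is defined but not trusted, so it cannot authenticate a source")
    for addr, key in cfg.servers:
        if key is None:
            findings.append(f"ntp server {addr} has no key: it is not authenticated")
        elif key not in cfg.trusted:
            findings.append(f"ntp server {addr} uses key {key}, which is not a trusted key")
    if not cfg.access_groups:
        findings.append("no ntp access-group configured: all access types are granted to all devices (default)")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_CONFIG", GOOD_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(f"{name}: {audit_ntp(text) or ['no findings']}")
```

Run it against the output of show running-config saved to a file; GOOD_CONFIG produces no findings, WEAK_CONFIG produces five. The per-server key check matters because, once ntp authenticate is enabled, a server line without a key is not rejected by the parser but will never be trusted as a time source.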
  • Page 170: Configuring The Source Ip Address For Ntp Packets

    Specify the interface type and number from which the IP source address is taken. By default, the source address is set by the outgoing interface. Step 3 Return to privileged EXEC mode.
  • Page 171: Configuring Time And Date Manually

    [detail]
    • show ntp status
    Note: For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 172: Displaying The Time And Date Configuration

    The default is UTC.
    • For hours-offset, enter the hours offset from UTC.
    • (Optional) For minutes-offset, enter the minutes offset from UTC.
    Step 3 Return to privileged EXEC mode.
  • Page 173: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 174: Configuring A System Name And Prompt

    9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
  • Page 175: Default System Name And Prompt Configuration

    Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
  • Page 176: Default Dns Configuration

    If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
  • Page 177: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 178: Configuring A Message-Of-The-Day Login Banner

    This example shows the banner that appears from the previous configuration:
    Unix> telnet 172.2.5.4
    Trying 172.2.5.4...
    Connected to 172.2.5.4.
    Escape character is '^]'.
    This is a secure site.
    Only authorized users are allowed.
    For access, contact technical support.
    User Access Verification
    Password:
  • Page 179: Configuring A Login Banner

    The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).
    Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 180: Building The Address Table

    Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
  • Page 181: Mac Addresses And Switch Stacks

    Verify your entries.
    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To return to the default value, use the no mac address-table aging-time global configuration command.
  • Page 182: Removing Dynamic Address Entries

    Step 3 snmp-server enable traps mac-notification change: Enable the switch to send MAC address change notification traps to the NMS.
    Step 4 mac address-table notification change: Enable the MAC address change notification feature.
  • Page 183
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# snmp trap mac-notification change added
    You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.
  • Page 184: Configuring Mac Address Move Notification Traps

    NMS, enable the MAC address move notification feature, and enable traps when a MAC address moves from one port to another.
    Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
    Switch(config)# snmp-server enable traps mac-notification move
    Switch(config)# mac address-table notification mac-move
  • Page 185: Configuring Mac Threshold Notification Traps

    • (Optional) For interval time, specify the time between notifications; valid values are greater than or equal to 120 seconds. The default is 120 seconds.
    Step 6 Return to privileged EXEC mode.
  • Page 186: Adding And Removing Static Address Entries

    You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
  • Page 187: Configuring Unicast Mac Address Filtering

    % Only unicast addresses can be configured to be dropped
    % CPU destined address cannot be configured as drop address
    • Packets that are forwarded to the CPU are also not supported.
  • Page 188: Disabling Mac Address Learning On A Vlan

    MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.
  • Page 189
    Switch(config)# no mac address-table learning vlan 200
    You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac address-table learning [vlan vlan-id] privileged EXEC command.
  • Page 190: Displaying Address Table Entries

    ARP entries added manually to the table do not age and must be manually removed.
    Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline.
  • Page 191: Configuring Sdm Templates

    C H A P T E R Configuring SDM Templates The Catalyst 2975 switch command reference has command syntax and usage information. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Understanding the SDM Templates, page 8-1 •...
  • Page 192: Sdm Templates And Switch Stacks

    2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH) 2d23h:%SDM-6-MISMATCH_ADVISE: 2d23h:%SDM-6-MISMATCH_ADVISE: 2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM 2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and 2d23h:%SDM-6-MISMATCH_ADVISE:will not function unless the stack is 2d23h:%SDM-6-MISMATCH_ADVISE:downgraded. Issuing the following commands Catalyst 2975 Switch Software Configuration Guide OL-19720-02...
  • Page 193: Configuring The Switch Sdm Template

    If you try to configure IPv6 features without first selecting a dual IPv4 and IPv6 template, a warning message appears. Using the dual stack templates results in less TCAM capacity allowed for each resource, so do not • use it if you plan to forward only IPv4 traffic. Catalyst 2975 Switch Software Configuration Guide OL-19720-02...
  • Page 194: Setting The Sdm Template

    8 routed interfaces and 255 VLANs. number of unicast mac addresses: number of IPv4 IGMP groups + multicast routes: 0.25K number of IPv4 unicast routes: 4.25K number of directly-connected IPv4 hosts: number of indirect IPv4 routes: 0.25K Catalyst 2975 Switch Software Configuration Guide OL-19720-02...
  • Page 195 Chapter 8 Configuring SDM Templates .Displaying the SDM Templates number of IPv4 policy based routing aces: number of IPv4/MAC qos aces: 0.125k number of IPv4/MAC security aces: 0.375k Catalyst 2975 Switch Software Configuration Guide OL-19720-02...
  • Page 197: Chapter 9 Configuring Switch-Based Authentication

    Chapter 9 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 9-1 ...
  • Page 198 Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 199: Default Password And Privilege Level Configuration

    To remove the password, use the no enable password global configuration command. This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access): Switch(config)# enable password l1u2c3k4y5
  • Page 200: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 201: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 202: Setting A Telnet Password For A Terminal Line

    (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command. This example shows how to set the Telnet password to let45me67in89: Switch(config)# line vty 10 Switch(config-line)# password let45me67in89
  • Page 203: Configuring Username And Password Pairs

    To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Page 204: Configuring Multiple Privilege Levels

    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 205: Changing The Default Privilege Level For Lines

    You might specify a high privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command.
  • Page 206: Logging Into And Exiting A Privilege Level

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 207 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
  • Page 208: Tacacs+ Operation

    • Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
    • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Page 209: Configuring Tacacs

    You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
  • Page 210: Configuring Tacacs+ Login Authentication

    You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to...
  • Page 211 Step 4 line [console | tty | vty] line-number [ending-line-number] Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
  • Page 212: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 213: Starting Tacacs+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 214: Establishing A Session With A Router If The Aaa Server Is Unreachable

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
  • Page 215 • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 216: Radius Operation

    RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests: • Session reauthentication ...
  • Page 217: Change-Of-Authorization Requests

    This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for these attributes: Security and Password—See the...
  • Page 218 • Acct-Session-Id (IETF attribute 44) Unless all session identification attributes included in the CoA message match the session, the switch returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.
  • Page 219 • Session Termination • CoA Disconnect-Request • CoA Request: Disable Host Port • CoA Request: Bounce-Port Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.
  • Page 220 To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco vendor-specific attribute (VSA) in this form: Cisco:Avpair="subscriber:command=reauthenticate" and one or more session identification attributes. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an Extensible Authentication Protocol...
  • Page 221 To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
  • Page 222: Stacking Guidelines For Session Termination

    (which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
  • Page 223: Configuring Radius

    RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
  • Page 224: Identifying The Radius Server Host

    “Configuring Settings for All RADIUS Servers” section on page 9-36. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 9-32.
  • Page 225 This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
    Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
    Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
  • Page 226: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 227 For list-name, specify the list created with the aaa authentication login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 228: Defining Aaa Server Groups

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 229 RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 230: Configuring Radius Authorization For User Privileged Access And Network Services

    Use the local database if authentication was not performed by using RADIUS. Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
  • Page 231: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 232: Establishing A Session With A Router If The Aaa Server Is Unreachable

    The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:...
  • Page 233 Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 234: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 235: Configuring Coa On The Switch

    (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command.
  • Page 236: Monitoring And Troubleshooting Coa Functionality

    Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
  • Page 237: Configuring The Switch For Secure Shell

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 238: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 239: Limitations

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: 1. Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. 2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 240: Configuring The Ssh Server

    If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
  • Page 241: Displaying The Ssh Configuration And Status

    Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html
  • Page 242: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 243 For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 244: Ciphersuites

    • Configuring the Secure HTTP Server, page 9-50 • Configuring the Secure HTTP Client, page 9-51 Default SSL Configuration The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
  • Page 245: Ssl Configuration Guidelines

    RSA key pair. Step 13 Return to privileged EXEC mode. Step 14 show crypto ca trustpoints Verify the configuration. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 246: Configuring The Secure Http Server

    Step 10 ip http max-connections value (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
  • Page 247: Configuring The Secure Http Client

    [rc4-128-sha] [des-cbc-sha]} ... HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default.
  • Page 248: Displaying Secure Http Server And Client Status

    • Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair. Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
  • Page 249: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 251: Understanding Ieee 802.1X Port-Based Authentication

    Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The Catalyst 2975 switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.
  • Page 252: Device Roles

    • Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute, page 10-31 • Common Session ID, page 10-32 Device Roles Device roles with 802.1x port-based authentication: Figure 10-1 802.1x Device Roles (figure: authentication server (RADIUS); workstations (clients))
  • Page 253: Authentication Process

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 254 The switch re-authenticates a client when one of these situations occurs: • Periodic re-authentication is enabled, and the re-authentication timer expires. You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.
  • Page 255: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 256 MAC authentication bypass. Figure 10-4 Message Exchange During MAC Authentication Bypass (figure: client, switch, authentication server (RADIUS); EAPOL Request/Identity sent three times, Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept)
  • Page 257: Authentication Manager

    In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
  • Page 258: Per-User Acls And Filter-Ids

    ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running the Cisco IOS release.
  • Page 259: Authentication Manager Cli Commands

    Enable periodic re-authentication of the client. authentication port-control {auto | force-authorized | force-unauthorized} / dot1x port-control {auto | force-authorized | force-unauthorized} Enable manual control of the authorization state of the port.
  • Page 260: Ports In Authorized And Unauthorized States

    Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication.
  • Page 261: 802.1X Authentication And Switch Stacks

    For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
  • Page 262: Host Mode

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 263: 802.1X Multiple Authentication Mode

    • Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is blocked.
  • Page 264: Mac Move

    MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.) Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along with port security.
  • Page 265: Mac Replace

    “Enabling MAC Move” section on page 10-48. MAC Replace Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
  • Page 266: 802.1X Accounting Attribute-Value Pairs

    DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html...
  • Page 267: 802.1X Readiness Check

    • If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the port is fully authorized with these exceptions:...
  • Page 268: 802.1X Authentication With Downloadable Acls And Redirect Urls

    ACL only to the phone as part of the authorization policies. Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.
  • Page 269 Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass. The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static ACL on a port in closed authentication mode: An auth-default-ACL is created.
  • Page 270: Cisco Secure Acs And Attribute-Value Pairs For The Redirect Url

    ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
  • Page 271: 802.1X Authentication With Guest Vlan

    Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new Note hosts and only authenticates based on the MAC address.) For configuration information, see the “Configuring VLAN ID-based MAC Authentication”...
  • Page 272: 802.1X Authentication With Restricted Vlan

    Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 10-51. Catalyst 2975 Switch Software Configuration Guide 10-22 OL-19720-02...
  • Page 273: 802.1X Authentication With Inaccessible Authentication Bypass

    RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state are automatically re-authenticated. For more information, see the command reference for this release and the “Configuring the Inaccessible Authentication Bypass Feature” section on page 10-53. Catalyst 2975 Switch Software Configuration Guide 10-23 OL-19720-02...
  • Page 274: Feature Interactions

    PVID to carry the data traffic to and from the workstation connected to the switch through the IP • phone. The PVID is the native VLAN of the port. Catalyst 2975 Switch Software Configuration Guide 10-24 OL-19720-02...
  • Page 275: 802.1X Authentication With Port Security

    If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 14, “Configuring Voice VLAN.”...
  • Page 276: 802.1X Authentication With Wake-On-Lan

    802.1x ports connected to devices such as printers. If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass. Catalyst 2975 Switch Software Configuration Guide 10-26 OL-19720-02...
  • Page 277 For more configuration information, see the “Authentication Manager” section on page 10-7. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9. Catalyst 2975 Switch Software Configuration Guide...
  • Page 278: 802.1X User Distribution

    VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared. For more information, see the “Configuring 802.1x User Distribution” section on page 10-58. Catalyst 2975 Switch Software Configuration Guide 10-28 OL-19720-02...
  • Page 279: Network Admission Control Layer 2 802.1X Validation

    Single-host mode with open authentication–Only one user is allowed network access before and • after authentication. MDA mode with open authentication–Only one user in the voice domain and one user in the data • domain are allowed. Catalyst 2975 Switch Software Configuration Guide 10-29 OL-19720-02...
  • Page 280: Using Voice Aware 802.1X Security

    Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing • user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
  • Page 281: Guidelines

    If the session is over, authentication fails, or a link fails, the port becomes unauthorized, and the switch removes the ACL from the port. Catalyst 2975 Switch Software Configuration Guide 10-31 OL-19720-02...
  • Page 282: Common Session Id

    These sections contain this configuration information: • Default 802.1x Authentication Configuration, page 10-33 • 802.1x Authentication Configuration Guidelines, page 10-35 • Configuring 802.1x Readiness Check, page 10-37 (optional) Configuring Voice Aware 802.1x Security, page 10-38 (optional) • Catalyst 2975 Switch Software Configuration Guide 10-32 OL-19720-02...
  • Page 283: Default 802.1X Authentication Configuration

    Default 802.1x Authentication Configuration Feature Default Setting Switch 802.1x enable state Disabled. Per-port 802.1x enable state Disabled (force-authorized). The port sends and receives normal traffic without 802.1x-based authentication of the client. Disabled. Catalyst 2975 Switch Software Configuration Guide 10-33 OL-19720-02...
  • Page 284
    Inactivity timeout: Disabled.
    Guest VLAN: None specified.
    Inaccessible authentication bypass: Disabled.
    Restricted VLAN: None specified.
    Authenticator (switch) mode: None specified.
    MAC authentication bypass: Disabled.
    Voice-aware security: Disabled.
  • Page 285: 802.1X Authentication Configuration Guidelines

    EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
    • Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. See the “Authentication Manager CLI Commands” section on page 10-9.
  • Page 286: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    are inactive. The range is 1 to 65535 seconds. You must enable port security before configuring a timeout value. For more information, see the “Configuring Port Security” section on page 23-9.
  • Page 287: Maximum Number Of Allowed Devices Per Port

    • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
    • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
  • Page 288: Configuring Voice Aware 802.1X Security

    Note If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down.
    Step 3 errdisable recovery cause security-violation – (Optional) Enable automatic per-VLAN error recovery.
  • Page 289: Configuring 802.1X Violation Modes

    For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.
    Note Though other keywords are visible in the command-line help string, only the group radius keywords are supported.
  • Page 290: Configuring 802.1X Authentication

    Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
    Step 7 The user disconnects from the port.
    Step 8 The switch sends a stop message to the accounting server.
  • Page 291: Configuring The Switch-To-Radius-Server Communication

    The RADIUS host entries are tried in the order in which they were configured.
  • Page 292
    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 293: Configuring The Host Mode

    802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port.
  • Page 294: Configuring Periodic Re-Authentication

    • Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). This command affects the behavior of the switch only if periodic re-authentication is enabled.
  • Page 295: Manually Re-Authenticating A Client Connected To A Port

    Set the number of seconds that the switch remains in the quiet state after a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60. Step 4 Return to privileged EXEC mode.
  • Page 296: Changing The Switch-To-Client Retransmission Time

    This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request:
    Switch(config-if)# dot1x timeout tx-period 60
  • Page 297: Setting The Switch-To-Client Frame-Retransmission Number

    Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 298: Enabling Mac Move

    This example shows how to globally enable MAC move on a switch:
    Switch(config)# authentication mac-move permit
    Enabling MAC Replace
    MAC replace allows a host to replace an authenticated host on a port.
  • Page 299: Configuring 802.1X Accounting

    To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
  • Page 300: Configuring A Guest Vlan

    “802.1x Authentication Configuration Guidelines” section on page 10-35.
    Step 3 switchport mode access – Set the port to access mode.
    Step 4 authentication port-control auto or dot1x port-control auto – Enable 802.1x authentication on the port.
  • Page 301: Configuring A Restricted Vlan

    “802.1x Authentication Configuration Guidelines” section on page 10-35.
    Step 3 switchport mode access – Set the port to access mode.
    Step 4 authentication port-control auto or dot1x port-control auto – Enable 802.1x authentication on the port.
  • Page 302
    Step 7 Return to privileged EXEC mode.
    Step 8 show authentication interface interface-id or show dot1x interface interface-id – (Optional) Verify your entries.
    Step 9 copy running-config startup-config – (Optional) Save your entries in the configuration file.
  • Page 303: Configuring The Inaccessible Authentication Bypass Feature

    (Optional) Set the number of minutes that a RADIUS server is not sent requests. The minutes range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
  • Page 304
    [authorize | reinitialize] vlan vlan-id
    • authorize–Move any new hosts trying to authenticate to the user-specified critical VLAN.
    • reinitialize–Move all authorized hosts on the port to the user-specified critical VLAN.
  • Page 305
    Switch(config)# dot1x critical eapol
    Switch(config)# dot1x critical recovery delay 2000
    Switch(config)# radius-server deadtime 60
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# dot1x critical
    Switch(config-if)# dot1x critical recovery action reinitialize
    Switch(config-if)# dot1x critical vlan 20
    Switch(config-if)# end
  • Page 306: Configuring 802.1X Authentication With Wol

    To disable 802.1x authentication with WoL, use the no authentication control-direction or no dot1x control-direction interface configuration command. These examples show how to enable 802.1x authentication with WoL and set the port as bidirectional:
    Switch(config-if)# authentication control-direction both
    Switch(config-if)# dot1x control-direction both
  • Page 307: Configuring Mac Authentication Bypass

    (Optional) Save your entries in the configuration file. To disable MAC authentication bypass, use the no dot1x mac-auth-bypass interface configuration command. This example shows how to enable MAC authentication bypass:
    Switch(config-if)# dot1x mac-auth-bypass
  • Page 308: Configuring 802.1X User Distribution

    This example shows how to clear all the VLAN groups:
    switch(config)# no vlan group end-dept vlan-list all
    switch(config)# show vlan-group all
    For more information about these commands, see the Cisco IOS Security Command Reference.
  • Page 309: Configuring Nac Layer 2 802.1X Validation

    (Optional) Save your entries in the configuration file. This example shows how to configure NAC Layer 2 802.1x validation:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# dot1x reauthentication
    Switch(config-if)# dot1x timeout reauth-period server
  • Page 310: Configuring An Authenticator And A Supplicant Switch With Neat

    10-30.
    Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated.
    Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 311: Configuring Neat With Auto Smartports Macros

    Note You must configure a downloadable ACL on the ACS before downloading it to the switch.
    After authentication on the port, you can use the show ip access-list privileged EXEC command to display the downloaded ACLs on the port.
  • Page 312: Configuring Downloadable Acls

    0.0.0.0. (Optional) Applies the source-wildcard wildcard bits to the source. (Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console.
  • Page 313
    Switch(config)# aaa authorization network default group radius
    Switch(config)# ip device tracking
    Switch(config)# ip access-list extended default_acl
    Switch(config-ext-nacl)# permit ip any any
    Switch(config-ext-nacl)# exit
    Switch(config)# radius-server vsa send authentication
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# ip access-group default_acl in
    Switch(config-if)# exit
  • Page 314: Configuring Vlan Id-Based Mac Authentication

    There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
  • Page 315: Configuring Open1X

    Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional. (Command – Purpose)
    Step 1 configure terminal – Enter global configuration mode.
    Step 2 interface interface-id – Specify the port to be configured, and enter interface configuration mode.
  • Page 316: Resetting The 802.1X Authentication Configuration To The Default Values

    Step 4 Return to privileged EXEC mode.
    Step 5 show authentication interface interface-id or show dot1x interface interface-id – Verify your entries.
    Step 6 copy running-config startup-config – (Optional) Save your entries in the configuration file.
  • Page 317: Displaying 802.1X Statistics And Status

    EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
  • Page 319: Understanding Web-Based Authentication

    These sections describe the role of web-based authentication as part of AAA:
    • Device Roles, page 11-2
    • Host Detection, page 11-2
    • Session Creation, page 11-3
    • Authentication Process, page 11-3
  • Page 320: Understanding Web-Based Authentication

    • ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
    • Dynamic ARP inspection
    • DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
  • Page 321: Session Creation

    • If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
    • If the terminate action is default, the session is dismantled, and the applied policy is removed.
  • Page 322: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
  • Page 323
    Figure 11-4.
    Figure 11-4 Login Screen With No Banner
    For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
  • Page 324: Guidelines

    • You must include an HTML redirect command in the success page to access a specific URL.
    • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 325: Port Security

    You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 23-9.
  • Page 326: Lan Port Ip

    ACLs
    If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 327: Default Web-Based Authentication Configuration

    • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
    • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
  • Page 328: Web-Based Authentication Configuration Task List

    This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
    Switch(config)# ip admission name webauth1 proxy http
    Switch(config)# interface fastethernet 5/1
    Switch(config-if)# ip admission webauth1
    Switch(config-if)# exit
    Switch(config)# ip device tracking
  • Page 329: Configuring Aaa Authentication

    Switch(config)# aaa authorization auth-proxy default group tacacs+
    Configuring Switch-to-RADIUS-Server Communication
    RADIUS security servers identification:
    • Host name
    • Host IP address
    • Host name and specific UDP port numbers
    • IP address and specific UDP port numbers
  • Page 330 For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html...
  • Page 331: Configuring The Http Server

    The device: is flash memory.
    Step 2 ip admission proxy http success page file device:success-filename – Specify the location of the custom HTML file to use in place of the default login success page.
  • Page 332
    Authentication global absolute time is 0 minutes
    Authentication global init state time is 2 minutes
    Authentication Proxy Session ratelimit is 100
    Authentication Proxy Watch-list is disabled
    Authentication Proxy Auditing is disabled
    Max Login attempts per user is 5
  • Page 333: Configuring An Aaa Fail Policy

    To remove the specification of a redirection URL, use the no form of the command.
    This example shows how to configure a redirection URL for successful login:
    Switch(config)# ip admission proxy http success redirect www.cisco.com
    This example shows how to verify the redirection URL for successful login:
    Switch# show ip admission configuration...
  • Page 334: Configuring The Web-Based Authentication Parameters

    (Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or a file-path that indicates a file (for example, a logo or text file) that appears in the banner.
  • Page 335: Removing Web-Based Authentication Cache Entries

    This example shows how to view only the global web-based authentication status:
    Switch# show authentication sessions
    This example shows how to view the web-based authentication settings for gigabit interface 3/27:
    Switch# show authentication sessions interface gigabitethernet 3/27
  • Page 337: Understanding Interface Types

    Chapter 12 Configuring Interface Characteristics
    This chapter defines the types of Catalyst 2975 interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 338: Port-Based Vlans

    VLAN assigned to the port. If an access port receives an 802.1Q tagged packet, the packet is dropped, and the source address is not learned.
  • Page 339: Trunk Ports

    Catalyst 6500 series switch. The Catalyst 2975 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, “Configuring Voice VLAN.”...
  • Page 340: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. The DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP) operate only on physical ports.
  • Page 341: Supported Protocols And Standards

    CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
  • Page 342 After power is applied to the port, the switch uses CDP to determine the actual power consumption requirement of the connected Cisco powered devices, and the switch adjusts the power budget accordingly. This does not apply to third-party PoE devices. The switch processes a request and either grants or denies power.
  • Page 343: Power Management Modes

    PoE-capable port, making the port a data-only port. For information on configuring a PoE port, see the “Configuring a Power Management Mode on a PoE Port” section on page 12-23.
  • Page 344: Power Monitoring And Power Policing

    The switch also uses the power policing feature to police the power usage. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
  • Page 345 PoE ports. Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.
  • Page 346: Connecting Interfaces

    (Figure 12-2).
    Figure 12-2 Connecting VLANs with a Layer 3 Switch [figure: Layer 3 switch with routing enabled; SVI 1 (172.20.128.1) and SVI 2 (172.20.129.1); Host A in VLAN 20, Host B in VLAN 30]
  • Page 347: Using Interface Configuration Mode

    1 with 48 10/100/1000 ports, enter this command:
    Switch(config)# interface gigabitethernet1/0/49
    Note Configuration examples and outputs in this book might not be specific to your switch, particularly regarding the presence of a stack member number.
  • Page 348: Procedures For Configuring Interfaces

    You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 349
    • All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can enter multiple ranges in a command.
  • Page 350: Configuring And Using Interface Range Macros

    Show the defined interface range macro configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no define interface-range macro_name global configuration command to delete a macro.
  • Page 351
    Switch(config)# define interface-range macro1 gigabitethernet1/0/1 - 2, gigabitethernet1/0/1 - 2
    Switch(config)# end
    This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:
    Switch# configure terminal
    Switch(config)# interface range macro enet_list
    Switch(config-if-range)#
  • Page 352: Default Ethernet Interface Configuration

    Duplex mode: Autonegotiate.
    Flow control: Flow control is set to receive: off. It is always off for sent packets.
    EtherChannel (PAgP): Disabled on all Ethernet ports. Chapter 37, “Configuring EtherChannels and Link-State Tracking.”
  • Page 353: Setting The Type Of A Dual-Purpose Uplink Port

    Enabled.
    Note The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 354 SFP module interface. In all other situations, the switch selects the active link based on which type first links up. Catalyst 2975 Switch Software Configuration Guide 12-18 OL-19720-02...
  • Page 355: Configuring Interface Speed And Duplex Mode

    For information about which SFP modules are supported on your switch, see the product release notes.
    • If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation.
  • Page 356: Setting The Interface Speed And Duplex Parameters

    Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
    Switch# configure terminal
  • Page 357: Configuring Ieee 802.3X Flow Control

    To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# flowcontrol receive on
    Switch(config-if)# end
  • Page 358: Configuring Auto-Mdix On An Interface

    To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# speed auto
    Switch(config-if)# duplex auto
  • Page 359: Configuring A Power Management Mode On A Poe Port

    (15400 milliwatts).
    • never—Disable device detection, and disable power to the port.
    Note If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state.
  • Page 360: Budgeting Power For Devices Connected To A Poe Port

    (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly. The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
  • Page 361 Display the power consumption status. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no power inline consumption interface configuration command. Catalyst 2975 Switch Software Configuration Guide 12-25 OL-19720-02...
  • Page 362: Configuring Power Policing

    Step 7 show power inline police or show errdisable recovery – Display the power monitoring status, and verify the error recovery settings.
    Step 8 copy running-config startup-config – (Optional) Save your entries in the configuration file.
  • Page 363: Adding A Description For An Interface

    When you create an SVI, it does not become active until you associate it with a physical port. For information about assigning Layer 2 ports to VLANs, see Chapter 13, “Configuring VLANs.”
  • Page 364: Configuring The System Mtu

    Although frames that are forwarded are typically not received by the CPU, in some cases, packets are sent to the CPU, such as traffic sent to control traffic, SNMP, or Telnet.
  • Page 365: Monitoring And Maintaining The Interfaces

    These sections contain interface monitoring and maintenance information:
    • Monitoring Interface Status, page 12-30
    • Clearing and Resetting Interfaces and Counters, page 12-30
    • Shutting Down and Restarting the Interface, page 12-31
  • Page 366: Monitoring Interface Status

    ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 367: Shutting Down And Restarting The Interface

    {vlan vlan-id} | {{fastethernet | gigabitethernet} interface-id} | {port-channel port-channel-number} – Select the interface to be configured.
    Step 3 shutdown – Shut down an interface.
    Step 4 Return to privileged EXEC mode.
    Step 5 show running-config – Verify your entry.
  • Page 369: Configuring Vlans

    This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2975 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 370: Chapter 13 Configuring Vlan

    VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
  • Page 371: Vlan Port Membership Modes

    VTP domain name. To participate in VTP, at least one trunk port on the switch stack must be connected to a ...
    Catalyst 6500 series switch, for example, but never a Catalyst 2975 switch. The Catalyst 2975 switch is a VMPS client.
  • Page 372: Configuring Normal-Range Vlans

    This section does not provide configuration details for most of these parameters.
    Note For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
  • Page 373: Token Ring Vlans

    VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning-tree. If you have the default allowed list on the trunk ports of that switch (which
  • Page 374: Configuring Normal-Range Vlans

    • the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
    Default Ethernet VLAN Configuration
    Table 13-2 shows the default configuration for Ethernet VLANs.
  • Page 375: Creating Or Modifying An Ethernet Vlan

    1006, but they are not added to the VLAN database. See the “Configuring Extended-Range VLANs” section on page 13-10. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 13-4.
  • Page 376: Deleting A Vlan

    Token Ring VLANs 1002 to 1005.
    Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
  • Page 377: Assigning Static-Access Ports To A Vlan

    This example shows how to configure a port as an access port in VLAN 2:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet2/0/1
  • Page 378: Configuring Extended-Range Vlans

    VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
  • Page 379: Creating An Extended-Range Vlan

    VLANs. Step 5 remote-span (Optional) Configure the VLAN as the RSPAN VLAN. See the “Configuring a VLAN as an RSPAN VLAN” section on page 27-18. Step 6 Return to privileged EXEC mode.
  • Page 380: Displaying Vlans

    Display parameters for all VLANs or the specified VLAN on the switch. For more details about the show command options and explanations of output fields, see the command reference for this release.
  • Page 381: Configuring Vlan Trunks

    desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
  • Page 382: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 383: Configuring An Ethernet Interface As A Trunk Port

    IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
  • Page 384: Configuring A Trunk Port

    This example shows how to configure a port as an IEEE 802.1Q trunk. The example assumes that the neighbor interface is configured to support IEEE 802.1Q trunking.
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode dynamic desirable
    Switch(config-if)# end
  • Page 385: Defining The Allowed Vlans On A Trunk

    Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 386: Changing The Pruning-Eligible List

    Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 387: Configuring The Native Vlan For Untagged Traffic

    STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 16, “Configuring STP.”
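    The DTP and native-VLAN settings in the trunk pages above (dynamic desirable on the example trunk, VLAN 1 as the default native VLAN, the VLAN 1 minimization note) are the ones a reviewer checks before a port faces users. The following Python audit is an added example, not code from this guide or from Cisco: it parses the interface stanzas of a constructed running-config written in the guide's syntax and flags ports that can be negotiated into a trunk, trunks that still speak DTP (switchport nonegotiate is a real IOS interface command not shown on these pages), trunks whose native VLAN is 1 or is also some access port's VLAN, and VLAN 1 left in the allowed list. The sample interfaces and the default-mode assumption (no switchport mode line means dynamic auto) are assumptions of this example.

```python
"""Audit Catalyst running-config interface stanzas for the trunk settings
discussed in the guide: DTP negotiation, native VLAN, VLAN 1 on trunks.
Added example, not code from the guide; it runs on a constructed config."""
import re

# Constructed sample in the guide's Catalyst 2975 syntax.  Gi1/0/2 is the
# guide's 'dynamic desirable' example, Gi1/0/3 a hardened trunk, Gi2/0/1 the
# guide's VLAN 2 access port, Gi2/0/2 a port with no switchport mode at all.
SAMPLE_CONFIG = """\
hostname Switch
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet2/0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet2/0/2
 description unconfigured user port
!
"""

ALL_VLANS = frozenset(range(1, 4095))
ALLOWED_RE = re.compile(
    r"switchport trunk allowed vlan(?: (add|remove|except|all|none))?(?: (\S+))?$")


def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for every 'interface' block."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:                       # '!' or a global command ends the stanza
            current = None
    return stanzas


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-30' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def allowed_vlans(lines):
    """Replay 'switchport trunk allowed vlan ...' lines; default is all VLANs."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        keyword, spec = m.groups()
        if keyword == "all":
            allowed = set(ALL_VLANS)
        elif keyword == "none":
            allowed = set()
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        elif keyword == "add":
            allowed |= parse_vlan_list(spec)
        elif keyword == "remove":
            allowed -= parse_vlan_list(spec)
        else:
            allowed = parse_vlan_list(spec)
    return allowed


def _value(lines, prefix, default):
    """Remainder of the first stanza line starting with prefix, or default."""
    return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)


def audit_config(config):
    """Return (interface, severity, message) findings for the whole config."""
    findings, access_vlans, trunk_native = [], {}, {}
    for name, lines in parse_interfaces(config).items():
        # Assumption: no 'switchport mode' line means the default, dynamic auto.
        mode = _value(lines, "switchport mode ", "dynamic auto")
        if mode.startswith("dynamic"):
            findings.append((name, "high", f"DTP negotiation on ({mode}): a device "
                             "sending DTP can turn this port into a trunk"))
        if mode == "trunk":
            native = int(_value(lines, "switchport trunk native vlan ", "1"))
            trunk_native[name] = native
            if "switchport nonegotiate" not in lines:
                findings.append((name, "medium", "trunk still sends DTP; add "
                                 "'switchport nonegotiate'"))
            if native == 1:
                findings.append((name, "medium", "native VLAN left at default 1"))
            if 1 in allowed_vlans(lines):
                findings.append((name, "low", "VLAN 1 carried on trunk; remove it "
                                 "from the allowed list (VLAN 1 minimization)"))
        else:
            vlan = int(_value(lines, "switchport access vlan ", "1"))
            access_vlans[name] = vlan
            if vlan == 1:
                findings.append((name, "low", "user port left in default VLAN 1"))
    # Double tagging needs an access port whose VLAN equals a trunk's native VLAN.
    for trunk, native in trunk_native.items():
        for port, vlan in access_vlans.items():
            if vlan == native:
                findings.append((trunk, "high", f"native VLAN {native} is also the access "
                                 f"VLAN of {port}: double-tagged frames can hop VLANs"))
    return findings


if __name__ == "__main__":
    for iface, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"{sev:6} {iface}: {msg}")
```

    On the sample, only the hardened trunk Gi1/0/3 and the VLAN 2 access port come back clean; the guide's dynamic desirable example and the untouched port are both reported as negotiable trunks. The check is deliberately per-interface text matching, so it also works on a config pulled over SSH or from a backup rather than on the live switch.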
  • Page 388: Load Sharing Using Stp Port Priorities

    Configure a VTP administrative domain. The domain name can be 1 to 32 characters. Step 3 vtp mode server Configure Switch A as the VTP server. Step 4 Return to privileged EXEC mode.
  • Page 389: Load Sharing Using Stp Path Cost

    • VLANs 8 through 10 are assigned a path cost of 30 on Trunk port 2.
    • VLANs 2 through 4 retain the default 100BASE-T path cost of 19 on Trunk port 2.
  • Page 390 Verify your entries. In the display, verify that the path costs are set correctly for both trunk interfaces. Step 16 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 391: Configuring Vmps

    VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using Network Assistant, the CLI, or SNMP.
  • Page 392: Dynamic-Access Port Vlan Membership

    • When you configure a port as a dynamic-access port, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.
  • Page 393: Configuring The Vmps Client

    Note: You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.
  • Page 394: Configuring Dynamic-Access Ports On Vmps Clients

    Beginning in privileged EXEC mode, follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS:
    Step 1 vmps reconfirm: Reconfirm dynamic-access port VLAN membership.
    Step 2 show vmps: Verify the dynamic VLAN reconfirmation status.
  • Page 395: Changing The Reconfirmation Interval

    Verify your entry in the Server Retry Count field of the display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps retry global configuration command.
  • Page 396: Monitoring The Vmps

    • The VMPS server and the VMPS client are separate switches.
    • The Catalyst 6500 series Switch A is the primary VMPS server.
    • The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
  • Page 397 Figure (VMPS network example, continued): Switch E 172.20.26.154, Switch F 172.20.26.155, Switch G 172.20.26.156, Switch H 172.20.26.157; client Switch I 172.20.26.158 with a dynamic-access port to end station 2 and a trunk port; Catalyst 6500 series secondary VMPS Switch J (Server 3) 172.20.26.159.
  • Page 399: Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 400: Cisco Ip Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports...
  • Page 401: Cisco Ip Phone Data Traffic

    • In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the Cisco IP Phone receives a configured Layer 2 CoS value. The default Layer 2 CoS value is 0. Untrusted mode is the default.
  • Page 402 VLAN, the Port Fast feature is not automatically disabled.
    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
  • Page 403: Configuring A Port Connected To A Cisco 7960 Ip Phone

    Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the Cisco IP Phone carries voice traffic and data traffic.
  • Page 404: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 405: Displaying Voice Vlan

    This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
    Switch# configure terminal
    Enter configuration commands, one per line.
  • Page 407: Configuring Vtp

    Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2975 switches. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 408: The Vtp Domain

    VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 409: Vtp Modes

    VTP off A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
  • Page 410: Vtp Advertisements

    Because VTP version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.
  • Page 411: Vtp Version 3

    For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
  • Page 412: Vtp Pruning

    Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
  • Page 413: Vtp And Switch Stacks

    VTP database. In this case, the MAC address of the stack master is used as the primary server ID. If the master switch reloads or is powered off, a new stack master is elected.
  • Page 414: Default Vtp Configuration

    VTP information, the domain name, and the mode, and to disable or enable pruning. For more information about available keywords, see the command descriptions in the command reference for this release. The VTP information is saved in the VTP VLAN database. When
  • Page 415: Domain Names

    Caution: When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain.
  • Page 416: Vtp Version

    When you configure VTP, you must configure a trunk port on the switch stack so that the switch can send and receive VTP advertisements to and from other switches in the domain. For more information, see the “Configuring VLAN Trunks” section on page 13-13.
  • Page 417: Configuring Vtp Mode

    Caution: If all switches are operating in VTP client mode, do not configure a VTP domain name. If you do, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch as a VTP server.
  • Page 418
    Switch(config)# vtp domain eng_group
    Setting VTP domain name to eng_group.
    Switch(config)# vtp mode server
    Setting device to VTP Server mode for VLANS.
    Switch(config)# vtp password mypassword
    Setting device VLAN database password to mypassword.
    Switch(config)# end
  • Page 419: Configuring A Vtp Version 3 Password

    • (Optional) mst—Select the multiple spanning tree (MST) database as the takeover feature.
    • (Optional) force—Entering force overwrites the configuration of any conflicting servers. If you do not enter force, you are prompted for confirmation before the takeover.
  • Page 420: Enabling The Vtp Version

    Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
    • VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
    • In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
  • Page 421: Enabling Vtp Pruning

    interface-id: Verify the change to the port. Step 6 show vtp status: Verify the configuration. To disable VTP on the interface, use the no vtp interface configuration command.
    Switch(config)# interface gigabitethernet 1/0/1
    Switch(config-if)# vtp
    Switch(config-if)# end
  • Page 422: Adding A Vtp Client Switch To A Vtp Domain

    Note: You can use the vtp mode transparent global configuration command to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain.
  • Page 423: Monitoring Vtp

    Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch. show vtp status Display the VTP switch configuration information.
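    Before a switch joins a shared domain, the posture the VTP pages above describe (operating mode, domain name, domain password, configuration revision) can be read straight from show vtp status and show vtp password. The Python below is an added example, not code from this guide or from Cisco: the two command outputs are constructed and abbreviated (the field labels are assumed to match what the switch prints), the parser keys only on the labelled fields, and the join rule encodes the fact that a server or client accepts an advertisement carrying a higher configuration revision than its own and overwrites its VLAN database with it.

```python
"""VTP posture check from 'show vtp status' / 'show vtp password' text.
Added example, not code from the guide; the sample outputs are constructed."""
import re

# Constructed, abbreviated 'show vtp status' output for the guide's eng_group
# domain.  Assumption: the labels used below match the ones the switch prints.
SAMPLE_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Disabled
Device ID                       : 0019.aa11.bb22

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 8
Configuration Revision            : 17
"""
# Constructed 'show vtp password' outputs (assumed wording).
PASSWORD_UNSET = "The VTP password is not configured."
PASSWORD_SET = "VTP Password: mypassword"


def parse_status(text):
    """Map each 'Label : value' line to {normalised label: value}."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[re.sub(r"\s+", " ", label.strip().lower())] = value.strip()
    return fields


def vtp_posture(status_text, password_text):
    """Summarise mode, domain and revision and list what a rogue switch on a
    trunk could exploit.  Server and client apply received advertisements;
    transparent forwards them without applying them; off does neither."""
    fields = parse_status(status_text)
    mode = fields.get("vtp operating mode", "").lower()
    domain = fields.get("vtp domain name", "")
    revision = int(fields.get("configuration revision") or 0)
    password_set = "not configured" not in password_text.lower()
    findings = []
    if mode in ("server", "client"):
        if not domain:
            findings.append("no domain name: the switch adopts the first VTP "
                            "domain it hears on a trunk")
        if not password_set:
            findings.append("no domain password: any switch on a trunk can send an "
                            "advertisement with a higher revision and rewrite the "
                            "VLAN database of every server and client")
    return {"mode": mode, "domain": domain, "revision": revision,
            "password_set": password_set, "findings": findings}


def safe_to_join(candidate_revision, domain_revision):
    """Conservative join rule: a new switch must not be able to overwrite the
    domain, so its revision has to be 0 (reset by passing through transparent
    mode or changing the domain name) or lower than the domain's revision."""
    return candidate_revision == 0 or candidate_revision < domain_revision


if __name__ == "__main__":
    for text in (PASSWORD_UNSET, PASSWORD_SET):
        posture = vtp_posture(SAMPLE_STATUS, text)
        print(posture["mode"], posture["domain"], posture["revision"], posture["findings"])
    print("join with revision 18 into a revision-17 domain:", safe_to_join(18, 17))
```

    With the sample status and no password the server is reported as overwritable; the same status in transparent mode produces no finding, because a transparent switch keeps its own VLAN database regardless of what it forwards.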
  • Page 425 This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2975 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 426: Configuring Stp

    Note: The default is for the switch to send keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can use the [no] keepalive interface configuration command to change the default for an interface.
  • Page 427: Spanning-Tree Topology And Bpdus

    – Selects the lowest root bridge ID
    – Selects the lowest path cost to the root switch
    – Selects the lowest designated bridge ID
    – Selects the lowest designated path cost
    – Selects the lowest port ID
  • Page 428 Figure 16-1 Spanning-Tree Port States in a Switch Stack All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
  • Page 429: Bridge Id, Switch Priority, And Extended System Id

    • Forwarding—The interface forwards frames.
    • Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Page 430 In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.
  • Page 431: Blocking State

    An interface in the forwarding state performs these functions:
    • Receives and forwards frames received on the interface
    • Forwards frames switched from another interface
    • Learns addresses
    • Receives BPDUs
  • Page 432: Disabled State

    Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.
  • Page 433: Spanning Tree And Redundant Connectivity

    The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures.
  • Page 434: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 435: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 436: Spanning Tree And Switch Stacks

    • Configuring Port Priority, page 16-18 (optional)
    • Configuring Path Cost, page 16-20 (optional)
    • Configuring the Switch Priority of a VLAN, page 16-21 (optional)
    • Configuring Spanning-Tree Timers, page 16-22 (optional)
  • Page 437: Default Spanning-Tree Configuration

    VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one
  • Page 438 “Optional Spanning-Tree Configuration Guidelines” section on page 18-12. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 439: Changing The Spanning-Tree Mode

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 440: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 441 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 442: Configuring A Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 443 Note: The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
  • Page 444: Configuring Path Cost

    Step 5 Return to privileged EXEC mode. Step 6 show spanning-tree interface interface-id Verify your entries. show spanning-tree vlan vlan-id Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 445: Configuring The Switch Priority Of A Vlan

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 446: Configuring Spanning-Tree Timers

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 447: Configuring The Forwarding-Delay Time For A Vlan

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 448: Configuring The Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 449: Configuring Mstp

    Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2975 switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 450: Chapter 17 Configuring Mstp

    Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
  • Page 451: Operations Within An Mst Region

    CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 452 Figure 17-1 MST Regions, CIST Masters, and CST Root (figure): three MST regions (Region 1, Region 2, Region 3), each with its own IST master; one of the IST masters is also the CST root; a legacy IEEE 802.1D switch lies outside the regions.
  • Page 453: Ieee 802.1S Terminology

    IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches. IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 454: Hop Count

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 455: Ieee 802.1S Implementation

    IEEE 802.1s Implementation The Cisco implementation of the IEEE MST standard includes features required to meet the standard, as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard.
  • Page 456: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 457: Mstp And Switch Stacks

    The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the IEEE 802.1D spanning tree).
  • Page 458: Port Roles And The Active Topology

    (Table 17-2, port-state comparison, continued: operational status Enabled, STP state Forwarding, RSTP state Forwarding; operational status Disabled, STP state Disabled, RSTP state Discarding.) To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
  • Page 459: Rapid Convergence

    You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command.
  • Page 460: Synchronization Of Port Roles

    RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
  • Page 461: Bridge Protocol Data Unit Format And Processing

    RSTP flag fields. Table 17-3 RSTP BPDU Flags:
    • Bit 0: Topology change (TC)
    • Bit 1: Proposal
    • Bits 2–3: Port role (00 unknown, 01 alternate port, 10 root port, 11 designated port)
    • Bit 4: Learning
    • Bit 5: Forwarding
    • Bit 6: Agreement
    • Bit 7: Topology change acknowledgement (TCA)
  • Page 462: Processing Superior Bpdu Information

    IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
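    The election order in the STP chapter above (lowest root bridge ID, then root path cost, then sender bridge ID, then port ID), the bridge ID layout with the extended system ID, and the RSTP flag byte of Table 17-3 are all visible in a single RST BPDU. The Python below is an added example, not code from this guide or from Cisco: it builds three constructed BPDUs (a legitimate root at priority 24576 for VLAN 10, a downstream switch at the default 32768, and a rogue claiming priority 0), decodes the bridge IDs and flag bits, and ranks them by the tie-break order, which is exactly why a host sending a lower bridge ID on an access port takes over as root unless root guard or BPDU guard stops it. The MAC addresses are made up, and root_primary_priority encodes the priority choice documented for the spanning-tree vlan vlan-id root primary command.

```python
"""Decode and rank RST BPDUs.  Added example, not code from the guide; the
BPDUs below are constructed, not captured from a switch."""
import struct

LLC = b"\x42\x42\x03"                  # STP LLC header: DSAP, SSAP, UI control
BPDU_FMT = ">HBBB8sI8sHHHHHB"          # 36-byte RST BPDU body (IEEE 802.1w)
ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def make_bridge_id(priority, vlan, mac):
    """8-byte bridge ID with extended system ID: top 4 bits of the first two
    octets are the configured priority (multiple of 4096), the low 12 bits the
    VLAN (PVST+/rapid PVST+), followed by the bridge MAC address."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return struct.pack(">H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))


def decode_bridge_id(bid):
    field, = struct.unpack(">H", bid[:2])
    return {"priority": field & 0xF000, "sysid_ext": field & 0x0FFF,
            "mac": bid[2:].hex(":")}


def decode_flags(flags):
    """Table 17-3 layout: bit 0 TC, 1 proposal, 2-3 port role, 4 learning,
    5 forwarding, 6 agreement, 7 TCA."""
    return {"tc": bool(flags & 0x01), "proposal": bool(flags & 0x02),
            "role": ROLES[(flags >> 2) & 0x03], "learning": bool(flags & 0x10),
            "forwarding": bool(flags & 0x20), "agreement": bool(flags & 0x40),
            "tca": bool(flags & 0x80)}


def build_rst_bpdu(root_id, root_path_cost, bridge_id, port_id, flags=0x3C,
                   message_age=0, max_age=20, hello_time=2, forward_delay=15):
    """LLC header + RST BPDU; timers are carried in units of 1/256 s.
    0x3C = designated role, learning, forwarding: the usual steady-state flags."""
    body = struct.pack(BPDU_FMT, 0x0000, 0x02, 0x02, flags, root_id, root_path_cost,
                       bridge_id, port_id, message_age * 256, max_age * 256,
                       hello_time * 256, forward_delay * 256, 0)
    return LLC + body


def parse_rst_bpdu(frame):
    if frame[:3] != LLC:
        raise ValueError("not an STP frame")
    (proto, version, bpdu_type, flags, root_id, cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay, _v1len) = struct.unpack(BPDU_FMT, frame[3:39])
    if proto != 0 or bpdu_type != 0x02:
        raise ValueError("not an RST BPDU (type 0x02)")
    return {"version": version, "flags": decode_flags(flags),
            "root": decode_bridge_id(root_id), "root_path_cost": cost,
            "bridge": decode_bridge_id(bridge_id), "port_id": port_id,
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
            # priority vector in the guide's tie-break order; bytes compare big-endian
            "_vector": (root_id, cost, bridge_id, port_id)}


def is_superior(candidate, incumbent):
    """True when candidate wins: lower root ID, else lower root path cost,
    else lower sender bridge ID, else lower port ID."""
    return candidate["_vector"] < incumbent["_vector"]


def root_primary_priority(lowest_root_priority):
    """Priority 'spanning-tree vlan X root primary' picks: 24576 if that beats
    the current root, otherwise 4096 below the lowest root priority seen."""
    if lowest_root_priority > 24576:
        return 24576
    if lowest_root_priority >= 4096:
        return lowest_root_priority - 4096
    raise ValueError("current root already at priority 0")


# Constructed BPDUs (made-up MAC addresses), all for VLAN 10.
LEGIT_ROOT = make_bridge_id(24576, 10, "00:1a:a1:00:00:01")
ACCESS_SW = make_bridge_id(32768, 10, "00:1a:a1:00:00:02")
ROGUE = make_bridge_id(0, 10, "00:0c:29:aa:bb:cc")
LEGIT_ROOT_BPDU = build_rst_bpdu(LEGIT_ROOT, 0, LEGIT_ROOT, 0x8001)
DOWNSTREAM_BPDU = build_rst_bpdu(LEGIT_ROOT, 4, ACCESS_SW, 0x8002)
ROGUE_BPDU = build_rst_bpdu(ROGUE, 0, ROGUE, 0x8001, flags=0x3E)   # proposal bit set

if __name__ == "__main__":
    legit, rogue = parse_rst_bpdu(LEGIT_ROOT_BPDU), parse_rst_bpdu(ROGUE_BPDU)
    print("rogue claims root:", rogue["root"], "flags:", rogue["flags"])
    print("rogue beats current root:", is_superior(rogue, legit))
```

    Because the bridge ID is compared as a big-endian byte string, a lower priority field always wins before the MAC address is even looked at, so lowering the real root to 24576 with root primary does not protect against a device that advertises priority 0; that protection has to come from BPDU guard on access ports and root guard on the uplinks that must never see a better root.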
  • Page 463: Configuring Mstp Features

    • Configuring the Maximum-Hop Count, page 17-26 (optional)
    • Specifying the Link Type to Ensure Rapid Transitions, page 17-27 (optional)
    • Designating the Neighbor Type, page 17-27 (optional)
    • Restarting the Protocol Migration Process, page 17-28 (optional)
  • Page 464: Default Mstp Configuration

    • VTP propagation of the MST configuration is not supported. However, you can manually configure the MST configuration (region name, revision number, and VLAN-to-instance mapping) on each switch within the MST region by using the command-line interface (CLI) or through the SNMP support.
  • Page 465: Specifying The Mst Region Configuration And Enabling Mstp

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 spanning-tree mst configuration: Enter MST configuration mode.
  • Page 466
    Switch(config)# spanning-tree mst configuration
    Switch(config-mst)# instance 1 vlan 10-20
    Switch(config-mst)# name region1
    Switch(config-mst)# revision 1
    Switch(config-mst)# show pending
    Pending MST configuration
    Name [region1]
    Revision
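    Two switches belong to the same MST region only when region name, revision number and VLAN-to-instance mapping all match, and because VTP does not propagate the MST configuration, the mapping is compared as a digest carried in the MST BPDU rather than as the list itself. The Python below is an added example, not code from this guide or from Cisco: it reproduces the IEEE 802.1s configuration digest (HMAC-MD5 with the standard's fixed key over a 4096-entry table of two-octet instance numbers), parses MST configuration lines in the form the region1 example above uses, and decides whether two switches' pending configurations would form one region. The all-default mapping yields the digest 0xAC36177F50283CD4B83821D8AB26DE62 that show spanning-tree mst configuration digest prints on an unconfigured switch, which is how to check this code against a real device.

```python
"""IEEE 802.1s MST configuration digest and region comparison.
Added example, not code from the guide."""
import hashlib
import hmac
import re
import struct

# Fixed signature key from IEEE 802.1s; every MSTP implementation uses it.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec):
    """'10-15,16-20' -> {10, ..., 20}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(lines):
    """Read 'name', 'revision' and 'instance N vlan LIST' lines (MST
    configuration mode syntax) into {'name', 'revision', 'map'}.  VLANs not
    listed stay in instance 0, the IST, exactly as on the switch."""
    region = {"name": "", "revision": 0, "map": {}}
    for line in lines:
        text = line.strip()
        m = re.match(r"instance (\d+) vlan (\S+)$", text)
        if m:
            region["map"].setdefault(int(m.group(1)), set()).update(
                parse_vlan_list(m.group(2)))
        elif text.startswith("name "):
            region["name"] = text[len("name "):]
        elif text.startswith("revision "):
            region["revision"] = int(text.split()[1])
    return region


def mst_config_table(instance_map):
    """4096 two-octet big-endian entries; entry[v] is the MSTI that VLAN v
    maps to (0 = IST).  Elements 0 and 4095 are always 0."""
    table = [0] * 4096
    for instance, vlans in instance_map.items():
        if not 0 <= instance <= 4094:
            raise ValueError("MSTI out of range")
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError("VLAN out of range")
            table[v] = instance
    return struct.pack(">4096H", *table)


def mst_digest(instance_map):
    """HMAC-MD5(key, table), upper-case hex like the switch prints it."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_map),
                    hashlib.md5).hexdigest().upper()


def same_region(a, b):
    """Name, revision and digest must all match for one MST region; a
    revision bump alone is enough to split a region in two."""
    return (a["name"], a["revision"], mst_digest(a["map"])) == \
           (b["name"], b["revision"], mst_digest(b["map"]))


# The guide's 'show pending' example: instance 1 vlan 10-20, name region1, revision 1.
REGION1 = parse_mst_config(["instance 1 vlan 10-20", "name region1", "revision 1"])

if __name__ == "__main__":
    print("default digest :", mst_digest({}))
    print("region1 digest :", mst_digest(REGION1["map"]))
```

    The digest hides the mapping, so two switches with different mappings simply fall into different regions and interact only through the CST; comparing the digest printed by each switch against this computation is the quickest way to find the one whose instance mapping or revision was typed differently.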
  • Page 467: Configuring The Root Switch

    Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 468: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 469: Configuring Port Priority

    Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last. For more information, see the “Configuring Path Cost” section on page 17-23.
  • Page 470 Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Page 471: Configuring Path Cost

    Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
  • Page 472: Configuring The Switch Priority

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id priority global configuration command.
  • Page 473: Configuring The Hello Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
  • Page 474: Configuring The Maximum-Aging Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
  • Page 475: Specifying The Link Type To Ensure Rapid Transitions

    Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports. Step 3 spanning-tree mst pre-standard Specify that the port can send only prestandard BPDUs.
  • Page 476: Restarting The Protocol Migration Process

    Displays MST information for the specified instance.
    show spanning-tree mst interface interface-id: Displays MST information for the specified interface.
    For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 477: Configuring Optional Spanning-Tree Features

    This chapter describes how to configure optional spanning-tree features on the Catalyst 2975 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 478: Understanding Optional Spanning-Tree Features

    Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid...
  • Page 479: Understanding Bpdu Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 480 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 481: Understanding Cross-Stack Uplinkfast

    Understanding Cross-Stack UplinkFast: For Catalyst 2975 switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
  • Page 482: How Csuf Works

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 483: Events That Cause Fast Convergence

    BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
  • Page 484 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that connects directly to Switch B is in the blocking state. Figure 18-6 BackboneFast Example Before Indirect Link Failure (figure labels: Switch A (Root), Switch B, Switch C, Blocked port)
  • Page 485 BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch. Figure 18-8 Adding a Switch in a Shared-Medium Topology (figure labels: Switch A (Root), Switch B, Switch C (Designated bridge), Blocked port, Added switch)
  • Page 486: Understanding Etherchannel Guard

    MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command. Caution: Misuse of the root-guard feature can cause a loss of connectivity.
  • Page 487: Understanding Loop Guard

    When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.
  • Page 488: Configuring Optional Spanning-Tree Features

    Feature / Default Setting
    Port Fast, BPDU filtering, BPDU guard: Globally disabled (unless they are individually configured per interface).
    UplinkFast: Globally disabled. (On Catalyst 2975 switches, the UplinkFast feature is the CSUF feature.)
    BackboneFast: Globally disabled.
    EtherChannel guard: Globally enabled.
    Root guard: Disabled on all interfaces.
  • Page 489: Enabling Port Fast

    Note: You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
  • Page 490: Enabling Bpdu Guard

    To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command.
  • Page 491: Enabling Bpdu Filtering

    To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
  • Page 492: Enabling Uplinkfast For Use With Redundant Links

    To return the update packet rate to the default setting, use the no spanning-tree uplinkfast max-update-rate global configuration command. To disable UplinkFast, use the no spanning-tree uplinkfast command.
  • Page 493: Enabling Cross-Stack Uplinkfast

    To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command. Enabling EtherChannel Guard: You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or MSTP.
  • Page 494: Enabling Root Guard

    Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable root guard, use the no spanning-tree guard interface configuration command.
  • Page 495: Enabling Loop Guard

    Displays MST information for the specified interface.
    show spanning-tree summary [totals]: Displays a summary of interface states or displays the total lines of the spanning-tree state section.
  • Page 496 You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 497: Configuring Flex Links and the MAC Address-Table Move Update Feature

    This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 2975 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 498: Understanding Flex Links And The Mac Address-Table Move Update

    If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users. Flex Links are supported only on Layer 2 ports and port channels, not on VLANs.
  • Page 499: Vlan Flex Link Load Balancing And Support

    When the changeover happens, the backup port is unblocked, allowing the traffic to flow. In this case, the upstream multicast data flows as soon as the backup port is unblocked.
  • Page 500: Generating Igmp Reports

    Active Interface        Backup Interface        State
    GigabitEthernet1/0/11   GigabitEthernet1/0/12   Active Up/Backup Standby
    Preemption Mode : off
    Multicast Fast Convergence : Off
    Bandwidth : 100000 Kbit (Gi1/0/11), 100000 Kbit (Gi1/0/12)
    Mac Address Move Update Vlan : auto
  • Page 501 This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through Gigabit Ethernet1/0/11:
    Switch# show ip igmp snooping querier
    Vlan   IP Address   IGMP Version   Port
    -------------------------------------------------------------
           1.1.1.1                     Gi1/0/11
           41.41.41.1                  Gi1/0/11
  • Page 502: Mac Address-Table Move Update

    When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC.
  • Page 503: Configuring Flex Links And The Mac Address-Table Move Update

      • Configuration Guidelines, page 19-8
      • Configuring Flex Links, page 19-9
      • Configuring VLAN Load Balancing on Flex Links, page 19-11
      • Configuring the MAC Address-Table Move Update Feature, page 19-12
  • Page 504: Default Configuration

      • You can enable and configure this feature on the access switch to send the MAC address-table move updates.
      • You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
  • Page 505: Configuring Flex Links

    Switch# show interfaces switchport backup
    Switch Backup Interface Pairs:
    Active Interface        Backup Interface        State
    ------------------------------------------------------------------------
    GigabitEthernet1/0/1    GigabitEthernet1/0/3    Active Standby/Backup Up
    Vlans Preferred on Active Interface: 1-3,5-4094
    Vlans Preferred on Backup Interface: 4
  • Page 506 GigabitEthernet1/0/21   GigabitEthernet1/0/2   Active Up/Backup Standby
    Interface Pair : Gi1/0/1, Gi1/0/2
    Preemption Mode : forced
    Preemption Delay : 50 seconds
    Bandwidth : 100000 Kbit (Gi1/0/1), 100000 Kbit (Gi1/0/2)
    Mac Address Move Update Vlan : auto
  • Page 507: Configuring Vlan Load Balancing On Flex Links

    Switch# show interfaces switchport backup
    Switch Backup Interface Pairs:
    Active Interface        Backup Interface        State
    ------------------------------------------------------------------------
    GigabitEthernet2/0/6    GigabitEthernet2/0/8    Active Down/Backup Up
    Vlans Preferred on Active Interface: 1-50
    Vlans Preferred on Backup Interface: 60, 100-120
  • Page 508: Configuring The Mac Address-Table Move Update Feature

    VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 509 Enter global configuration mode. Step 2 mac address-table move update receive Enable the switch to get and process the MAC address-table move updates. Step 3 Return to privileged EXEC mode.
  • Page 510: Monitoring Flex Links And The Mac Address-Table Move Update

    When VLAN load balancing is enabled, the output displays the preferred VLANs on Active and Backup interfaces.
    show mac address-table move update: Displays the MAC address-table move update information on the switch.
  • Page 511: Understanding Dhcp Snooping

    This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2975 switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 512: Dhcp Server

    For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
  • Page 513 The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
  • Page 514: Option-82 Data Insertion

      • If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
      • The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
  • Page 515 The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
  • Page 516
      – The length values are variable, depending on the length of the string that you configure.
      • Remote-ID suboption fields
        – The remote-ID type is 1.
        – The length values are variable, depending on the length of the string that you configure.
  • Page 517: Dhcp Snooping Binding Database

    If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
  • Page 518: Dhcp Snooping And Switch Stacks

    The new master of the partitioned stack begins processing the new incoming DHCP packets. For more information about switch stacks, see Chapter 6, “Managing Switch Stacks.”
  • Page 519: Configuring Dhcp Snooping

    DHCP snooping MAC address verification: Enabled
    DHCP snooping binding database agent: Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured.
    1. The switch responds to DHCP requests only if it is configured as a DHCP server.
  • Page 520 EXEC command. Note: Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
  • Page 521: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
  • Page 522 100 packets per second on a port:
    Switch(config)# ip dhcp snooping
    Switch(config)# ip dhcp snooping vlan 10
    Switch(config)# ip dhcp snooping information option
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# ip dhcp snooping limit rate 100
  • Page 523: Enabling The Dhcp Snooping Binding Database Agent

    To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
  • Page 524: Displaying Dhcp Snooping Information

    Displays the DHCP snooping statistics in summary or detail form. Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
  • Page 525: Understanding Ip Source Guard

    IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets. The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
  • Page 526: Ip Source Guard For Static Hosts

    DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.
  • Page 527: Configuring Ip Source Guard

    If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored. To remove the binding from the running configuration, you must disable IP source guard before entering the no switch...
  • Page 528: Enabling Ip Source Guard

    This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ip verify source port-security
  • Page 529: Configuring Ip Source Guard For Static Hosts

    IP device tracking table allows on the port. The range is 1 to 10. The maximum number is 10. Note: You must configure the ip device tracking maximum limit-number interface configuration command.
  • Page 530 IP-MAC bindings on the interface Gi0/3, and to verify that the number of bindings on this interface has reached the maximum:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# ip device tracking
    Switch(config)# interface gigabitethernet 0/3
    Switch(config-if)# switchport mode access
  • Page 531 IP Device Tracking Probe Interval = 30
    ---------------------------------------------------------------------
    IP Address   MAC Address      Vlan   Interface            STATE
    ---------------------------------------------------------------------
    200.1.1.1    0001.0600.0000          GigabitEthernet0/1   ACTIVE
    200.1.1.2    0001.0600.0000          GigabitEthernet0/1   ACTIVE
    200.1.1.3    0001.0600.0000          GigabitEthernet0/1   ACTIVE
    200.1.1.4    0001.0600.0000          GigabitEthernet0/1   ACTIVE
    200.1.1.5    0001.0600.0000          GigabitEthernet0/1   ACTIVE
  • Page 532: Displaying Ip Source Guard Information

    Display the active IP or MAC binding entries for all interfaces.
    show ip source binding: Display the IP source bindings on a switch.
    show ip verify source: Display the IP source guard configuration on the switch.
  • Page 533: Understanding Dhcp Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 534: Enabling Dhcp Server Port-Based Address Allocation

    By entering this command, users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches.
  • Page 535 10.1.1.1 10.1.1.3 ip dhcp pool dhcppool
  • Page 536: Displaying Dhcp Server Port-Based Address Allocation

    10.1.1.7 Et1/0 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 537: Configuring Dynamic Arp Inspection

    This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 2975 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 538: Chapter 21 Configuring Dynamic Arp Inspection

    “Configuring ARP ACLs for Non-DHCP Environments” section on page 21-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 21-5.
  • Page 539: Interface Trust States And Network Security

    If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 540: Rate Limiting Of Arp Packets

    The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
  • Page 541: Configuring Dynamic Arp Inspection

    15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
    ARP ACLs for non-DHCP environments: No ARP ACLs are defined.
    Validation checks: No checks are performed.
  • Page 542: Dynamic Arp Inspection Configuration Guidelines

    30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
  • Page 543: Configuring Dynamic Arp Inspection In Dhcp Environments

    Chapter 20, “Configuring DHCP Features and IP Source Guard Features.” For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 21-9.
  • Page 544 This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:
    Switch(config)# ip arp inspection vlan 1
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ip arp inspection trust
  • Page 545: Configuring Arp Acls For Non-Dhcp Environments

    For more information, see the “Configuring the Log Buffer” section on page 21-13. Step 4 exit Return to global configuration mode.
  • Page 546 To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
  • Page 547: Limiting The Rate Of Incoming Arp Packets

    ARP packets. The range is 1 to 15. For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed. Step 4 exit Return to global configuration mode.
  • Page 548: Performing Validation Checks

    Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
  • Page 549: Configuring The Log Buffer

    A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
  • Page 550 The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 551: Displaying Dynamic Arp Inspection Information

    Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
  • Page 552 Clears the dynamic ARP inspection log buffer.
    show ip arp inspection log: Displays the configuration and contents of the dynamic ARP inspection log buffer.
    For more information about these commands, see the command reference for this release.
  • Page 553: Understanding Igmp Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 554: Chapter 22 Configuring Igmp Snooping And Mvr

    IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router. Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address. It does not support snooping based on the source MAC address or on proxy reports.
  • Page 555: Joining A Multicast Group

    The host associated with that interface receives multicast traffic for that multicast group. See Figure 22-1. Figure 22-1 Initial IGMP Join Message (figure labels: Router A, IGMP report 224.1.2.3, VLAN, Forwarding table, Host 1, Host 2, Host 3, Host 4)
  • Page 556 Figure: Second Host Joining a Multicast Group (figure labels: Router A, VLAN, Forwarding table, Host 1, Host 2, Host 3, Host 4)
    Table 22-2 Updated IGMP Snooping Forwarding Table
    Destination Address   Type of Packet   Ports
    224.1.2.3             IGMP             1, 2, 5
  • Page 557: Leaving A Multicast Group

    “Configuring the IGMP Leave Timer” section on page 22-11. IGMP Report Suppression: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. Note: This feature is not supported when the query includes IGMPv3 reports.
  • Page 558: Configuring Igmp Snooping

      • Enabling IGMP Immediate Leave, page 22-10
      • Configuring the IGMP Leave Timer, page 22-11
      • Configuring TCN-Related Commands, page 22-12
      • Configuring the IGMP Snooping Querier, page 22-14
      • Disabling IGMP Report Suppression, page 22-15
  • Page 559: Default Igmp Snooping Configuration

    Return to privileged EXEC mode. Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file. To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global configuration command.
  • Page 560: Setting The Snooping Method

      • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
      • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
      • Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command
    You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets.
  • Page 561: Configuring A Multicast Router Port

    (Optional) Save your entries in the configuration file. To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
  • Page 562: Configuring A Host Statically To Join A Group

    IGMP Version 2 leave message on that port. Note: You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN. Immediate Leave is supported only on IGMP Version 2 hosts.
  • Page 563: Configuring The Igmp Leave Timer

    Step 4 Return to privileged EXEC mode. Step 5 show ip igmp snooping (Optional) Display the configured IGMP leave time. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 564: Configuring Tcn-Related Commands

    0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root. When the router receives this special leave, it immediately...
  • Page 565: Disabling Multicast Flooding During A Tcn Event

    Verify the TCN settings. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
  • Page 566: Configuring The Igmp Snooping Querier

    (Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 567: Disabling Igmp Report Suppression

    You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. Catalyst 2975 Switch Software Configuration Guide 22-15 OL-19720-02...
  • Page 568 IGMP query message in the VLAN and the configuration and operational state of the IGMP snooping querier in the VLAN. For more information about the keywords and options in these commands, see the command reference for this release. Catalyst 2975 Switch Software Configuration Guide 22-16 OL-19720-02...
  • Page 569: Understanding Multicast Vlan Registration

    PC. When a subscriber selects a channel, the set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast. If the IGMP report matches one of the Catalyst 2975 Switch Software Configuration Guide 22-17...
  • Page 570 With Immediate Leave, an IGMP query is not sent from the receiver port on which the Catalyst 2975 Switch Software Configuration Guide 22-18...
  • Page 571: Configuring Mvr

    Multicast addresses None configured Query response time 0.5 second Multicast VLAN VLAN 1 Mode Compatible Interface (per port) default Neither a receiver nor a source port Immediate Leave Disabled on all ports Catalyst 2975 Switch Software Configuration Guide 22-19 OL-19720-02...
  • Page 572: Mvr Configuration Guidelines And Limitations

    (Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN. The VLAN range is 1 to 1001 and 1006 to 4094. The default is VLAN 1. Catalyst 2975 Switch Software Configuration Guide 22-20 OL-19720-02...
  • Page 573: Configuring Mvr Interfaces

    IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN. The default configuration is as a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation fails. Catalyst 2975 Switch Software Configuration Guide 22-21 OL-19720-02...
  • Page 574 Switch(config-if)# mvr type receiver Switch(config-if)# mvr vlan 22 group 228.1.23.4 Switch(config-if)# mvr immediate Switch(config)# end Switch# show mvr interface Port Type Status Immediate Leave ---- ---- ------- --------------- Gi1/0/2 RECEIVER ACTIVE/DOWN ENABLED Catalyst 2975 Switch Software Configuration Guide 22-22 OL-19720-02...
  • Page 575: Displaying Mvr Information

    VLAN ID range is 1 to 1001 and 1006 to 4094. show mvr members [ip-address] Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address. Catalyst 2975 Switch Software Configuration Guide 22-23 OL-19720-02...
  • Page 576: Configuring Igmp Filtering And Throttling

    Configuring IGMP Profiles, page 22-25 (optional) • Applying IGMP Profiles, page 22-26 (optional) • Setting the Maximum Number of IGMP Groups, page 22-27 (optional) • Configuring the IGMP Throttling Action, page 22-28 (optional) • Catalyst 2975 Switch Software Configuration Guide 22-24 OL-19720-02...
  • Page 577: Default Igmp Filtering And Throttling Configuration

    The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses. Catalyst 2975 Switch Software Configuration Guide 22-25 OL-19720-02...
  • Page 578: Applying Igmp Profiles

    You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it. Catalyst 2975 Switch Software Configuration Guide 22-26...
  • Page 579: Setting The Maximum Number Of Igmp Groups

    The range is 0 to 4294967294. The default is to have no maximum set. Step 4 Return to privileged EXEC mode. Step 5 show running-config interface Verify the configuration. interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 2975 Switch Software Configuration Guide 22-27 OL-19720-02...
  • Page 580: Configuring The Igmp Throttling Action

    • replace—Replace the existing group with the new group for which • the IGMP report was received. Catalyst 2975 Switch Software Configuration Guide 22-28 OL-19720-02...
  • Page 581: Displaying Igmp Filtering And Throttling Configuration

    Displays the configuration of the specified interface or the configuration of all interfaces interface-id] on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface. Catalyst 2975 Switch Software Configuration Guide 22-29 OL-19720-02...
  • Page 582 Chapter 22 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Catalyst 2975 Switch Software Configuration Guide 22-30 OL-19720-02...
  • Page 583: Configuring Port-Based Traffic Control

    C H A P T E R Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 584: Understanding Storm Control

    Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 23-1 shows broadcast traffic patterns on an interface over a given period of time.
  • Page 585: Default Storm Control Configuration

    Note: Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces...
  • Page 586 • Select the shutdown keyword to error-disable the port during a storm. • Select the trap keyword to generate an SNMP trap when a storm is detected. Step 5 Return to privileged EXEC mode...
  • Page 587: Configuring Small-Frame Arrival Rate

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 588: Configuring Protected Ports

    • All data traffic passing between protected ports must be forwarded through a Layer 3 device. • Forwarding behavior between a protected port and a nonprotected port proceeds as usual...
  • Page 589: Default Protected Port Configuration

    To disable a protected port, use the no switchport protected interface configuration command. This example shows how to configure a port as a protected port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# switchport protected
    Switch(config-if)# end
    ...
  • Page 590: Configuring Port Blocking

    Block unknown unicast forwarding out of the port. Step 5 Return to privileged EXEC mode. Step 6 show interfaces interface-id switchport Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 591: Configuring Port Security

    Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected...
  • Page 592: Security Violations

    Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit...
  • Page 593: Default Port Security Configuration

    Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded. Port security aging: Disabled. Aging time is 0. Static aging is disabled. Type is absolute...
  • Page 594: Port Security Configuration Guidelines

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 595: Enabling And Configuring Port Security

    Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses...
  • Page 596 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command...
  • Page 597 VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 598
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport voice vlan 22
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 20
    Switch(config-if)# switchport port-security violation restrict
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
    ...
  • Page 599: Enabling And Configuring Port Security Aging

    Step 4 Return to privileged EXEC mode. Step 5 show port-security [interface interface-id] [address] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 600: Port Security And Switch Stacks

    MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode...
  • Page 601 [interface interface-id] address Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address. show port-security interface interface-id vlan Displays the number of secure MAC addresses configured per VLAN on the specified interface...
  • Page 602 Chapter 23 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings...
  • Page 603: Configuring Cdp

    Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 604: Cdp And Switch Stacks

    Chapter 24 Configuring CDP Configuring CDP For a switch and connected endpoint devices running Cisco Medianet: • CDP identifies connected endpoints that communicate directly with the switch. • To prevent duplicate reports of neighboring devices, only one wired switch reports the location...
  • Page 605: Configuring The Cdp Characteristics

    24-5. Disabling and Enabling CDP CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 5, “Clustering Switches”...
  • Page 606: Disabling And Enabling Cdp On An Interface

    Step 3 no cdp enable Disable CDP on the interface. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 607: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors...
  • Page 608 Chapter 24 Configuring CDP Monitoring and Maintaining CDP...
  • Page 609: Configuring Lldp, Lldp-Med, And Wired Location Service

    Understanding LLDP, LLDP-MED, and Wired Location Service LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 610: Lldp-Med

    A switch stack appears as a single switch in the network. Therefore, LLDP discovers the switch stack, not the individual stack members. When you configure LLDP or CDP location information on a per-port basis, remote devices can send Cisco Medianet location information to the switch. For information, go to http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html. LLDP-MED LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches.
  • Page 611: Wired Location Service

    Understanding LLDP, LLDP-MED, and Wired Location Service Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.
  • Page 612 If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information...
  • Page 613: Configuring Lldp, Lldp-Med, And Wired Location Service

    • You cannot configure static secure MAC addresses on an interface that has a network-policy profile. • You cannot configure a network-policy profile on a private-VLAN port. • For wired location to function, you must first enter the ip device tracking global configuration command...
  • Page 614: Enabling Lldp

    Switch# configure terminal
    Switch(config)# lldp run
    Switch(config)# end
    This example shows how to enable LLDP on an interface.
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# lldp transmit
    Switch(config-if)# lldp receive
    Switch(config-if)# end
    ...
  • Page 615: Configuring Lldp Characteristics

    Use the no form of each of the LLDP commands to return to the default setting. This example shows how to configure LLDP characteristics.
    Switch# configure terminal
    Switch(config)# lldp holdtime 120
    Switch(config)# lldp reinit 2
    Switch(config)# lldp timer 30
    Switch(config)# end
    ...
  • Page 616: Configuring Lldp-Med Tlvs

    (Optional) Save your entries in the configuration file. This example shows how to enable a TLV on an interface:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# lldp med-tlv-select inventory-management
    Switch(config-if)# end
    ...
  • Page 617: Configuring Network-Policy Tlv

    Verify the configuration. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of each command to return to the default setting...
  • Page 618: Configuring Location Tlv And Wired Location Service

    ID for the civic location or the ELIN location. The ID range is 1 to 4095. word—Specify a word or phrase with additional location information. Step 6 Return to privileged EXEC mode...
  • Page 619 (Optional) Save your entries in the configuration file. This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds:
    Switch(config)# nmsp enable
    Switch(config)# nmsp notification interval location 10
    ...
  • Page 620: Monitoring And Maintaining Lldp, Lldp-Med, And Wired Location Service

    TLVs. show location Display the location information for an endpoint. show network-policy profile Display the configured network-policy profiles. show nmsp Display the NMSP information...
  • Page 621: Configuring Udld

    Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 622: Methods To Detect Unidirectional Links

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized...
  • Page 623: Configuring Udld

    • Default UDLD Configuration, page 26-4 • Configuration Guidelines, page 26-4 • Enabling UDLD Globally, page 26-5 • Enabling UDLD on an Interface, page 26-6 • Resetting an Interface Disabled by UDLD, page 26-6...
  • Page 624: Default Udld Configuration

    • When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP...
  • Page 625: Enabling Udld Globally

    To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports...
  • Page 626: Enabling Udld On An Interface

    • The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state...
  • Page 627: Displaying Udld Status

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release...
  • Page 628 Chapter 26 Configuring UDLD Displaying UDLD Status...
  • Page 629: Configuring Span And Rspan

    Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 630: Local Span

    Figure 27-1 Example of Local SPAN Configuration on a Single Switch (port 5 traffic mirrored on port 10, which connects to a network analyzer)...
  • Page 631: Remote Span

    RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure...
  • Page 632: Span And Rspan Concepts And Terminology

    RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port...
  • Page 633: Monitored Traffic

    SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, and egress QoS policing...
  • Page 634: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 635: Source Vlans

    • SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports. • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic...
  • Page 636: Destination Port

    IEEE 802.1Q-tagged packets. • For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged...
  • Page 637: Rspan Vlan

    SPAN destination, it is removed from the group. After the port is removed from the SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the inactive or suspended state...
  • Page 638: Span And Rspan And Switch Stacks

    Chapter 6, “Managing Switch Stacks.” Configuring SPAN and RSPAN These sections contain this configuration information: • Default SPAN and RSPAN Configuration, page 27-11 • Configuring Local SPAN, page 27-11 • Configuring RSPAN, page 27-17...
  • Page 639: Default Span And Rspan Configuration

    • You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled...
  • Page 640 This is the default. • rx—Monitor received traffic. • tx—Monitor sent traffic. Note: You can use the monitor session session_number source command multiple times to configure multiple source ports...
  • Page 641
    Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1
    Switch(config)# end
    This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
    Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
    ...
  • Page 642 VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 643 IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx
    Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
    Switch(config)# end
    ...
  • Page 644: Specifying Vlans To Filter

    Step 8 copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command...
  • Page 645 • You can configure any VLAN as an RSPAN VLAN as long as these conditions are met: – The same RSPAN VLAN is used for an RSPAN session in all the switches. – All participating switches support RSPAN...
  • Page 646: Configuring A Vlan As An Rspan Vlan

    To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
    Switch(config)# vlan 901
    Switch(config-vlan)# remote span
    Switch(config-vlan)# end
    ...
  • Page 647: Creating An Rspan Source Session

    show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command...
  • Page 648: Creating An Rspan Destination Session

    remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor...
  • Page 649: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 650 VLAN 6 as the default receiving VLAN.
    Switch(config)# monitor session 2 source remote vlan 901
    Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
    Switch(config)# end
    ...
  • Page 651
    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
    Switch(config)# monitor session 2 filter vlan 1 - 5, 9
    Switch(config)# monitor session 2 destination remote vlan 902
    Switch(config)# end
    ...
  • Page 652: Displaying Span And Rspan Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions...
  • Page 653: Configuring Rmon

    C H A P T E R Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 654: Understanding Rmon

    Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required. Note: 64-bit counters are not supported for RMON alarms...
  • Page 655: Configuring Rmon

    You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 30, “Configuring SNMP.” Note: 64-bit counters are not supported for RMON alarms...
  • Page 656 SNMP community string used for this trap. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 657: Collecting Group History Statistics On An Interface

    1800 seconds. • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries...
  • Page 658: Collecting Group Ethernet Statistics On An Interface

    To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command. This example shows how to collect RMON statistics for the owner root:
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# rmon collection stats 2 owner root
    ...
  • Page 659: Displaying Rmon Status

    For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 660 Chapter 28 Configuring RMON Displaying RMON Status...
  • Page 661: Configuring System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Note Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under...
  • Page 662: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. Catalyst 2975 Switch Software Configuration Guide 29-2 OL-19720-02...
  • Page 663: Chapter 29 Configuring System Message Logging

    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2)
  • Page 664: Default System Message Logging Configuration

    When the logging process is disabled, messages appear on the console as soon as they are produced, often appearing in the middle of command output.
  • Page 665: Setting The Message Display Destination Device

    The severity range is 0 to 7. For a list of logging type keywords, see Table 29-3 on page 29-10. By default, the log file receives debugging messages and numerically lower levels. Step 5 Return to privileged EXEC mode.
  • Page 666: Synchronizing Log Messages

    Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
  • Page 667 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 668: Enabling And Disabling Time Stamps On Log Messages

    Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service sequence-numbers Enable sequence numbers. Step 3 Return to privileged EXEC mode.
  • Page 669: Defining The Message Severity Level

    To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 670: Limiting Syslog Messages Sent To The History Table And To Snmp

    By default, one message of the level warning and numerically lower levels (see Table 29-3 on page 29-10) is stored in the history table even if syslog traps are not enabled.
  • Page 671: Enabling The Configuration-Change Logger

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T: http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html...
  • Page 672: Configuring Unix Syslog Servers

    | switchport mode trunk temi@vty5 | exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.
  • Page 673: Logging Messages To A Unix Syslog Daemon

    Step 3 logging trap level Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 29-3 on page 29-10 for level keywords.
  • Page 674: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 675: Configuring Snmp

    Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4:...
  • Page 676: Snmp Versions

    A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 677: Snmp Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later.
  • Page 678: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 5, “Clustering Switches,” and Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
  • Page 679: Snmp Notifications

    2 an ifIndex value of 10003, this value is the same after the switch reboots. The switch uses one of the values in Table 30-3 to assign an ifIndex value to an interface: Table 30-3 ifIndex Values Interface Type ifIndex Range 1–4999 EtherChannel 5000–5012 Loopback 5013–5077
  • Page 680: Configuring Snmp

    SNMP notification type If no type is specified, all notifications are sent. 1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
  • Page 681: Snmp Configuration Guidelines

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 682: Configuring Community Strings

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything. Step 4 Return to privileged EXEC mode.
  • Page 683: Configuring Snmp Groups And Users

    If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
  • Page 684 64 characters) that is the name of the view in which you specify a notify, inform, or trap. • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 685 Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 686: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 687 [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} ...configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.
  • Page 688 1 to 1000; the default is 10. Step 9 snmp-server trap-timeout seconds (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode.
  • Page 689: Setting The Cpu Threshold Notification Types And Values

    Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 690: Setting The Agent Contact And Location Information

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
  • Page 691: Snmp Examples

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 692: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 30-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 30-6 Commands for Displaying SNMP Information Feature...
  • Page 693: Configuring Network Security With Acls

    This chapter describes how to configure network security on the Catalyst 2975 switch by using access control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 694: Supported Acls

    When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
  • Page 695: Port Acls

    With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
  • Page 696: Router Acls

    Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet Switch(config)# access-list 102 permit tcp any host 10.1.1.2 Switch(config)# access-list 102 deny tcp any any
  • Page 697: Acls And Switch Stacks

    Chapter 6, “Configuring the Switch Stack.”) The ACL configuration that is part of the running configuration is also reparsed during this step. The new stack master distributes the ACL information to all switches in the stack.
  • Page 698: Configuring Ipv4 Acls

    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 699: Access List Numbers

    IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 700: Creating A Numbered Standard Acl

    Switch(config)# access-list 2 deny host 171.69.198.102 Switch(config)# access-list 2 permit any Switch(config)# end Switch# show access-lists Standard IP access list 2 10 deny 171.69.198.102 20 permit any
  • Page 701: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 •...
  • Page 702 [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] ...an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255. You can use the any keyword in place of source and destination address and wildcard.
  • Page 703 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 704 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 705: Resequencing Aces In An Acl

    0.0.0.0. permit {source [source-wildcard] | host source | any} • any—A source and source wildcard of 0.0.0.0 255.255.255.255. Step 4 Return to privileged EXEC mode.
  • Page 706 Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 31-18).
  • Page 707: Using Time Ranges With Acls

    (Optional) Save your entries in the configuration file. Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.
  • Page 708: Including Comments In Acls

    To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.
  • Page 709: Applying An Ipv4 Acl To A Terminal Line

    Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
  • Page 710: Applying An Ipv4 Acl To An Interface

    Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip access-group 2 in This example shows how to apply access list 3 to filter packets going to the CPU: Switch(config)# interface vlan 1 Switch(config-if)# ip access-group 3 in
  • Page 711: Hardware And Software Treatment Of Ip Acls

    EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available. For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.
  • Page 712: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 713: Numbered Acls

    Switch(config)# periodic weekdays 8:00 to 18:00 Switch(config)# time-range udp-yes Switch(config)# periodic weekend 12:00 to 20:00 Switch(config)# ip access-list extended strict Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http Switch(config-ext-nacl)# permit udp any any time-range udp-yes
  • Page 714: Commented Ip Acl Entries

    Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
  • Page 715: Applying A Mac Acl To A Layer 2 Interface

    • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
  • Page 716 If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 717: Displaying Ipv4 Acl Configuration

    MAC and IP access lists and which access groups are applied to an interface. show mac access-group [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 718 Chapter 31 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration
  • Page 719: Configuring Cisco Ios Ip Slas Operations

    This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 2975 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
  • Page 720: Using Cisco Ios Ip Slas To Measure Network Performance

    Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address. Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a...
  • Page 721: Ip Slas Responder And Ip Slas Control Protocol

    The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
  • Page 722: Response Time Computation For Ip Slas

    (such as Telnet or HTTP). You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices.
  • Page 723: Configuring Ip Slas Operations

    This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the switch includes only responder support.
  • Page 724: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch running the LAN base image. Beginning in privileged EXEC mode, follow these steps...
  • Page 725: Configuring Qos

    This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2975 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 726 Figure residue: Layer 2 802.1Q and 802.1p frame (start frame delimiter, preamble, data; 3 bits used for CoS, the user priority) and Layer 3 IPv4 packet (version, offset, TTL, proto, FCS, IP-SA, IP-DA, data; 1-byte field carrying IP precedence or DSCP).
  • Page 727: Chapter 33 Configuring QoS

    Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.
  • Page 728: Basic Qos Model

    Scheduling services the four egress queues based on their configured SRR shared or shaped weights. • One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
  • Page 729: Classification

    0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
  • Page 730 For configuration information on port trust states, see the “Configuring Classification Using Port Trust States” section on page 33-37. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
  • Page 731 Flowchart residue: generate the DSCP by using the CoS-to-DSCP map; assign the DSCP or CoS as specified by ACL action to generate the QoS label; or assign the default DSCP (0). Done.
  • Page 732: Classification Based On Qos Acls

    You can configure a default class by using the class class-default policy-map configuration command. Unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as default traffic.
  • Page 733: Policing And Marking

    For configuration information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-50 and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 33-55.
  • Page 734: Policing On Physical Ports

    You configure how fast (the average rate) the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
  • Page 735: Mapping Tables

    This configurable map is called the policed-DSCP map. You configure this map by using the mls qos map policed-dscp global configuration command.
  • Page 736: Queueing And Scheduling Overview

    Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications.
  • Page 737: Srr Shaping And Sharing

    With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless. Shaping and sharing are configured per interface. Each interface can be uniquely configured.
  • Page 738: Queueing And Scheduling On Ingress Queues

    Queue the packet. Service the queue according to the SRR weights. Send packet to the stack ring. Note: SRR services the priority queue for its configured share before servicing the other queue.
  • Page 739 The priority queue should be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the stack ring.
  • Page 740: Queueing And Scheduling On Egress Queues

    Figure 33-8 shows the queueing and scheduling flowchart for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
  • Page 741 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free
  • Page 742 You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot
  • Page 743: Packet Modification

    CoS-to-DSCP map. The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
  • Page 744: Configuring Auto-Qos

    Table 33-5.) • Switch enables the trusted boundary feature and uses the Cisco Discovery Protocol (CDP) to detect the presence of a supported device. • Policing is used to determine whether a packet is in or out of profile and specifies the action on the packet.
  • Page 745: Voip Device Specifics

    DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
  • Page 746: Enhanced Auto-Qos For Video, Trust, And Classification

    Ensure Port Security” section on page 39-42. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 33-5 to the port.
  • Page 747: Global Auto-Qos Configuration

    4 threshold 2 1 output cos-map queue 3 threshold 3 0 Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 0 Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 1
  • Page 748 33 40 41 42 43 44 45 Switch(config)# mls qos srr-queue Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 input dscp-map queue 2 threshold 3 46 41 42 43 44 45 46 47
  • Page 749 4 threshold 2 10 10 11 12 13 14 15 12 14 Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
  • Page 750: Auto-Qos Generated Configuration For Voip Devices

    If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 751: Auto-Qos Generated Configuration For Enhanced Video, Trust, And Classify Devices

    AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled. Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 752: Policy Maps

    Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS Switch(config-pmap-c)# set dscp af21 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS Switch(config-pmap-c)# set dscp cs1 Switch(config-pmap-c)# police 10000000 8000 exceed-action drop Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS
  • Page 753 Switch(config-pmap-c)# set dscp default Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY This is the enhanced configuration for the auto qos voip cisco-phone command: Switch(config)# mls qos map policed-dscp 0 10 18 to 8 Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
  • Page 754: Effects Of Auto-Qos On The Configuration

    • Auto-QoS VoIP uses the priority-queue interface configuration command for an egress interface. • You can also configure a policy-map and trust device on the same interface for Cisco IP phones. • To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other...
  • Page 755: Auto-Qos Enhanced Considerations

    • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone. • This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
  • Page 756: Troubleshooting Auto Qos Commands

    To display information about the QoS configuration that might be affected by auto-QoS, use one of these commands: • show mls qos • show mls qos maps cos-dscp • show mls qos interface [interface-id] [buffers | queueing]
  • Page 757: Configuring Standard Qos

    No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are described in the “Default Ingress Queue Configuration” section on page 33-34 and the “Default Egress Queue Configuration” section on page 33-34.
  • Page 758: Default Ingress Queue Configuration

    WTD drop threshold 1: 100 percent, 200 percent, 100 percent, 100 percent
    WTD drop threshold 2: 100 percent, 200 percent, 100 percent, 100 percent
    Reserved threshold: 50 percent, 50 percent, 50 percent, 50 percent
  • Page 759: Default Mapping Table Configuration

    The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).
  • Page 760: Standard Qos Configuration Guidelines

    If you do not first remove the policy map from all interfaces, high CPU usage can occur, which, in turn, can cause the console to pause for a very long time.
  • Page 761: General Qos Guidelines

    QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 33-10 shows a sample network topology.
  • Page 762 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 763: Configuring The Cos Value For An Interface

    CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 764: Configuring A Trusted Boundary To Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the...
  • Page 765: Enabling Dscp Transparency Mode

    In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 766: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
  • Page 767 Step 6 Return to privileged EXEC mode. Step 7 show mls qos maps dscp-mutation Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 768: Configuring A Qos Policy

    • Classifying Traffic by Using Class Maps, page 33-48 • Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, page 33-50 • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 33-55
  • Page 769: Classifying Traffic By Using Acls

    Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255 Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255 Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255 ! (Note: all other access implicitly denied)
  • Page 770 This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32: Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
  • Page 771 MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002. Switch(config)# mac access-list extended maclist1 Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp ! (Note: all other access implicitly denied)
  • Page 772: Classifying Traffic By Using Class Maps

    If neither the match-all nor the match-any keyword is specified, the default is match-all. Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same.
  • Page 773 This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7: Switch(config)# class-map class3 Switch(config-cmap)# match ip precedence 5 6 7 Switch(config-cmap)# end Switch#
  • Page 774: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    • When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default).
  • Page 775 It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
  • Page 776 DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 33-59.
  • Page 777 Switch(config-ext-mac)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp Switch(config-ext-mac)# exit Switch(config)# mac access-list extended maclist2 Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp
  • Page 778 Switch(config-cmap)# exit Switch(config)# policy-map pm3 Switch(config-pmap)# class class-default Switch(config-pmap-c)# set dscp 10 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-3 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-4 Switch(config-pmap-c)# trust cos Switch(config-pmap-c)# exit Switch(config-pmap)# exit
  • Page 779: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-50.
  • Page 780 Switch(config-cmap)# match access-group 2 Switch(config-cmap)# exit Switch(config)# policy-map aggflow1 Switch(config-pmap)# class ipclass1 Switch(config-pmap-c)# trust dscp Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class ipclass2 Switch(config-pmap-c)# set dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit
  • Page 781: Configuring Dscp Maps

    Table 33-12 shows the default CoS-to-DSCP map. Table 33-12 Default CoS-to-DSCP Map CoS Value DSCP Value If these values are not appropriate for your network, you need to modify them.
  • Page 782: Configuring The Ip-Precedence-To-Dscp Map

    QoS uses internally to represent the priority of the traffic. Table 33-13 shows the default IP-precedence-to-DSCP map: Table 33-13 Default IP-Precedence-to-DSCP Map IP Precedence Value DSCP Value If these values are not appropriate for your network, you need to modify them.
  • Page 783: Configuring The Policed-Dscp Map

    DSCP value. Step 3 Return to privileged EXEC mode. Step 4 show mls qos maps policed-dscp Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 784: Configuring The Dscp-To-Cos Map

    DSCP-to-CoS map. Table 33-14 Default DSCP-to-CoS Map DSCP Value CoS Value 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63 If these values are not appropriate for your network, you need to modify them.
  • Page 785: Configuring The Dscp-To-Dscp-Mutation Map

    The switch sends the packet out the port with the new DSCP value. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
  • Page 786 30 30 30 30 30 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
  • Page 787: Configuring Ingress Queue Characteristics

    Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.
  • Page 788 To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
  • Page 789: Allocating Buffer Space Between The Ingress Queues

    SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
  • Page 790: Configuring The Ingress Priority Queue

    Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
  • Page 791: Configuring Egress Queue Characteristics

    • Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
  • Page 792: Configuration Guidelines

    Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 793 Map the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode.
  • Page 794: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 795 This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
  • Page 796: Configuring Srr Shaped Weights On Egress Queues

    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 797: Configuring Srr Shared Weights On Egress Queues

    1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3. Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Page 798: Configuring The Egress Expedite Queue

    Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
  • Page 799: Displaying Standard Qos Information

    [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp] Display QoS mapping information. show mls qos queue-set [qset-id] Display QoS settings for the egress queues.
  • Page 800 EXEC command to display classification information for incoming traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting.
  • Page 801: Understanding Ip Routing

    For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Understanding IP Routing, page 34-1...
  • Page 802: Types Of Routing

    If a stack master fails, the stack detects that the stack master is down and elects a stack member to be the new stack master. Except for a momentary interruption, the hardware continues to forward packets.
  • Page 803: C H A P T E R 34 Configuring Static Ip Unicast Routing

    By default, IP routing is disabled on the switch. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software Releases > 12.2 Mainline > Configuration Guides.
  • Page 804: Assigning Ip Addresses To Svis

    Return to privileged EXEC mode. Step 5 show interfaces [interface-id] Verify your entries. show ip interface [interface-id] show running-config interface [interface-id] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 805: Configuring Static Unicast Routes

    [address [mask] [longer-prefixes]] | Display the state of the routing table. show ip route summary Display the state of the routing table in summary form. show platform ip unicast Display platform-dependent IP unicast information.
  • Page 806 Chapter 34 Configuring Static IP Unicast Routing Monitoring and Maintaining the IP Network
  • Page 807 IPv4 and IPv6 switch database management (SDM) template. See the “Dual IPv4 and IPv6 Protocol Stacks” section on page 35-4. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: “Understanding IPv6”...
  • Page 808: C H A P T E R 35 Configuring Ipv6 Host Functions

    • Use the Search field to locate the Cisco IOS software documentation. For example, if you want information about static routes, you can enter Implementing Static Routes for IPv6 in the search field to get this document about static routes: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-stat_routes_ps6441_TSD_Pro...
  • Page 809: Supported Ipv6 Host Features

    For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. DNS for IPv6 IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
  • Page 810: Icmpv6

    For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. IPv6 Applications...
  • Page 811: Snmp And Syslog Over Ipv6

    TCAM capacity for each resource. For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. SNMP and Syslog Over IPv6 To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports.
  • Page 812: Http(S) Over Ipv6

    Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made. For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 813: Configuring Ipv6

    • all-routers link-local multicast group FF02::2 For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 814 Output from the show ipv6 interface EXEC command shows how the interface ID (20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface. Switch(config)# sdm prefer dual-ipv4-and-ipv6 default Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui 64 Switch(config-if)# end
  • Page 815: Configuring Ipv6 Icmp Rate Limiting

    Switch(config-if)# end For more information about configuring DRP for IPv6, see the “Implementing IPv6 Addresses and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
  • Page 816: Configuring Static Routes For Ipv6

    To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol. Step 3 Return to privileged EXEC mode.
  • Page 817: Displaying Ipv6

    For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Displaying IPv6 For complete syntax and usage information on these commands, see the Cisco IOS command reference publications. Table 35-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
  • Page 818 This is an example of the output from the show ipv6 static privileged EXEC command: Switch# show ipv6 static IPv6 Static routes Code: * - installed in RIB * ::/0 via nexthop 3FFE:C000:0:7::777, distance 1
  • Page 819 UDP statistics: Rcvd: 0 input, 0 checksum errors, 0 length errors 0 no port, 0 dropped Sent: 26749 output TCP statistics: Rcvd: 0 input, 0 checksum errors Sent: 0 output, 0 retransmitted
  • Page 820 Chapter 35 Configuring IPv6 Host Functions Displaying IPv6
  • Page 821: Understanding Mld Snooping

    You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 822: Chapter 36 Configuring Ipv6 Mld Snooping

    Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
  • Page 823: Mld Queries

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2975 switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 824: Mld Reports

    If the deleted port is the last member of the multicast address, the multicast address is also deleted, and the switch sends the address leave information to all detected multicast routers.
  • Page 825: Topology Change Notification Processing

    • Configuring a Static Multicast Group, page 36-8 • Configuring a Multicast Router Port, page 36-8 • Enabling MLD Immediate Leave, page 36-9 • Configuring MLD Snooping Queries, page 36-10 • Disabling MLD Listener Message Suppression, page 36-11
  • Page 826: Default Mld Snooping Configuration

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2975 switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 827: Enabling Or Disabling Mld Snooping

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2975 switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 828: Configuring A Static Multicast Group

    (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
  • Page 829: Enabling Mld Immediate Leave

    To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit
  • Page 830: Configuring Mld Snooping Queries

    [vlan vlan-id] (Optional) Verify the MLD snooping querier information for the switch or for the VLAN. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 831: Disabling Mld Listener Message Suppression

    Verify that IPv6 MLD snooping report suppression is disabled. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To re-enable MLD message suppression, use the ipv6 mld snooping listener-message-suppression global configuration command.
  • Page 832: Displaying Mld Snooping Information

    • Enter user to display MLD snooping user-configured group information for the switch or for a VLAN. show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] Display MLD snooping for the specified VLAN and IPv6 multicast address.
  • Page 833 Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on the Catalyst 2975 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 834: Understanding Etherchannels

    An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 37-1. Figure 37-1 Typical EtherChannel Configuration [figure labels: Catalyst 8500 series switch; Gigabit EtherChannel; 1000BASE-X links; 10/100 switched links; workstations]
  • Page 835: C H A P T E R 37 Configuring Etherchannels And Link-State Tracking

    EtherChannel are blocked from returning on any other link of the EtherChannel. Figure 37-2 Single-Switch EtherChannel [figure labels: Catalyst 2975 switch stack; Switch 1, Switch 2, Switch 3; stack port connections; Switch A; channel group 1; channel group 2]
  • Page 836: Port-Channel Interfaces

    If you use a new number, the channel-group command dynamically creates a new port channel. Each EtherChannel has a port-channel logical interface numbered from 1 to 6. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
  • Page 837: Port Aggregation Protocol

    Layer 2 EtherChannel as a trunk. Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 838: Pagp Modes

    (VSLs) that carry control and data traffic between them. One of the switches is in active mode. The others are in standby mode. For redundancy, remote switches, such as Catalyst 2975 switches, are connected to the virtual switch by remote satellite links (RSLs).
  • Page 839: Pagp Interaction With Other Features

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 840: Lacp Interaction With Other Features

    Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • Page 841 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
  • Page 842: Etherchannel And Switch Stacks

    STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover. For more information about switch stacks, see Chapter 6, “Managing Switch Stacks.”
  • Page 843: Configuring Etherchannels

    LACP system priority: 32768. LACP system ID: LACP system priority and the stack MAC address. Load balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 844: Etherchannel Configuration Guidelines

    If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or IEEE 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.
  • Page 845: Configuring Layer 2 Etherchannels

    Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 846 Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 847: Configuring Etherchannel Load Balancing

    Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source-based or destination-based forwarding methods. For more information, see the “Load Balancing and Forwarding Methods” section on page 37-8.
  • Page 848: Configuring The Pagp Learn Method And Priority

    You also must set the load-distribution method to source-based distribution, so that any given source MAC address is always sent on the same physical port.
  • Page 849 When the link partner of the switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 2975 switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command. Set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
  • Page 850: Configuring Lacp Hot-Standby Ports

    LACP-configured channel. By changing this value from the default, you can affect how the software selects active and standby links. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag). Catalyst 2975 Switch Software Configuration Guide 37-18 OL-19720-02...
  • Page 851: Configuring The Lacp Port Priority

    For priority, the range is 1 to 65535. The default is 32768. The lower the value, the more likely that the port will be used for LACP transmission. Step 4 Return to privileged EXEC mode. Catalyst 2975 Switch Software Configuration Guide 37-19 OL-19720-02...
  • Page 852: Displaying Etherchannel, Pagp, And Lacp Status

    Note An interface can be an aggregation of ports (an EtherChannel), or a single physical port in access or trunk mode. Catalyst 2975 Switch Software Configuration Guide 37-20 OL-19720-02...
  • Page 853 37-22. If the upstream link for port 6 is lost, the link states of downstream ports 1 and 2 do not change. However, if the link for upstream port 5 is also lost, the link state of the Catalyst 2975 Switch Software Configuration Guide 37-21...
  • Page 854 [Figure: link-state group 1 and link-state group 2, each with upstream ports and downstream ports connecting to Server 1, Server 2, Server 3, and Server 4; primary link and secondary link shown]
  • Page 855: Configuring Link-State Tracking

    Specify a link-state group, and configure the interface as either an upstream or downstream interface in the group. The group number can be 1 to 2; the default is 1. Step 5 Return to privileged EXEC mode.
  • Page 856: Displaying Link-State Tracking Status

    Upstream Interfaces : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn) Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis) (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled For detailed information about the fields in the display, see the command reference for this release.
  • Page 857: Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2975 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 858: Chapter 38 Troubleshooting

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 859: Recovering from a Lost or Forgotten Password

    Step 11 After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into flash memory. Step 12 Boot the newly downloaded Cisco IOS image: switch: boot flash:image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch or to the switch stack.
  • Page 860: Procedure with Password Recovery Enabled

    Step 2 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port. Step 3 Load any helper files: switch: load_helper
  • Page 861 The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces. Step 12 Return to privileged EXEC mode: Switch(config)# exit Switch#
  • Page 862: Procedure with Password Recovery Disabled

    Step 1 Elect to continue with password recovery and lose the existing configuration: Would you like to reset the system back to the default configuration (y/n)? Y Step 2 Load any helper files: Switch: load_helper
  • Page 863 VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command. Step 10 You must now reconfigure the switch. If the system administrator has the backup switch and VLAN configuration files available, you should use those.
  • Page 864: Preventing Switch Stack Problems

    Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com. HSRP is the preferred method for supplying redundancy to a cluster.
  • Page 865: Replacing a Failed Command Switch with a Cluster Member

    From privileged EXEC mode, enter setup, and press Return. Switch# setup --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help.
  • Page 866 Step 17 Start your browser, and enter the IP address of the new command switch. Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
  • Page 867: Replacing a Failed Command Switch with Another Switch

    Step 9 When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again. When prompted, make sure to enable the switch as the cluster command switch, and press Return.
  • Page 868: Recovering from Lost Cluster Member Connectivity

    If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. Note The speed parameter can adjust itself even if the connected port does not autonegotiate.
  • Page 869: Troubleshooting Power over Ethernet Switch Ports

    Disabled Port Caused by Power Loss If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
  • Page 870: Monitoring SFP Module Status

    If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module.
  • Page 871: Using Layer 2 Traceroute

    The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
  • Page 872: Usage Guidelines

    Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP.
  • Page 873: Displaying the Physical Path

    ICMP port-unreachable error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.
  • Page 874: Executing IP Traceroute

    Port unreachable. To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
  • Page 875: Using TDR

    These sections explain how to use debug commands to diagnose and resolve internetworking problems: • Enabling Debugging on a Specific Feature, page 38-20 • Enabling All-System Diagnostics, page 38-20 • Redirecting Debug and Error Message Output, page 38-21
  • Page 876: Enabling Debugging On A Specific Feature

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 877: Redirecting Debug And Error Message Output

    Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs). However, packet forwarding information can also be helpful in troubleshooting.
  • Page 878 Src Real Vlan Id:5, Mapped Vlan Id:5 Ingress: Lookup Key-Used Index-Hit A-Data InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000 L2Local 80_00050009_43A80145-00_00000000_00000000 00086 02010197 Station Descriptor:F0050003, DestIndex:F005, RewriteIndex:0003 ========================================== Egress:Asic 3, switch 1 Output Packets: ------------------------------------------
  • Page 879: Using the crashinfo Files

    Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and other switch-specific information. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 880: Memory Consistency Check Routines

    Switch# show platform tcam errors TCAM Memory Consistency Checker Errors -------------------------------------- TCAM Space Values Masks Fixups Retries Failures Unassigned 0 HFTM HQATM Switch# The display provides information about TCAM portions that were checked for integrity.
  • Page 881: Troubleshooting Tables

    For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release. Troubleshooting Tables These tables are a condensed version of troubleshooting documents on Cisco.com. • “Troubleshooting CPU Utilization” section on page 38-25 ...
  • Page 882: Verifying the Problem and Cause

    This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning: • The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts ...
  • Page 883: Troubleshooting Power over Ethernet (PoE)

    (available PoE). Use the show inline power and show inline power detail commands to verify the amount of available power. For more information, see No PoE On One Port on Cisco.com.
  • Page 884 This normally produces an alarm. Check the log again for alarms reported earlier by system messages. For more information, see No PoE On Any Port or a Group of Ports on Cisco.com.
  • Page 885 A non-Cisco powered device is connected to a Cisco PoE switch, but never powers on or powers on and then quickly powers off. Non-PoE devices work normally. Verify that sufficient power is available for the powered device type before you connect it. Use the show interface status command to verify that the switch detects the ...
  • Page 886: Troubleshooting StackWise

    Cable Connections). • Enter the show switch privileged EXEC command to see whether the new switch shows as Ready, Progressing, or Provisioned. • Check the status of stack members (see Verifying StackWise Cable Connections).
  • Page 887 Typical Sequence States and Rules.) Stack members running different major or minor versions of the Cisco IOS software: stack members need to be upgraded (see Quick-and-Easy Catalyst 3750 and Catalyst 3750E Switch Stack Upgrades). Defective StackWise switch interface or cable (StackWise link connection): look at the LED behavior.
  • Page 889: Supported MIBs

    • CISCO-CLUSTER-MIB • CISCO-CONFIG-COPY-MIB • CISCO-CONFIG-MAN-MIB • CISCO-ENTITY-VENDORTYPE-OID-MIB • CISCO-ENVMON-MIB • CISCO-ERR-DISABLE-MIB • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-IETF-IP-MIB • CISCO-IETF-IP-FORWARDING-MIB • CISCO-IGMP-FILTER-MIB
  • Page 890 • CISCO-MEMORY-POOL-MIB (Only stack master image details are shown.) • CISCO-NAC-NAD-MIB • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PORT-QOS-MIB (only the packet counters are supported; the octet counters are not supported) • CISCO-POWER-ETHERNET-EXT-MIB • CISCO-PRODUCTS-MIB • CISCO-PROCESS-MIB (Only stack master details are shown.) ...
  • Page 891: Using FTP to Access the MIB Files

    • SNMPv2-MIB • TCP-MIB • UDP-MIB Note You can also use this URL for a list of supported MIBs for the Catalyst 2975 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat2975/cat2975-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 893: Working with the Cisco IOS File System, Configuration Files, and Software Images

    Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 2975 switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 894: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System These sections contain this configuration information: • Displaying Available File Systems, page B-2 • , page B-2 • Displaying Information about Files on a File System, page B-3 ...
  • Page 895: Setting the Default File System

    Table B-1 show file systems Field Descriptions (continued): Flags: Permission for file system. ro: read-only. rw: read/write. wo: write-only. Prefixes: Alias for file system.
  • Page 896: Changing Directories and Displaying the Working Directory

    Table B-2 Commands for Displaying Information About Files (continued): show file information file-url: Display information about a specific file.
  • Page 897: Copying Files

    For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.
  • Page 898: Creating, Displaying, and Extracting tar Files

    Caution When files are deleted, their contents cannot be recovered. This example shows how to delete the file myconfig from the default flash memory device:...
  • Page 899: Displaying the Contents of a tar File

    Displaying the Contents of a tar File To display the contents of a tar file on the screen, use this privileged EXEC command: archive tar /table source-url For source-url, specify the source URL alias for the local or network file system.
  • Page 900: Displaying the Contents of a File

    6-13. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 3, “Assigning the Switch IP Address and Default...
  • Page 901: Guidelines for Creating and Using Configuration Files

    You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.
  • Page 902: Configuration File Types and Location

    Configuration File Types and Location Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different.
  • Page 903: Downloading the Configuration File by Using TFTP

    Make sure that the /etc/services file contains this line: tftp 69/udp You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files.
  • Page 904: Uploading the Configuration File by Using TFTP

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 905: Preparing to Download or Upload a Configuration File by Using FTP

    If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username.
  • Page 906: Uploading a Configuration File by Using FTP

    Command Purpose Step 6 Return to privileged EXEC mode. Step 7 copy ftp:[[[//[username[:password]@]location]/directory]... Using FTP, copy the configuration file from a network ...
  • Page 907: Copying Configuration Files by Using RCP

    Command Purpose Step 1 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
  • Page 908: Preparing to Download or Upload a Configuration File by Using RCP

    RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 909: Downloading a Configuration File by Using RCP

    Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:...
  • Page 910: Uploading a Configuration File by Using RCP

    Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:...
  • Page 911: Clearing the Startup Configuration File

    Replacing and Rolling Back Configurations The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information: • Understanding Configuration Replacement and Rollback, page B-19 ...
  • Page 912 EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
  • Page 913: Configuration Guidelines

    • replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command). Note If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices.
  • Page 914: Performing a Configuration Replacement or Rollback Operation

    Command Purpose Step 5 time-period minutes (Optional) Set the time increment for automatically saving an archive file of the running configuration in the configuration archive.
  • Page 915: Working with Software Images

    If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
  • Page 916: Image Location On The Switch

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 917: Copying Image Files by Using TFTP

    total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them. image_feature: Describes the core functionality of the image...
  • Page 918: Downloading an Image File by Using TFTP

    Make sure that the /etc/services file contains this line: tftp 69/udp You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files.
  • Page 919 Command Purpose Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image.
  • Page 920: Uploading an Image File by Using TFTP

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 921: Preparing to Download or Upload an Image File by Using FTP

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC ...
  • Page 922: Downloading an Image File by Using FTP

    The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username.
  • Page 923 Command Purpose Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and keep the current image.
  • Page 924: Uploading an Image File by Using FTP

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 925: Copying Image Files by Using RCP

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: ...
  • Page 926: Downloading an Image File by Using RCP

    For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
  • Page 927 Command Purpose Step 5 Return to privileged EXEC mode. Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 928: Uploading an Image File by Using RCP

    If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
  • Page 929: Copying an Image File from One Stack Member to Another

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 930 Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:...
  • Page 931: Access Control Lists

    This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2975 switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. These...
  • Page 932: Appendix C Unsupported Commands in Cisco IOS Release 12.2(55)SE

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(55)SE Boot Loader Commands show access-lists rate-limit [destination] show accounting show ip accounting [checkpoint] [output-packets | access violations] show ip cache [prefix-mask] [type number] Unsupported Global Configuration Commands access-list rate-limit acl-index {precedence | mask prec-mask}...
  • Page 933: Interface Commands

    Interface Commands Unsupported Privileged EXEC Commands show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb | random-detect | rate-limit | shape]...
  • Page 934: Unsupported Global Configuration Commands

    Miscellaneous Unsupported Global Configuration Commands mac-address-table aging-time mac-address-table notification mac-address-table static Miscellaneous Unsupported User EXEC Commands verify Unsupported Privileged EXEC Commands file verify auto show cable-diagnostics prbs test cable-diagnostics prbs Unsupported Global Configuration Commands...
  • Page 935: Unsupported Global Configuration Command

    Unsupported Global Configuration Command priority-list Unsupported Interface Configuration Commands priority-group rate-limit Unsupported Policy-Map Configuration Command class class-default where class-default is the class-map-name. RADIUS Unsupported Global Configuration Commands aaa nas port extended...
  • Page 936: SNMPv3

    SNMPv3 Unsupported 3DES Encryption Commands Spanning Tree Unsupported Global Configuration Command spanning-tree pathcost method {long | short} Unsupported Interface Configuration Command spanning-tree stack-port VLAN Unsupported Global Configuration Command vlan internal allocation policy {ascending | descending}...
  • Page 937: Unsupported Privileged EXEC Commands

    Unsupported VLAN Database Commands vlan show vlan private-vlan Unsupported Privileged EXEC Commands vtp {password password | pruning | version number} This command has been replaced by the vtp global configuration command.
  • Pages 939 to 982: Index (IN-1 through IN-44). The multi-column index was flattened during extraction and its entries and page references no longer line up. The entries cover the guide's chapters: ACLs, authentication and IEEE 802.1x, CDP and LLDP, DHCP snooping and IP source guard, EtherChannel, IGMP snooping, IPv6, the MAC address table, MSTP, STP and PVST+, QoS, RADIUS, RMON, SNMP, SPAN and RSPAN, SSH and HTTPS, switch stacks, VLANs and VTP.