Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual

Software guide
Software Configuration Guide

Catalyst 4000 Family
Catalyst 2948G
Catalyst 2980G
Software Releases 6.3 and 6.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7812647=
Text Part Number: 78-12647-02

Summary of Contents for Cisco WS-C4003 - Catalyst 4000 Chassis Switch

  • Page 1: Software Configuration Guide

    Software Configuration Guide Catalyst 4000 Family Catalyst 2948G Catalyst 2980G Software Releases 6.3 and 6.4 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7812647=...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Documentation Feedback xxviii Obtaining Technical Assistance xxviii Cisco.com xxviii Technical Assistance Center xxviii Cisco TAC Web Site xxix Cisco TAC Escalation Center xxix Getting Started PART Product Overview CHAPTER Catalyst 4000 Family Switches...
  • Page 4 Contents Abbreviating a Command Completing a Partial Command Scrolling Down a Line or a Screen Using Command Aliases Specifying Modules, Ports, and VLANs Specifying MAC Addresses Specifying IP Addresses, Host Names, and IP Aliases ROM Monitor Command-Line Interface Catalyst 4003 Bootup Display Example Configuring the Switch IP Address and Default Gateway CHAPTER Understanding the Switch Management Interfaces...
  • Page 5 Contents Setting the Port Duplex Mode Configuring a Timeout Period for Ports in errdisable State Checking Connectivity Configuring Gigabit Ethernet Switching CHAPTER Understanding How Gigabit Ethernet Works Understanding How Gigabit Ethernet Flow Control Works Flow-Control Overview Sending and Receiving Pause Frames Using Flow-Control Keywords...
  • Page 6 Contents Displaying EtherChannel Traffic Statistics 6-10 Displaying EtherChannel PAgP Statistics 6-11 EtherChannel Configuration Examples 6-11 Four-Port Fast EtherChannel Configuration Example 6-11 Two-Port Gigabit EtherChannel Configuration Example 6-13 Spanning Tree PART Configuring Spanning Tree CHAPTER How Spanning Tree Protocols Work How a Topology Is Created How a Switch or Port Becomes the Root Switch or Root Port...
  • Page 7 Contents Configuring MISTP Bridge ID Priority 7-21 Configuring MISTP Port Cost 7-22 Configuring MISTP Port Priority 7-22 Configuring MISTP Port Instance Cost 7-23 Configuring MISTP Port Instance Priority 7-23 Enabling a MISTP Instance 7-24 Mapping VLANs to a MISTP Instance 7-25 Determining MISTP Instance—VLAN Mapping Conflicts 7-25...
  • Page 8 Contents Enabling UplinkFast Disabling UplinkFast 8-10 Understanding How BackboneFast Works 8-11 Configuring BackboneFast 8-13 Enabling BackboneFast 8-13 Displaying BackboneFast Statistics 8-14 Disabling BackboneFast 8-14 Understanding How Loop Guard Works 8-15 Configuring Loop Guard 8-17 Enabling Loop Guard 8-17 Disabling Loop Guard 8-17 Configuring VLANs and VLAN Trunks PART...
  • Page 9 Contents Creating or Modifying an Ethernet VLAN 10-4 Assigning Switch Ports to a VLAN 10-4 Mapping 802.1Q VLANs to ISL VLANs 10-5 Clearing 802.1Q-to-ISL VLAN Mappings 10-6 Deleting a VLAN 10-7 Configuring Private VLANs 10-7 Understanding How Private VLANs Work 10-7 Private VLAN Configuration Guidelines 10-9...
  • Page 10 Contents Configuring VMPS and Dynamic Port VLAN Membership 12-3 Creating the VMPS Database 12-3 Configuring VMPS 12-4 Configuring Dynamic Ports on VMPS Clients 12-5 Configuring Static VLAN Port Membership 12-6 Troubleshooting VMPS and Dynamic Port VLAN Membership 12-6 Troubleshooting VMPS 12-6 Troubleshooting Dynamic Port VLAN Membership 12-7...
  • Page 11 Contents Directing and Filtering Traffic PART Configuring QoS 14-1 CHAPTER Understanding How QoS Works 14-1 Overview of QoS 14-1 QoS Terminology 14-2 Understanding Classification and Marking at the Ingress Port 14-3 Understanding Scheduling 14-3 Software Requirements...
  • Page 12 Contents Enabling GMRP Globally 15-9 Enabling GMRP on Individual Switch Ports 15-10 Disabling GMRP on Individual Switch Ports 15-10 Enabling GMRP Forward-All Option 15-11 Disabling GMRP Forward-All Option 15-11 Configuring GMRP Registration 15-12 Setting Normal Registration Mode 15-12 Setting Fixed Registration Mode 15-12 Setting Forbidden Registration Mode 15-13...
  • Page 13 Contents Adding IP Addresses to the IP Permit List 17-2 Enabling IP Permit List 17-3 Disabling the IP Permit List 17-4 Clearing an IP Permit List Entry 17-4 Configuring Protocol Filtering 18-1 CHAPTER Understanding How Protocol Filtering Works 18-1 Default Protocol Filtering Configuration 18-2...
  • Page 14 Contents Setting the CDP Global Enable State 20-2 Setting the CDP Enable State on a Port 20-3 Setting the CDP Message Interval 20-4 Setting the CDP Holdtime 20-4 Displaying CDP Neighbor Information 20-4 Using Switch TopN Reports 21-1 CHAPTER Understanding How Switch TopN Reports Works 21-1 Overview of Switch TopN Reports...
  • Page 15 Contents Dispatcher 23-8 Message Processing Subsystem 23-8 Security Subsystem 23-9 Access Control Subsystem 23-9 Applications 23-9 Configuring SNMPv3 from an NMS 23-10 Configuring SNMPv3 from the CLI 23-10 Using CiscoWorks2000 23-13 Configuring RMON 24-1 CHAPTER Understanding How RMON Works 24-1 Enabling RMON...
  • Page 16 Contents Configuring a Single RSPAN Session 25-14 Modifying an Active RSPAN Session 25-14 Adding RSPAN Source Ports in Intermediate Switches 25-15 Administering the Switch PART Administering the Switch 26-1 CHAPTER Setting the System Name and System Prompt 26-1 Configuring a Static System Name and Prompt 26-2...
  • Page 17 Contents Understanding How RADIUS Authentication Works 27-4 Understanding How Kerberos Authentication Works 27-4 Using Kerberized Login Procedure 27-6 Using a Non-Kerberized Login Procedure 27-6 Understanding How 802.1x Authentication Works 27-7 Traffic Control 27-9 Authentication Server 27-9 802.1x Parameters Configurable on the Switch 27-9 Configuring Authentication 27-9...
  • Page 18 Contents Clearing the RADIUS Key 27-28 Disabling RADIUS Authentication 27-29 Configuring Kerberos Authentication 27-30 Enabling Kerberos 27-31 Defining the Kerberos Local-Realm 27-31 Specifying a Kerberos Server 27-32 Mapping a Kerberos Realm to a Host Name or DNS Domain 27-33 Copying SRVTAB Files 27-33 Deleting an SRVTAB Entry 27-34...
  • Page 19 Contents Configuring Authorization 27-51 Authorization Default Configuration 27-51 TACACS+ Authorization Configuration Guidelines 27-51 Configuring TACACS+ Authorization 27-51 Enabling TACACS+ Authorization 27-52 Disabling TACACS+ Authorization 27-53 Authorization Example 27-54 Understanding How Accounting Works 27-55 Accounting Overview 27-56 Accounting Events 27-56 Specifying When to Create Accounting Records 27-57 Specifying RADIUS Servers 27-57...
  • Page 20 Contents Setting and Clearing the CONFIG_FILE Environment Variable 28-8 Setting the Variable 28-8 Clearing the Variable Settings 28-8 Displaying the Switch Boot Configuration 28-9 Working with System Software Images 29-1 CHAPTER Software Image Naming Conventions 29-1 Downloading System Software Images to the Switch Using TFTP 29-1...
  • Page 21 Contents Working with Configuration Files 31-1 CHAPTER Guidelines for Creating and Using Configuration Files 31-1 Creating a Configuration File 31-2 Configuring the Switch Using a File in Flash Memory 31-2 Copying Configuration Files Using TFTP 31-3 Downloading Configuration Files from a TFTP Server 31-3...
  • Page 22 Contents Displaying the Logging Configuration 33-8 Displaying System Messages 33-9 Configuring DNS 34-1 CHAPTER Understanding How DNS Works 34-1 DNS Default Configuration 34-1 Configuring DNS 34-2 Setting Up and Enabling DNS 34-2 Clearing a DNS Server 34-3 Clearing the DNS Domain Name 34-3...
  • Page 23 Preface This preface describes the intended audience for this manual, how it is organized, the document conventions, and how to obtain additional documentation and technical support. Audience This guide is for experienced network administrators who are responsible for configuring and maintaining Catalyst enterprise LAN switches.
  • Page 24 Chapter 14 Configuring QoS Describes how to configure quality of service (QoS). Chapter 15 Configuring Multicast Services Describes how to configure Cisco Group Management Protocol (CGMP), Internet Group Management Protocol (IGMP) snooping, and GARP Multicast Registration Protocol (GMRP) on the switch.
  • Page 25: Related Documentation

    Preface Related Documentation Chapter Title Description Chapter 24 Configuring RMON Describes how to configure Remote Monitoring (RMON) on the switch. Chapter 25 Configuring SPAN and RSPAN Describes how to configure the Switch Port Analyzer (SPAN) on the switch. Part 7—Administering the Switch Chapter 26 Administering the Switch Describes how to set the system name, create a login...
  • Page 26 Preface Conventions Conventions Throughout this publication, these conventions are used when referring to switch platforms: • Catalyst enterprise LAN switches—Refers to the Catalyst 4000 family, Catalyst 2948G, and Catalyst 2980G switches. • Catalyst 4000 family switches—Refers to the Catalyst 4003, Catalyst 4006, and Catalyst 4912G switches.
  • Page 27: Obtaining Documentation

    Obtaining Documentation These sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com Translated documentation is available at this URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 28: Documentation Feedback

    Order Cisco learning materials and merchandise • Register for online skill assessment, training, and certification programs If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL: http://www.cisco.com Technical Assistance Center The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution.
  • Page 29 Cisco TAC Web Site You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL: http://www.cisco.com/tac...
  • Page 30 Preface Obtaining Technical Assistance Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02...
  • Page 31 PART Getting Started...
  • Page 33: Product Overview

    CHAPTER Product Overview The Catalyst enterprise LAN switches facilitate the migration from traditional shared-hub LANs to large-scale, fully integrated internetworks. These switches provide switched connections to individual workstations, servers, LAN segments, backbones, or other switches, using a variety of media. This chapter consists of these sections: Catalyst 4000 Family Switches, page 1-1 •...
  • Page 34: Chapter 1 Product Overview

    Chapter 1 Product Overview Catalyst 2948G Switch Table 1-1 Catalyst 4000 Family Switches (continued) Product Number Chassis Description WS-C4006 Catalyst 4006 Modular 6-slot chassis • 30-Gbps backplane • Two power supplies, with optional third power supply • WS-C4912G Catalyst 4912G •...
  • Page 35: Catalyst 2980G Switch

    Chapter 1 Product Overview Supervisor Engine Software Table 1-3 Catalyst 2980G Switch Product Number Chassis Description WS-C2980G Catalyst 2980G • Fixed configuration switch • 12-Gbps backplane • Optional redundant power supplies • Two 1000BASE-X (GBIC) Gigabit Ethernet ports • 80 10/100BASE-TX Fast Ethernet ports...
  • Page 36: Supervisor Engine Software

    Chapter 1 Product Overview Supervisor Engine Software Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02...
  • Page 37: Overview of the Switch CLI

    Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches. For descriptions of the commands used to configure the Route Switch Module (RSM) and Route Switch Feature Card (RSFC), refer to the Cisco IOS software command reference publications. This chapter consists of these sections: •...
  • Page 38: Chapter 2 Using the Command-Line Interface

    “Catalyst 4003 Bootup Display Example” section on page 2-9). If the switch is already booted, press Enter to see this display: Cisco Systems, Inc. Console Enter password: After you successfully connect to the switch through the console port, you can enter normal-mode commands to monitor the switch or enter privileged mode to change the configuration.
  • Page 39: Switch CLI Command Modes

    Trying 172.16.10.10... Connected to Catalyst_1. Escape character is '^]'. Cisco Systems Console Enter password: After you successfully connect to the switch using Telnet, you can enter normal-mode commands to monitor the switch or enter privileged mode to change the configuration. For more information, see the “Switch CLI Command Modes”...
  • Page 40: Accessing Help

    Step 3 To disconnect from the switch CLI, enter the exit command. Console> exit Session Disconnected... Cisco Systems Console Fri Aug 27 1999, 16:14:41 Enter password: Many commands (for example, commands that modify the configuration) can be entered only in privileged mode.
  • Page 41: Command-Line Editing

    Chapter 2 Using the Command-Line Interface Command-Line Editing To use the partial-keyword-lookup function, enter ? to display a list of commands that begin with a specific set of characters. Do not insert a space between the last letter of the variable and the question mark (?).
  • Page 42: Abbreviating A Command

    Chapter 2 Using the Command-Line Interface Abbreviating a Command Table 2-2 History Substitution Commands Command Function Repeating recent commands: Repeat the most recent command. !-nn Repeat the nnth most recent command. Repeat command n. !aaa Repeat the command beginning with string aaa. !?aaa Repeat the command containing the string aaa.
  • Page 43: Scrolling Down A Line Or A Screen

    Chapter 2 Using the Command-Line Interface Scrolling Down a Line or a Screen Scrolling Down a Line or a Screen When the output of a command fills more than one terminal screen, a ---More--- prompt is displayed at the bottom of the screen.
  • Page 44: Specifying MAC Addresses

    Chapter 2 Using the Command-Line Interface Specifying MAC Addresses With many commands, you can enter lists of ports. To specify a range of ports, use a comma-separated list (do not insert spaces) to specify individual ports or a hyphen (-) between the port numbers to specify a range of ports.
  • Page 45: ROM Monitor Command-Line Interface

    Chapter 2 Using the Command-Line Interface ROM Monitor Command-Line Interface ROM Monitor Command-Line Interface The ROM monitor is a ROM-based program that executes when the switch is powered on, reset, or when a fatal exception occurs. The system enters ROM monitor mode if the nonvolatile RAM (NVRAM) configuration is corrupted, if the switch does not find a valid system image or if the configuration register is set to enter ROM monitor mode.
  • Page 46 IP address for Catalyst not configured BOOTP/DHCP will commence after the ports are online Ports are coming online ... Cisco Systems, Inc. Console Enter password: 1999 Aug 12 14:34:05 %SYS-5-MOD_OK:Module 1 is online 1999 Aug 12 14:34:08 %SYS-5-MOD_OK:Module 3 is online...
  • Page 47: Understanding The Switch Management Interfaces

    The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), and VLAN membership. The out-of-band management interfaces (me1 and sl0) are not connected to the switching fabric and do not participate in any of these functions.
  • Page 48: Chapter 3 Configuring the Switch IP Address and Default Gateway

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding Automatic IP Configuration When you configure the IP address, subnet mask, and broadcast address (and, on the sc0 interface, VLAN membership) of the sc0 or me1 interface, you can access the switch through Telnet or SNMP. When you configure the SLIP (sl0) interface, you can open a point-to-point connection to the switch through the console port from a workstation.
  • Page 49: Understanding How DHCP Works

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding Automatic IP Configuration Note If the CONFIG_FILE environment variable is set, all configuration files are processed before the switch determines whether to broadcast DHCP and RARP requests. For more information about the CONFIG_FILE environment variable, see Chapter 28, “Modifying the Switch Boot Configuration.”...
  • Page 50: Understanding How RARP Works

    Chapter 3 Configuring the Switch IP Address and Default Gateway Preparing to Configure the IP Address and Default Gateway Table 3-1 Supported DHCP Options (continued) Code Option IP address lease time Option overload Client-identifier TFTP server name If a BOOTP response is received from a BOOTP server, the switch sets the in-band (sc0) interface IP address to the address specified in the BOOTP response.
  • Page 51: Default IP Address and Default Gateway Configuration

    Chapter 3 Configuring the Switch IP Address and Default Gateway Default IP Address and Default Gateway Configuration – Out-of-band management Ethernet (me1) interface Configure this interface when assigning an IP address and subnet mask to the out-of-band management Ethernet interface on the switch. –...
  • Page 52: Setting the Management Ethernet (me1) Interface IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Setting the Management Ethernet (me1) Interface IP Address This example shows how to assign an IP address, specify the number of subnet bits, and specify the VLAN assignment for the in-band (sc0) interface: Console>...
  • Page 53: Configuring Default Gateways

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring Default Gateways Configuring Default Gateways The supervisor engine sends IP packets destined for other IP subnets to the default gateway (typically a router interface in the same network or subnet as the switch IP address). The switch does not use the IP routing table to forward traffic from connected devices, only IP traffic generated by the switch itself (for example, Telnet, TFTP, and ping).
  • Page 54: Configuring the SLIP (sl0) Interface on the Console Port

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring the SLIP (sl0) Interface on the Console Port ------------- -------- ----------- enabled enabled enabled The primary gateway: 10.1.1.1 Destination Gateway RouteMask Flags Interface --------------- --------------- ---------- ----- -------- --------- default 10.1.1.1 default...
  • Page 55 This example shows how to configure SLIP on the console port and verify the configuration: sparc20% telnet 172.20.52.38 Trying 172.20.52.38 ... Connected to 172.20.52.38. Escape character is '^]'. Cisco Systems, Inc. Console Enter password: Console> enable Enter password: Console> (enable) set interface sl0 10.1.1.1 10.1.1.2 Interface sl0 slip and destination address set.
  • Page 56: Using DHCP or RARP to Obtain an IP Address Configuration

    Chapter 3 Configuring the Switch IP Address and Default Gateway Using DHCP or RARP to Obtain an IP Address Configuration Using DHCP or RARP to Obtain an IP Address Configuration Note For complete information on how the switch uses DHCP or RARP to obtain its IP configuration, see the “Understanding Automatic IP Configuration”...
  • Page 57: Renewing and Releasing a DHCP-Assigned IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address Console> (enable) show interface sl0: flags=51<UP,POINTOPOINT,RUNNING> slip 0.0.0.0 dest 0.0.0.0 sc0: flags=63<UP,BROADCAST,RUNNING> vlan 1 inet 172.20.25.244 netmask 255.255.255.0 broadcast 172.20.25.255 dhcp server: 172.20.25.254 Console>...
  • Page 58 Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 3-12 78-12647-02...
  • Page 59: Configuring Ethernet Switching

    PART Configuring Ethernet Switching...
  • Page 61: Understanding How Ethernet Works

    CHAPTER Configuring Ethernet and Fast Ethernet Switching This chapter describes how to configure Ethernet and Fast Ethernet switching on the Catalyst enterprise LAN switches. The configuration tasks in this chapter apply to Ethernet and Fast Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet uplink ports.
  • Page 62: Chapter 4 Configuring Ethernet and Fast Ethernet Switching

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Default Ethernet and Fast Ethernet Configuration The Catalyst enterprise LAN switches solve congestion problems caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps segment.
  • Page 63: Configuring Ethernet And Fast Ethernet Ports

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Table 4-1 Ethernet and Fast Ethernet Default Configuration (continued) Feature Default Value Port priority Normal Duplex mode • Autonegotiate speed and duplex for 10/100-Mbps Fast Ethernet ports • Autonegotiate duplex for 100-Mbps Fast Ethernet ports...
  • Page 64: Setting The Port Priority Level

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Console> (enable) set port name 1/2 Server Link Port 1/2 name set. Console> (enable) show port 1 Port Name Status Vlan Level Duplex Speed Type ----- ------------------ ---------- ---------- ------ ------ ----- ------------ Router Connection connected trunk...
  • Page 65: Setting The Port Duplex Mode

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Note If the port speed is set to auto on a 10/100-Mbps Fast Ethernet port, both speed and duplex are autonegotiated. To set the port speed for a 10/100-Mbps port, perform this task in privileged mode: Task Command Step 1...
  • Page 66: Configuring A Timeout Period For Ports In Errdisable State

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Configuring a Timeout Period for Ports in errdisable State A port is in errdisable state if it is enabled in NVRAM, but disabled at runtime by any process. For example, if UniDirectional Link Detection (UDLD) detects a unidirectional link, the port shuts down at runtime.
  • Page 67: Checking Connectivity

    Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Checking Connectivity Note For more detailed information on checking connectivity, see Chapter 19, “Checking Port Status and Connectivity.” Use the ping and traceroute commands to test connectivity out Ethernet or Fast Ethernet ports. To check connectivity out a port, perform this task in privileged mode: Task Command...
  • Page 68 Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02...
  • Page 69: Understanding How Gigabit Ethernet Works

    CHAPTER Configuring Gigabit Ethernet Switching This chapter describes how to configure Gigabit Ethernet switching on the Catalyst enterprise LAN switches. The configuration tasks in this chapter apply to Gigabit Ethernet switching modules, fixed-configuration switches, and uplink ports on the supervisor engine. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 70: Chapter 5 Configuring Gigabit Ethernet Switching

    Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Sending and Receiving Pause Frames All Catalyst Gigabit Ethernet ports can receive and process pause frames from other devices. However, not all Catalyst Gigabit Ethernet ports can transmit pause frames to other devices. Table 5-1 identifies the Catalyst Gigabit Ethernet switches, modules, and ports that can transmit pause frames to other devices.
  • Page 71: Understanding How Port Negotiation Works

    With Gigabit Ethernet ports, port negotiation is used to exchange flow-control parameters, remote fault information, and duplex information (even though Cisco Gigabit Ethernet ports only support full-duplex mode). With Gigabit Ethernet ports, you configure port negotiation using the set port negotiation command.
  • Page 72: Oversubscribed Gigabit Ethernet Overview

    Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Oversubscribed Gigabit Ethernet Overview The Catalyst 4000 family Gigabit Ethernet modules provide a network-backbone connection for multiple servers or high-end workstations. The following modules are supported: • WS-X4412-2GB-T This 1000BASE-T 14-port module provides 2 dedicated uplink module ports (GBIC) and 12 oversubscribed ports (possible blocking).
  • Page 73: Oversubscribed Gigabit Ethernet Example

    Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Oversubscribed Gigabit Ethernet Example Figure 5-1 shows an example of how the 18-port server switching module (WS-X4418-GB) can connect multiple network servers and high-end workstations to the Gigabit Ethernet network backbone. These configurations are shown: •...
  • Page 74: Default Gigabit Ethernet Configuration

    Chapter 5 Configuring Gigabit Ethernet Switching Default Gigabit Ethernet Configuration Default Gigabit Ethernet Configuration Table 5-7 shows the Gigabit Ethernet default configuration. Table 5-7 Gigabit Ethernet Default Configuration Feature Default Value Port enable state All ports are enabled Port name None Port priority Normal...
  • Page 75: Setting The Port Name

    Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet Setting the Port Name You can assign names to the ports on Gigabit Ethernet modules to facilitate switch administration. To assign a name to a port, perform this task in privileged mode: Task Command Step 1...
  • Page 76: Configuring Flow Control On Gigabit Ethernet Ports

    Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet <...output truncated...> Last-Time-Cleared -------------------------- Tue Dec 22 1998, 13:42:04 Console> (enable) Configuring Flow Control on Gigabit Ethernet Ports To configure flow control on a Gigabit Ethernet port, perform this task in privileged mode: Task Command Step 1...
  • Page 77: Configuring A Timeout Period For Ports In Errdisable State

    Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet ----- ---------------- enabled Console> (enable) To disable port negotiation on a 1000BASE-X Gigabit Ethernet port, perform this task in privileged mode: Task Command Step 1 Disable Gigabit Ethernet port negotiation. set port negotiation mod_num/port_num disable Step 2 Verify the port negotiation configuration.
  • Page 78 Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet This example shows how to ping a remote host and how to trace the hop-by-hop path of packets through the network using traceroute: Console> (enable) ping somehost somehost is alive Console> (enable) traceroute somehost traceroute to somehost.company.com (10.1.2.3), 30 hops max, 40 byte packets 1 engineering-1.company.com (173.31.192.206) 2 ms 1 ms 1 ms 2 engineering-2.company.com (173.31.196.204) 2 ms 3 ms 2 ms...
  • Page 79: Understanding How EtherChannel Works

    CHAPTER Configuring Fast EtherChannel and Gigabit EtherChannel This chapter describes how to configure Fast EtherChannel and Gigabit EtherChannel port bundles on the Catalyst enterprise LAN switches. The configuration tasks in this chapter apply to Fast Ethernet and Gigabit Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet and Gigabit Ethernet uplink ports.
  • Page 80: Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Understanding How EtherChannel Works EtherChannel Overview Fast EtherChannel and Gigabit EtherChannel port bundles allow you to group multiple Fast or Gigabit Ethernet ports into a single logical transmission path between the switch and a router, host, or another switch.
  • Page 81: Understanding Frame Distribution

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Understanding How EtherChannel Works There are four user-configurable channel modes: on, off, auto, and desirable. PAgP packets are exchanged only between ports in auto and desirable mode. Ports configured in on or off mode do not exchange PAgP packets.
  • Page 82: Default EtherChannel Configuration

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Default EtherChannel Configuration Default EtherChannel Configuration Table 6-2 shows the Fast EtherChannel and Gigabit EtherChannel default configuration. Table 6-2 Fast EtherChannel and Gigabit EtherChannel Default Configuration Feature Default Value Fast EtherChannel auto silent mode on all Fast Ethernet ports Gigabit EtherChannel auto silent mode on all Fast Ethernet ports Frame-distribution method...
  • Page 83: Configuring EtherChannel

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel • If you disable a port in a channel, the system considers the port as a link failure and the port’s traffic is transferred to one or more of the remaining ports in the channel. •...
  • Page 84: Defining an EtherChannel Administrative Group

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Port Device-ID Port-ID Platform ----- ------------------------------- ------------------------- ---------------- 069003103(5500) WS-C4000 069003103(5500) WS-C4000 ----- ------------------------------- ------------------------- ---------------- Console> (enable) Defining an EtherChannel Administrative Group You can define an EtherChannel administrative group manually to identify groups of ports that are allowed to form an EtherChannel bundle together.
  • Page 85: Setting the EtherChannel Spanning Tree Port Cost

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Setting the EtherChannel Spanning Tree Port Cost To set the spanning tree port cost for an EtherChannel, perform this task in privileged mode: Task Command Step 1 Determine the EtherChannel ID of the EtherChannel for which you want to set the port cost. show channel group admin_group
  • Page 86: Removing An Etherchannel Bundle

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, Configuring EtherChannel. This example shows how to set the EtherChannel VLAN cost for channel ID 768: Console> (enable) show channel group 20 (output columns: Admin group, Port, Status, Channel Mode, Channel ...; port 1/1 notconnect on; port 1/2 connected ...) Admin Port...
  • Page 87: Displaying Etherchannel Configuration Information

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, Configuring EtherChannel. Displaying EtherChannel Configuration Information: To display EtherChannel configuration information, perform one of these tasks in privileged mode: Display EtherChannel configuration information by port (command: show port channel [mod_num[/port_num]] info [spantree | trunk | protocol | gmrp | gvrp | qos]). Display EtherChannel configuration information (command: show channel group [admin_group] info...
  • Page 88: Displaying Etherchannel Traffic Statistics

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, Configuring EtherChannel. (Continuation of show port channel output: a column of channel modes reading auto-on; then columns Port, GMRP status, GMRP registration, and GMRP forwardAll with rows reading enabled, normal, disabled; then columns Port, GVRP ...)
  • Page 89: Displaying Etherchannel Pagp Statistics

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, EtherChannel Configuration Examples. Displaying EtherChannel PAgP Statistics: To display EtherChannel PAgP statistics, perform one of these tasks in privileged mode: Display EtherChannel PAgP statistics by port (command: show port channel [mod_num[/port_num]] statistics). Display EtherChannel PAgP statistics by ... (command: show channel group [admin_group] statistics...
  • Page 90 Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, EtherChannel Configuration Examples. Figure 6-1 Fast EtherChannel Port Bundle Example (figure: Switch A and Switch B joined by a Fast EtherChannel port bundle). Step 1, Make sure that all ports on Switch A and Switch B have the same port configuration, including VLAN membership, speed, and duplex.
  • Page 91: Two-Port Gigabit Etherchannel Configuration Example

    Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2 %PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3 %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-4 %PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-4 %PAGP-5-PORTTOSTP:Port 1/3 joined bridge port 1/1-4 %PAGP-5-PORTTOSTP:Port 1/4 joined bridge port 1/1-4...
  • Page 92 Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel, EtherChannel Configuration Examples. Figure 6-2 Gigabit EtherChannel Port Bundle Example (figure: Switch A and Switch B joined by a Gigabit EtherChannel port bundle). Step 1, Make sure that all ports on Switch A and Switch B have the same port configuration, such as VLAN membership.
  • Page 93 Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples Step 4 After the EtherChannel bundle is negotiated, enter the show port channel command to verify the configuration. If you configure only the ports on one side of the link on, the show port channel command will show that the ports are channeling, but no traffic will pass over the EtherChannel.
  • Page 94 Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 6-16 78-12647-02...
  • Page 95: Spanning Tree

    P A R T Spanning Tree...
  • Page 97 Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches. How Spanning Tree Protocols Work This section describes the specific functions that are common to all spanning tree protocols. Cisco’s proprietary spanning tree protocols, PVST+ and MISTP, are based on the IEEE 802.1D STP. (See the “Understanding PVST+ and MISTP Modes”...
  • Page 98: Chapter 7 Configuring Spanning Tree

    Chapter 7 Configuring Spanning Tree How Spanning Tree Protocols Work The Spanning Tree Protocol (STP) uses a distributed algorithm that selects one bridge of a redundantly connected network as the root of a spanning tree connected active topology. STP assigns roles to each port depending on what the port’s function is in the active topology.
  • Page 99: How A Switch Or Port Becomes The Root Switch Or Root Port

    Chapter 7 Configuring Spanning Tree How Spanning Tree Protocols Work How a Switch or Port Becomes the Root Switch or Root Port If all switches in a network are enabled with default settings, the switch with the lowest MAC address becomes the root switch.
  • Page 100 Chapter 7 Configuring Spanning Tree How Spanning Tree Protocols Work A BPDU exchange results in the following: • One switch is elected as the root switch. • The shortest distance to the root switch is calculated for each switch. • A designated switch is selected: the switch that is closest to the root switch through which frames will be forwarded to the root.
  • Page 101: Spanning Tree Port States

    Chapter 7 Configuring Spanning Tree, How Spanning Tree Protocols Work. Calculating the Port Cost Using the Long Method: 802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the bandwidth of the port. You can also manually assign port costs in the range 1 to 200,000,000. The formula for obtaining default 32-bit port costs is to divide the bandwidth of the port by 200,000,000.
  • Page 102: Blocking State

    Chapter 7 Configuring Spanning Tree, How Spanning Tree Protocols Work. The port states are: Blocking; Listening; Learning; Forwarding; Disabled. A port moves through these states: from initialization to blocking; from blocking to either listening or disabled; from listening to either listening or disabled; ...
  • Page 103: Blocking State

    Chapter 7 Configuring Spanning Tree How Spanning Tree Protocols Work Blocking State A port in the blocking state, such as port 2 in Figure 7-3, does not participate in frame forwarding. After initialization a BPDU is sent to each port in the switch. A switch initially assumes it is the root until it exchanges BPDUs with other switches.
  • Page 104: Listening State

    Chapter 7 Configuring Spanning Tree How Spanning Tree Protocols Work Listening State The listening state is the first transitional state a port enters after the blocking state. The port enters this state when the spanning tree determines that the port should participate in frame forwarding. Learning is disabled in the listening state.
  • Page 105: Learning State

    Chapter 7 Configuring Spanning Tree, How Spanning Tree Protocols Work. Learning State: A port in the learning state prepares to participate in frame forwarding. The port enters the learning state from the listening state. Figure 7-5 shows a port in the learning state. Figure 7-5 Port 2 in Learning State (figure)...
  • Page 106: Forwarding State

    Chapter 7 Configuring Spanning Tree, How Spanning Tree Protocols Work. Forwarding State: A port in the forwarding state forwards frames, as shown in Figure 7-6. The port enters the forwarding state from the learning state. Figure 7-6 Port 2 in Forwarding State (figure)...
  • Page 107: Understanding Pvst+ And Mistp Modes

    Chapter 7 Configuring Spanning Tree, Understanding PVST+ and MISTP Modes. Figure 7-7 Port 2 in Disabled State (figure showing Port 1, Port 2, the filtering database, the frame forwarding module, the system module, the station addresses, and the flow of BPDUs, network management frames, and data frames)...
  • Page 108: Pvst+ Mode

    Chapter 7 Configuring Spanning Tree, Understanding PVST+ and MISTP Modes. Caution: If your network currently uses PVST+ and you plan to use MISTP on any switch, you must first enable MISTP-PVST+ on the switch and configure a MISTP instance to avoid causing loops in the network. PVST+ Mode: PVST+ is the default Spanning Tree Protocol used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs on Catalyst 4000 family switches.
  • Page 109: Bridge Identifiers

    Chapter 7 Configuring Spanning Tree Bridge Identifiers MISTP-PVST+ conforms to the limits of PVST+; for example, you can only configure the amount of VLAN ports on your MISTP-PVST+ switches that you configure on your PVST+ switches. Bridge Identifiers This section explains how MAC addresses are used in PVST+ and MISTP as unique bridge identifiers: MAC Address Allocation, page 7-12 •...
  • Page 110: Default Pvst+ Configuration

    Chapter 7 Configuring Spanning Tree Using PVST+ • Configuring PVST+ Port VLAN Priority, page 7-17 • Disabling the PVST+ Mode on a VLAN, page 7-18 Default PVST+ Configuration Table 7-1 shows the default PVST+ configuration. Table 7-3 PVST+ Default Configuration Feature Default Value VLAN 1...
  • Page 111 Chapter 7 Configuring Spanning Tree, Using PVST+. To configure the spanning tree bridge priority for a VLAN, perform this task in privileged mode: Step 1, Set the bridge ID priority for a VLAN (command: set spantree priority bridge_ID_priority [vlan]). Step 2, Verify the bridge ID priority.
  • Page 112: Configuring Pvst+ Port Cost

    Chapter 7 Configuring Spanning Tree, Using PVST+. Configuring PVST+ Port Cost: You can configure the port cost of switch ports. Ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports attached to faster media (such as full duplex) and higher numbers to ports attached to slower media. The possible range of cost is 1 to 65535.
  • Page 113: Configuring Pvst+ Default Port Cost Mode

    Chapter 7 Configuring Spanning Tree, Using PVST+. (Continuation of show spantree output: five rows reading not-connected 32 disabled 0 and one row reading forwarding 16 disabled 0.) Configuring PVST+ Default Port Cost Mode: If any switch in your network is using a port speed of 10 Gb or over and the network is using PVST+ spanning tree mode, all switches in the network must have the same path cost defaults.
  • Page 114: Configuring Pvst+ Port Vlan Priority

    Chapter 7 Configuring Spanning Tree, Using PVST+. To configure the port VLAN cost for a port, perform this task in privileged mode: Configure the port VLAN cost for a VLAN on a switch port (command: set spantree portvlancost {mod/port} [cost cost] [vlan_list]). This example shows how to change the port VLAN cost on a port: Console>...
  • Page 115: Disabling The Pvst+ Mode On A Vlan

    Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Disabling the PVST+ Mode on a VLAN When the switch is in PVST+ mode, you can disable spanning-tree on individual VLANs or all VLANs. When you disable spanning tree on a VLAN, the switch does not participate in spanning-tree and any BPDUs received in that VLAN are flooded on all ports.
  • Page 116: Default Mistp Configuration

    Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP When all switches in the network are configured in MISTP-PVST+, you can then enable MISTP on all of the switches. These sections describe how to configure PVST+ on Ethernet VLANs: • Default MISTP Configuration, page 7-19 •...
  • Page 117 Chapter 7 Configuring Spanning Tree, Using MISTP-PVST+ or MISTP. Caution: If you are working from a Telnet connection to your switch, the first time you enable MISTP-PVST+ or MISTP mode, you must do so from the switch console; do not use a Telnet connection through the data port or you will lose the connection to the switch.
  • Page 118: Configuring A Mistp Instance

    Chapter 7 Configuring Spanning Tree, Using MISTP-PVST+ or MISTP. (Continuation of output: three rows listing MAC address 00-50-3e-78-70-00.) Configuring a MISTP Instance: This section describes how to configure MISTP instances: • Configuring MISTP Bridge ID Priority, page 7-21 • Configuring MISTP Port Cost, page 7-22 •...
  • Page 119: Configuring Mistp Port Cost

    Chapter 7 Configuring Spanning Tree, Using MISTP-PVST+ or MISTP. Configuring MISTP Port Cost: You can configure the port cost of switch ports. Ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports attached to faster media (such as full duplex) and higher numbers to ports attached to slower media. The possible range is 1 to 65535.
  • Page 120: Configuring Mistp Port Instance Cost

    Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP This example shows how to configure the port priority and verify the configuration: Console> (enable) set spantree portpri 2/12 40 Bridge port 2/12 port priority set to 40. Console> (enable) show spantree mistp-instance 1 Instance 1 Spanning tree mode MISTP-PVST+...
  • Page 121: Enabling A Mistp Instance

    Chapter 7 Configuring Spanning Tree, Using MISTP-PVST+ or MISTP. To configure the port instance priority for a port, perform this task in privileged mode: Configure the port instance priority on a MISTP instance (command: set spantree portinstancepri {mod/port} priority [instances]). This example shows how to change the port instance priority on a port and verify the configuration: Console>...
  • Page 122: Mapping Vlans To A Mistp Instance

    Chapter 7 Configuring Spanning Tree, Using MISTP-PVST+ or MISTP. Mapping VLANs to a MISTP Instance: When you are using MISTP-PVST+ or MISTP on a switch, you must map at least one VLAN to a MISTP instance in order for MISTP-PVST+ or MISTP to be active. Note: Chapter 10, “Configuring VLANs”...
  • Page 123: Unmapping Vlans From A Mistp Instance

    Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP This command prints a list of the MISTP instances associated with the VLAN, the MAC addresses of the root switches that are sending the BPDUs containing the VLAN mapping information, and the timers associated with the mapping of a VLAN to a MISTP instance.
  • Page 124: Configuring A Root Switch

    Chapter 7 Configuring Spanning Tree, Configuring a Root Switch. To disable a MISTP instance, perform this task in privileged mode: Disable a MISTP instance (command: set spantree disable mistp-instance instance [all]). This example shows how to disable a MISTP instance: Console>...
  • Page 125: Configuring A Secondary Root Switch

    Chapter 7 Configuring Spanning Tree, Configuring a Root Switch. To configure a switch as the primary root switch for an instance, perform this task in privileged mode: Configure a switch as the primary root switch for an instance (command: set spantree root mistp-instance instance [dia...
  • Page 126: Configuring A Root Switch To Improve Convergence

    Chapter 7 Configuring Spanning Tree Configuring a Root Switch Instances 2-4 bridge hello time set to 2 seconds. Instances 2-4 bridge forward delay set to 9 seconds. Switch is now the root switch for active Instances 1-6. Console> (enable) Configuring a Root Switch to Improve Convergence You can configure the root switch to speed up STP convergence time.
  • Page 127: Using Root Guard-Preventing Switches From Becoming Root

    Chapter 7 Configuring Spanning Tree, Configuring Spanning Tree Timers. Step 4, Verify the configuration (command: show spantree [mod/port] mistp-instance [instances] [active]). Step 5, Configure the maximum aging time for a VLAN or MISTP instance (command: set spantree maxage agingtime [vlans] mistp-instance instances). Step 6, Verify the configuration.
  • Page 128: Configuring Hello Time

    Chapter 7 Configuring Spanning Tree, Configuring Spanning Tree Timers. Caution: Exercise care using these commands. For most situations, we recommend that you use the set spantree root and set spantree root secondary commands to modify the spanning tree performance parameters. Table 7-3 describes the switch variables that affect spanning tree performance.
  • Page 129: Configuring Maximum Aging Time

    Chapter 7 Configuring Spanning Tree, Configuring Spanning Tree Timers. To configure the spanning tree forward delay time for a VLAN, perform this task in privileged mode: Step 1, Configure the forward delay time for a VLAN or MISTP instance (command: set spantree fwddelay delay [vlan] ...
  • Page 130: Understanding How Bpdu Skewing Works

    Chapter 7 Configuring Spanning Tree Understanding How BPDU Skewing Works Understanding How BPDU Skewing Works BPDU skewing is the difference between when the BPDUs are expected to be received and the time BPDUs are actually received. Skewing occurs when the following occurs: •...
  • Page 131 Chapter 7 Configuring Spanning Tree, Configuring Spanning Tree BPDU Skewing. To configure the BPDU skewing statistics gathering for a VLAN, perform this task in privileged mode: Step 1, Configure BPDU skewing (command: set spantree bpdu-skewing [enable | disable]). Step 2, Verify the configuration.
  • Page 132 Chapter 7 Configuring Spanning Tree, Configuring Spanning Tree BPDU Skewing. (Continuation of show spantree summary output: Portfast bpdu-filter disabled for bridge. Uplinkfast disabled for bridge. Backbonefast disabled for bridge. Summary of connected spanning tree ports by vlan, with columns VLAN, Blocking, Listening, Learning, Forwarding, and STP Active, followed by a Total row...)
  • Page 133: Understanding How Portfast Works

    C H A P T E R Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard This chapter describes how to configure the PortFast, UplinkFast, and BackboneFast, and loop guard spanning tree enhancements on the Catalyst enterprise LAN switches. Note For information on configuring spanning tree, see Chapter 7, “Configuring Spanning Tree.”...
  • Page 134: Configuring Portfast

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring PortFast. Caution: PortFast should be used only when connecting a single end station to a switch port. If you enable PortFast on a port connected to another networking device, such as a switch, you can create network loops. When the switch powers up, or when a device is connected to a port, the port normally enters the spanning tree listening state.
  • Page 135: C H A P T E R 8 Configuring Spanning Tree Portfast, Uplinkfast, And Backbonefast, And Loop Guard

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Understanding How PortFast BPDU Guard Works. (Continuation of show spantree output: rows reading blocking enabled, 1003 not-connected enabled, 1005 not-connected enabled.) Console> (enable). Disabling Spanning Tree PortFast: To disable PortFast on a switch port, perform this task in privileged mode: Step 1...
  • Page 136: Enabling Portfast Bpdu Guard

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring PortFast BPDU Guard. Enabling PortFast BPDU Guard. Note: PortFast is configured on an individual port and the PortFast BPDU guard option is enabled globally. When PortFast is disabled on a port, PortFast BPDU guard becomes inactive. To enable PortFast BPDU guard on a nontrunking switch port, perform this task in privileged mode: ...
  • Page 137: Disabling Portfast Bpdu Guard

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring PortFast BPDU Guard. Disabling PortFast BPDU Guard: To disable PortFast BPDU guard, perform this task in privileged mode: Step 1, Disable PortFast BPDU guard (command: set spantree portfast bpdu-guard disable). Step 2, Verify the PortFast BPDU guard setting.
  • Page 138: Understanding How Portfast Bpdu Filtering Works

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Understanding How PortFast BPDU Filtering Works Understanding How PortFast BPDU Filtering Works BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.
  • Page 139: Disabling Portfast Bpdu Filtering

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring PortFast BPDU Filtering. (Continuation of show spantree summary output: rows for VLANs 1003 and 1005, columns Blocking, Listening, Learning, Forwarding, and STP Active, followed by a Total row.) Console> (enable). Disabling PortFast BPDU Filtering: To disable PortFast BPDU filtering on a switch, perform this task in privileged mode: Step 1...
  • Page 140: Understanding How Uplinkfast Works

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Understanding How UplinkFast Works Understanding How UplinkFast Works UplinkFast provides fast convergence in the network access layer after a spanning tree topology change using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time.
  • Page 141: Configuring Uplinkfast

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Configuring UplinkFast As soon as the switch transitions the alternate port to the forwarding state, the switch begins transmitting dummy multicast frames on that port, one for each entry in the local EARL table (except those entries associated with the failed root port).
  • Page 142: Disabling Uplinkfast

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Configuring UplinkFast This example shows how to enable UplinkFast with a station-update rate of 40 packets per 100 milliseconds and how to verify that UplinkFast is enabled: Console> (enable) set spantree uplinkfast enable rate 40 VLANs 1-1005 bridge priority set to 49152.
  • Page 143: Understanding How Backbonefast Works

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Understanding How BackboneFast Works. To disable UplinkFast on a switch, perform this task in privileged mode: Step 1, (Optional) Disable UplinkFast processing on the switch and restore the default bridge priority, port cost, and port-VLAN cost values (command: clear spantree uplinkfast).
  • Page 144 Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Understanding How BackboneFast Works Figure 8-3 shows an example BackboneFast network topology. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B over link L3 is in the blocking state.
  • Page 145: Configuring Backbonefast

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring BackboneFast. Figure 8-5 Adding a Switch in a Shared-Medium Topology (figure: Switch A (Root), Switch B, Switch C (Designated Bridge), a blocked port, and the added switch). Configuring BackboneFast: These sections describe how to configure the BackboneFast feature: • Enabling BackboneFast, page 8-13 •...
  • Page 146: Displaying Backbonefast Statistics

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring BackboneFast. Displaying BackboneFast Statistics: To display BackboneFast statistics, perform this task in privileged mode: Display BackboneFast statistics (command: show spantree summary). This example shows how to display BackboneFast statistics: Console>...
  • Page 147: Understanding How Loop Guard Works

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Understanding How Loop Guard Works Understanding How Loop Guard Works Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. The loop guard feature checks if a root port or an alternate root port receives BPDUs.
  • Page 148 Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Understanding How Loop Guard Works. Loop guard interacts with other features as follows: • Loop guard does not affect the functionality of UplinkFast or BackboneFast. • Do not enable loop guard on ports that are connected to a shared link. Note: We recommend that you enable loop guard on root ports and alternate root ports on access switches.
  • Page 149: Configuring Loop Guard

    Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard, Configuring Loop Guard. Configuring Loop Guard: These sections describe how to configure BackboneFast: • Enabling Loop Guard, page 8-17 • Disabling Loop Guard, page 8-17. Enabling Loop Guard: Use the set spantree guard command to enable or disable the spanning tree loop guard feature on a per-port basis.
  • Page 150 Chapter 8 Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard Configuring Loop Guard
  • Page 151: Configuring Vlans And Vlan Trunks

    P A R T Configuring VLANs and VLAN Trunks...
  • Page 153: Configuring Vtp

    C H A P T E R Configuring VTP This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 154: Chapter 9 Configuring Vtp

    Chapter 9 Configuring VTP Understanding How VTP Works VTP Domain A VTP domain (also called a VLAN management domain) is made up of one or more interconnected switches that share the same VTP domain name. A switch can be configured to be in one and only one VTP domain.
  • Page 155: Vtp Version 2

    Chapter 9 Configuring VTP Understanding How VTP Works • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN • Frame format VTP Version 2 If you use VTP in your network, you must decide whether to use VTP version 1 or version 2. VTP version 2 supports the following features not supported in version 1: •...
  • Page 156 Chapter 9 Configuring VTP, Understanding How VTP Works. Figure 9-1 Flooding Traffic without VTP Pruning (figure: Switch 1 through Switch 6, with Port 1 and Port 2 and the Red VLAN labeled). Figure 9-2 shows the same switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).
  • Page 157: Default Vtp Configuration

    Chapter 9 Configuring VTP, Default VTP Configuration. Default VTP Configuration: Table 9-1 shows the default VTP configuration. Table 9-1 VTP Default Configuration (Feature: Default Value): VTP domain name: Null; VTP mode: Server; VTP version 2 enable state: Version 2 is disabled; VTP password: None; VTP pruning: ...
  • Page 158: Configuring A Vtp Server

    Chapter 9 Configuring VTP Configuring VTP • Disabling VTP Pruning, page 9-10 • Monitoring VTP, page 9-10 Configuring a VTP Server When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network. To configure the switch as a VTP server, perform this task in privileged mode: Task Command...
  • Page 159: Disabling Vtp (Vtp Transparent Mode)

    Chapter 9 Configuring VTP Configuring VTP This example shows how to configure the switch as a VTP client and verify the configuration: Console> (enable) set vtp domain Lab_Network VTP domain Lab_Network modified Console> (enable) set vtp mode client VTP domain Lab_Network modified Console>...
  • Page 160: Disabling Vtp Version 2

    Chapter 9 Configuring VTP, Configuring VTP. Caution: VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2.
  • Page 161: Configuring Vtp Pruning

    Chapter 9 Configuring VTP, Configuring VTP. Configuring VTP Pruning: To configure VTP pruning, perform this task in privileged mode: Step 1, Enable VTP pruning in the management domain (command: set vtp pruning enable). Step 2, (Optional) Make specific VLANs pruning ineligible on the device (command: clear vtp pruning vlan_range).
  • Page 162: Disabling Vtp Pruning

    Chapter 9 Configuring VTP, Configuring VTP. (Continuation of show trunk output: a Port column with Vlans allowed and active in management domain, then a Port column with Vlans in spanning tree forwarding state and not pruned.) Console> (enable). Disabling VTP Pruning: To disable VTP pruning, perform this task in privileged mode: Step 1...
  • Page 163: Chapter 10 Configuring Vlans

    C H A P T E R Configuring VLANs This chapter describes how to configure virtual LANs (VLANs) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 164 Figure 10-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing, and Accounting VLANs spanning Catalyst 4000 switches on Floor 1, Floor 2, and Floor 3, connected over Fast Ethernet to a Cisco router). VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 165: Vlan Default Configuration

    Chapter 10 Configuring VLANs, VLAN Default Configuration. VLAN Default Configuration: Table 10-1 shows the default VLAN configuration. Table 10-1 VLAN Default Configuration (Feature: Default Value): Native (default) VLAN: VLAN 1; Port VLAN assignments: All ports assigned to VLAN 1; VLAN state: Enabled; MTU size: 1500 bytes...
  • Page 166: Creating Or Modifying An Ethernet Vlan

    Chapter 10 Configuring VLANs, Configuring VLANs. Creating or Modifying an Ethernet VLAN: To create a new Ethernet VLAN, perform this task in privileged mode: Step 1, Create a new Ethernet VLAN (command: set vlan vlan_num [name name] [said said] [mtu mtu] [translation vlan_num]). Step 2, Verify the VLAN configuration.
  • Page 167: Mapping 802.1Q Vlans To Isl Vlans

    The valid range of user-configurable ISL VLANs is 1–1000. The valid range of VLANs specified in the IEEE 802.1Q standard is 0–4095. In a network environment with non-Cisco devices connected to Cisco switches through 802.1Q trunks, you must map 802.1Q VLAN numbers greater than 1000 to ISL VLAN numbers.
  • Page 168: Clearing 802.1Q-To-Isl Vlan Mappings

    Chapter 10 Configuring VLANs Configuring VLANs These restrictions apply when mapping 802.1Q VLANs to ISL VLANs: • You can configure up to seven 802.1Q-to-ISL VLAN mappings on the switch. • You must map 802.1Q VLANs to Ethernet-type ISL VLANs. • Do not enter the native VLAN of any 802.1Q trunk in the mapping table.
  • Page 169: Deleting A Vlan

    Chapter 10 Configuring VLANs Configuring Private VLANs This example shows how to clear all 802.1Q-to-ISL VLAN mappings: Console> (enable) clear vlan mapping dot1q all All vlan mapping entries deleted Console> (enable) Deleting a VLAN When you delete a VLAN in VTP server mode, the VLAN is removed from all switches in the VTP domain.
  • Page 170 Chapter 10 Configuring VLANs Configuring Private VLANs There are three types of private VLAN ports: promiscuous, isolated, and community. • A promiscuous port communicates with all other private VLAN ports and is the port you use to communicate with routers, LocalDirector, the CSS11000, backup servers, and administrative workstations.
  • Page 171: Private Vlan Configuration Guidelines

    Chapter 10 Configuring VLANs Configuring Private VLANs Private VLAN Configuration Guidelines Follow these guidelines to configure private VLANs: • Designate one VLAN as the primary VLAN. • Designate one VLAN as an isolated VLAN. If you want to use private VLAN communities, you need to designate a community VLAN for each community.
  • Page 172: Creating A Private Vlan

    Chapter 10 Configuring VLANs Configuring Private VLANs • In networks with some switches using MAC address reduction, and others not using MAC address reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies match. You should manually double check the STP configuration to ensure that the primary, isolated, and community VLANs spanning tree topologies match.
  • Page 173 Chapter 10 Configuring VLANs Configuring Private VLANs Note You can bind isolated or community VLAN(s) to the primary VLAN without associating the isolated or community ports to the private VLAN: use the set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} command. Note You can change the isolated or community ports associated to the private VLAN without changing the isolated or community VLAN binding: use the set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/port command.
  • Page 174 Chapter 10 Configuring VLANs Configuring Private VLANs This example shows how to bind VLAN 902 to primary VLAN 7 and assign ports 4/4 through 4/6 as the community port: Console> (enable) set pvlan 7 902 4/4-6 Successfully set the following ports to Private Vlan 7,902:4/4-6 Console>...
  • Page 175: Viewing The Port Capability Of A Private Vlan Port

    Chapter 10 Configuring VLANs Configuring Private VLANs ------- --------- -------------- ------------ isolated community 4/4-6 community 4/7-9 Console> (enable) show pvlan mapping Port Primary Secondary ----- -------- ---------- 901-903 Console> (enable) show port Port Name Status Vlan Duplex Speed Type ----- ------------------ ---------- ---------- ------ ----- ------------ ...truncated output...
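The three private VLAN port types described on page 170 (promiscuous, isolated, community) define who may talk to whom, and it is easy to misjudge that when reading `set pvlan` lines. The following model is an added example, not code from the Cisco guide or from CatOS. It consumes the guide's `set pvlan primary secondary mod/port` form plus two lines whose exact syntax is assumed here for illustration: `set vlan N pvlan-type {primary|isolated|community}` to declare VLAN roles and `set pvlan mapping primary secondaries mod/port` to make a promiscuous port. The sample configuration is constructed to match the page's example (primary VLAN 7, isolated 901, communities 902 and 903 on ports 4/4-6 and 4/7-9, mapping 901-903).

```python
"""Forwarding model for Catalyst private VLAN port types.

Added example, not from the Cisco guide. VLAN roles and the promiscuous
mapping command are assumed syntax (see lead-in); can_forward() applies the
page 170 rules: promiscuous ports reach everything, community ports reach
their own community and promiscuous ports, isolated ports reach only
promiscuous ports.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set

PORT_RANGE = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """'4/4-6,4/9' -> ['4/4', '4/5', '4/6', '4/9'] (CatOS mod/port notation)."""
    ports = []
    for item in spec.split(","):
        m = PORT_RANGE.match(item.strip())
        if not m:
            raise ValueError(f"bad port spec: {item!r}")
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.extend(f"{m.group(1)}/{p}" for p in range(lo, hi + 1))
    return ports


def expand_vlans(spec):
    """'901-903,905' -> {901, 902, 903, 905}."""
    vlans = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass
class PrivateVlanModel:
    vlan_type: Dict[int, str] = field(default_factory=dict)    # vlan -> role
    binding: Dict[int, int] = field(default_factory=dict)      # secondary -> primary
    host_ports: Dict[str, int] = field(default_factory=dict)   # port -> secondary VLAN
    promisc_ports: Dict[str, Set[int]] = field(default_factory=dict)  # port -> mapped secondaries

    def apply(self, command):
        """Apply one CatOS-style configuration line to the model."""
        f = command.split()
        if f[:2] == ["set", "vlan"] and "pvlan-type" in f:
            self.vlan_type[int(f[2])] = f[f.index("pvlan-type") + 1]
        elif f[:3] == ["set", "pvlan", "mapping"]:        # assumed promiscuous syntax
            for port in expand_ports(f[5]):
                self.promisc_ports.setdefault(port, set()).update(expand_vlans(f[4]))
        elif f[:2] == ["set", "pvlan"]:                   # guide's form, page 173/174
            primary, secondary = int(f[2]), int(f[3])
            self.binding[secondary] = primary
            if len(f) > 4:
                for port in expand_ports(f[4]):
                    self.host_ports[port] = secondary
        else:
            raise ValueError(f"unsupported command: {command!r}")

    def can_forward(self, src, dst):
        """True if a frame entering src may be delivered out of dst."""
        if src == dst:
            return False
        if src in self.promisc_ports:
            # A promiscuous port talks to every other port of the private VLAN.
            if dst in self.promisc_ports:
                return True
            return self.host_ports.get(dst) in self.promisc_ports[src]
        if src in self.host_ports:
            secondary = self.host_ports[src]
            if dst in self.promisc_ports:
                return secondary in self.promisc_ports[dst]
            if self.vlan_type.get(secondary) == "community":
                # Community ports reach only members of the same community.
                return self.host_ports.get(dst) == secondary
            return False   # isolated ports reach nothing but promiscuous ports
        return False       # src is not part of the private VLAN


def build_sample():
    """Constructed configuration mirroring the guide's example."""
    model = PrivateVlanModel()
    for line in (
        "set vlan 7 pvlan-type primary",
        "set vlan 901 pvlan-type isolated",
        "set vlan 902 pvlan-type community",
        "set vlan 903 pvlan-type community",
        "set pvlan 7 901 4/1-3",
        "set pvlan 7 902 4/4-6",
        "set pvlan 7 903 4/7-9",
        "set pvlan mapping 7 901-903 3/1",
    ):
        model.apply(line)
    return model
```

Use `build_sample().can_forward("4/1", "4/2")` to confirm that two isolated hosts cannot reach each other, and `can_forward("4/4", "4/7")` to see that two different communities are also separated; only the promiscuous port 3/1 is reachable from every host port.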
  • Page 176: Deleting An Isolated Or Community Vlan

    Chapter 10 Configuring VLANs Configuring Private VLANs This example shows how to delete primary VLAN 7: Console> (enable) clear vlan 7 This command will de-activate all ports on vlan 7 Do you want to continue(y/n) [n]?y Vlan 7 deleted Console> (enable) Deleting an Isolated or Community VLAN If you delete an isolated or community VLAN, the binding with the primary VLAN is broken, any isolated or community ports associated to the VLAN become inactive, and any related mappings on the...
  • Page 177: Understanding How Vlan Trunks Work

    C H A P T E R Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports This chapter describes how to configure Fast Ethernet and Gigabit Ethernet virtual LAN (VLAN) trunks on the Catalyst enterprise LAN switches. Note For complete information on configuring VLANs, see Chapter 10, “Configuring VLANs.”...
  • Page 178: Trunking Modes And Encapsulation Types

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Understanding How VLAN Trunks Work The Catalyst 4000, 2948G, and 2980G switches support IEEE 802.1Q trunking encapsulation. You can configure a trunk on a single Fast or Gigabit Ethernet port or on a Fast or Gigabit EtherChannel bundle.
  • Page 179: C H A P T E R 11 Configuring Vlan Trunks On Fast Ethernet And Gigabit Ethernet Ports

    To avoid this problem, ensure that trunking is turned off on ports connected to non-switch devices if you do not intend to trunk across those links. When manually enabling trunking on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.
  • Page 180: Trunking Support

    BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1D spanning-tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).
  • Page 181: Default Trunk Configuration

    Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Default Trunk Configuration • Make sure that the native VLAN is the same on ALL of the 802.1Q trunks connecting the Cisco switches to the non-Cisco 802.1Q cloud. • If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections MUST be through 802.1Q trunks.
  • Page 182: Defining The Allowed Vlans On A Trunk

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Configuring a Trunk Link To configure an 802.1Q trunk, perform this task in privileged mode: Task Command Step 1 Configure an 802.1Q trunk. set trunk mod_num/port_num [on | desirable | auto | nonegotiate] dot1q Step 2 Verify the trunking configuration.
  • Page 183: Disabling A Trunk Port

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations This example shows how to define the allowed VLANs list for trunk port 1/1 to allow VLANs 1–100, VLAN 250, and VLANs 500–1005, and how to verify the allowed VLAN list for the trunk: Console>...
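The guidelines above (turn trunking off on ports that face non-switch devices, use nonegotiate toward a Cisco router, keep the native VLAN identical on every trunk into a non-Cisco 802.1Q cloud) and the 802.1Q-to-ISL mapping restrictions on page 168 are all checkable from `show trunk` output. The script below is an added example, not code from the Cisco guide. It parses a constructed `show trunk` transcript laid out like the guide's examples (the ports, modes and VLAN lists are made up), flags the conditions the guidelines warn about, and validates a proposed mapping table. The `non_switch_ports` set and the set of Ethernet-type VLANs are supplied by the operator; they are inputs the script assumes rather than anything it learns from the switch.

```python
"""Audit CatOS 802.1Q trunks and 802.1Q-to-ISL VLAN mappings.

Added example, not from the Cisco guide. Parses a constructed `show trunk`
transcript and checks it against the guide's trunking guidelines and the
802.1Q-to-ISL mapping restrictions.
"""
from dataclasses import dataclass, field

# Constructed sample in the `show trunk` layout; ports and VLANs are made up.
SAMPLE_SHOW_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      nonegotiate  dot1q          trunking      1
 1/2      desirable    dot1q          trunking      1
 2/1      auto         dot1q          trunking      99
 2/2      on           dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-100,250,500-1005
 1/2      1-1005
 2/1      1-1005
 2/2      10,20,30
"""

NEGOTIABLE = {"auto", "desirable"}   # modes that form a trunk through DTP
MAX_DOT1Q_ISL_MAPPINGS = 7           # limit stated in the guide (page 168)
ISL_USER_RANGE = range(1, 1001)      # user-configurable ISL VLANs (page 167)


@dataclass
class Trunk:
    port: str
    mode: str
    encapsulation: str
    status: str
    native_vlan: int
    allowed: set = field(default_factory=set)


def parse_vlan_list(text):
    """Expand a CatOS VLAN list such as '1-100,250,500-1005' into a set."""
    vlans = set()
    for item in filter(None, text.split(",")):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: Trunk} from the mode table and the allowed-VLAN table."""
    trunks, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):
            section = ("mode" if "Mode" in line
                       else "allowed" if "allowed on trunk" in line else None)
        elif section and line.strip() and not line.startswith("-"):
            f = line.split()
            if section == "mode" and len(f) == 5:
                trunks[f[0]] = Trunk(f[0], f[1], f[2], f[3], int(f[4]))
            elif section == "allowed" and f[0] in trunks:
                trunks[f[0]].allowed = parse_vlan_list(f[1])
    return trunks


def audit_trunks(trunks, non_switch_ports=frozenset()):
    """Flag DTP exposure and native-VLAN inconsistency (pages 179 and 181)."""
    findings = []
    for t in trunks.values():
        # Operator-supplied list of ports facing hosts or routers (assumption).
        if t.port in non_switch_ports and t.mode != "off":
            findings.append(f"{t.port}: trunking is '{t.mode}' on a non-switch "
                            "port; set it off, or nonegotiate for a Cisco router")
        elif t.mode in NEGOTIABLE and t.status == "trunking":
            findings.append(f"{t.port}: trunk was negotiated by DTP ({t.mode})")
    natives = {t.native_vlan for t in trunks.values() if t.status == "trunking"}
    if len(natives) > 1:
        findings.append(f"native VLAN differs across trunks {sorted(natives)}; "
                        "it must match on every trunk into a non-Cisco 802.1Q cloud")
    return findings


def validate_dot1q_isl_mappings(mappings, trunks, ethernet_vlans):
    """Check a {dot1q_vlan: isl_vlan} table against the page 168 restrictions."""
    errors = []
    if len(mappings) > MAX_DOT1Q_ISL_MAPPINGS:
        errors.append(f"{len(mappings)} mappings exceed the limit of "
                      f"{MAX_DOT1Q_ISL_MAPPINGS}")
    natives = {t.native_vlan for t in trunks.values()}
    for dot1q, isl in mappings.items():
        if dot1q <= 1000:
            errors.append(f"802.1Q VLAN {dot1q} is within the ISL range; "
                          "only VLANs above 1000 need a mapping")
        if isl not in ISL_USER_RANGE or isl not in ethernet_vlans:
            errors.append(f"ISL VLAN {isl} is not a user-configurable Ethernet VLAN")
        if dot1q in natives or isl in natives:
            errors.append(f"mapping {dot1q}->{isl} uses the native VLAN of a trunk")
    return errors
```

Running `audit_trunks(parse_show_trunk(SAMPLE_SHOW_TRUNK), non_switch_ports={"2/2"})` on the sample reports the two DTP-negotiated trunks, the non-switch port left in mode `on`, and the native VLAN mismatch between 1 and 99; `validate_dot1q_isl_mappings` then rejects a mapping that targets VLAN 99 because it is a trunk's native VLAN.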
  • Page 184: 802.1Q Trunk Over Gigabit Etherchannel Link Example

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Note For examples of configuring trunk links between switches and routers, refer to the Layer 3 Switching Software Configuration Guide—Catalyst 5000 Family, 4000 Family, 2926G Series, 2926 Series, 2948G, and 2980G Switches publication.
  • Page 185 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations No ports trunking. Switch_A> (enable) Switch_B> (enable) show port channel No ports channelling Switch_B> (enable) show trunk No ports trunking. Switch_B> (enable) Step 3 Configure the ports on Switch A to negotiate a Gigabit EtherChannel bundle with the neighboring switch.
  • Page 186 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations connected auto channel WS-C4003 JAB023806(Sw connected auto channel WS-C4003 JAB023806(Sw ----- ---------- --------- ----------- ------------------------- ---------- Switch_B> (enable) Step 5 Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk. The configuration is applied to all of the ports in the bundle.
  • Page 187: Load-Sharing Vlan Traffic Over Parallel Trunks Example

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations -------- --------------------------------------------------------------------- 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999 Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- Switch_A> (enable) Switch_B> (enable) show trunk Port Mode Encapsulation...
  • Page 188 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Figure 11-2 Parallel Trunk Configuration Before Configuring VLAN-Traffic Load Sharing Trunk 2 VLANs 10, 20, and 30: port-VLAN priority 32 (blocking) VLANs 40, 50, and 60: port-VLAN priority 1 (forwarding) Catalyst 4000 Catalyst 4000 Switch 1...
  • Page 189 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations -------------------------------- ------------ ----------- ----------- ---------- BigCorp server Vlan-count Max-vlan-storage Config Revision Notifications ---------- ---------------- --------------- ------------- 1023 disabled Last Updater V2 Mode Pruning PruneEligible on Vlans --------------- -------- -------- ------------------------- 172.20.52.10 disabled enabled...
  • Page 190 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- 1-2,10,20,30,40,50,60,99-105 1/2 Switch_1> (enable) When the trunk links come up, VTP passes the VTP and VLAN configuration to Switch 2. Step 6 Verify that Switch 2 has learned the VLAN configuration by entering the show vlan command on Switch 2: Switch_2>...
  • Page 191 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations In this example, VLANs 10, 20, and 30 (Group 1) are forwarded over Trunk 1, and VLANs 40, 50, and 60 (Group 2) are forwarded over Trunk 2. Step 9 On Switch 1, enter the set spantree portvlanpri command to change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to an integer value lower than the default of 32:...
  • Page 192 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Port 1/2 vlans 1005 using portpri 4. Switch_2> (enable) set spantree portvlanpri 1/2 1 50 Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32. Port 1/2 vlans 40,50 using portpri 1. Port 1/2 vlans 1005 using portpri 4.
  • Page 193 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Figure 11-3 Parallel Trunk Configuration After Configuring VLAN Traffic Load-Sharing Trunk 2 VLANs 10, 20, 30, 40, 50, and 60: port-VLAN priority 32 (blocking) Catalyst 4000 Catalyst 4000 Switch 1...
  • Page 194: 802.1Q Nonegotiate Trunk Configuration Example

    Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations 802.1Q Nonegotiate Trunk Configuration Example This example configuration shows how to configure an 802.1Q Fast Ethernet trunk between two Catalyst 4000 family switches with 802.1Q-capable hardware. (Use the show port capabilities command to see if your hardware is 802.1Q-capable.) In this example, an 802.1Q trunk is configured between port 1/1 on Switch 1 and port 4/1 on Switch 2.
  • Page 195 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Step 2 Display the problem on Switch 2 by entering the show spantree and show spantree statistics commands. The configuration mismatch exists until the port on Switch 2 is properly configured. Switch 2>...
  • Page 196 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Example VLAN Trunk Configurations Figure 11-6 802.1Q Trunking: Final Network Configuration [figure: Catalyst 4000 Switch 1 port 1/1 connected to Switch 2 port 4/1 by an 802.1Q trunk; both ends show Trunk Type: 802.1Q and Trunk Mode: nonegotiate]
  • Page 197: Disabling Vlan 1 On A Trunk Link

    When you disable VLAN 1 on a trunk interface, no user traffic is transmitted or received across that trunk interface, but the supervisor engine will continue to transmit and receive packets from control protocols such as Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), Dynamic Trunking Protocol (DTP), and so forth.
  • Page 198 Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Disabling VLAN 1 on a Trunk Link When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1. To disable VLAN 1 on a trunk interface, perform this task in privileged mode: Task Command...
  • Page 199: Understanding How Vmps Works

    C H A P T E R Configuring Dynamic Port VLAN Membership with VMPS This chapter describes how to configure dynamic port virtual LAN (VLAN) membership using the VLAN Management Policy Server (VMPS) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 200: C H A P T E R 12 Configuring Dynamic Port Vlan Membership With Vmps

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS VMPS and Dynamic Port Hardware and Software Requirements If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an “access denied”...
  • Page 201: Dynamic Port Vlan Membership And Vmps Configuration Guidelines

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership and VMPS Configuration Guidelines Table 12-1 Default VMPS Client and Dynamic Port Configuration (continued) Feature Default Configuration VMPS server retry count 3 attempts Dynamic ports No dynamic ports configured Dynamic Port VLAN Membership and VMPS Configuration Guidelines These guidelines and restrictions apply to dynamic port VLAN membership:...
  • Page 202: Configuring Vmps

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership Note For an example ASCII text VMPS database configuration file, see the “VMPS Database Configuration File Example” section on page 12-7. Follow these guidelines for creating the VMPS database file: •...
  • Page 203: Configuring Dynamic Ports On Vmps Clients

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership To configure VMPS, perform this task in privileged mode: Task Command Step 1 Specify the download method. set vmps downloadmethod rcp | tftp [username] Step 2 Configure the IP address of the TFTP or rcp server. set vmps downloadserver ip_addr [filename]...
  • Page 204: Configuring Static Vlan Port Membership

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Troubleshooting VMPS and Dynamic Port VLAN Membership Configuring Static VLAN Port Membership To return a port to static VLAN port membership, perform this task in privileged mode: Task Command Step 1 Configure static port VLAN membership assignment to a port. set port membership mod_num/port_num static
  • Page 205: Troubleshooting Dynamic Port Vlan Membership

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Troubleshooting Dynamic Port VLAN Membership A dynamic port might shut down under these circumstances: • VMPS is in secure mode and it is illegal for the host to connect to the port. The port shuts down to prevent the host from connecting to the network.
  • Page 206: Dynamic Port Vlan Membership Configuration Example

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples !vmps-port-group <group-name> ! device <device-id> { port <port-name> | all-ports } vmps-port-group WiringCloset1 device 198.92.30.32 port 3/2 device 172.20.26.141 port 2/8 vmps-port-group "Executive Row" device 198.4.254.222 port 1/2 device 198.4.254.222 port 1/3 device 198.4.254.223 all-ports...
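Pages 200, 205 and 206 together describe how a VMPS decision is made: the requesting MAC address selects a VLAN, a VLAN that is restricted to a port group is checked against the requesting switch and port, and a host that is not allowed either receives "access denied" or, in secure mode, causes the port to shut down. The evaluator below is an added example, not code from the Cisco guide or from the VMPS implementation. It parses the ASCII database format excerpted above (the `vmps-port-group` / `device` stanza) together with the `vmps mode`, `vmps fallback`, `address ... vlan-name` and `vmps-port-policies vlan-name` stanzas of the same file format, and answers a (switch, port, MAC) query. The sample database is constructed for this example; its addresses, VLAN names and switch IPs are made up. `vmps-port-policies vlan-group` stanzas are deliberately not modelled.

```python
"""Evaluate a VMPS database the way pages 200 and 205 describe.

Added example, not from the Cisco guide. Supports the vmps mode, vmps
fallback, address/vlan-name, vmps-port-group and vmps-port-policies
vlan-name stanzas of the ASCII VMPS database format.
"""
import shlex
from typing import Dict, Optional, Set, Tuple

# Constructed sample database; addresses, names and switch IPs are made up.
SAMPLE_VMPS_DB = """\
vmps domain DSBU
vmps mode secure
vmps fallback default
!
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name finance
address 1223.5678.9abc vlan-name --NONE--
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 1/2
 device 198.4.254.222 port 1/3
 device 198.4.254.223 all-ports
!
vmps-port-policies vlan-name finance
 port-group "Executive Row"
 device 198.92.30.32 port 4/8
"""

Endpoint = Tuple[str, str]   # (switch address, port), '*' meaning all-ports


class VmpsDatabase:
    def __init__(self):
        self.mode = "open"                               # VMPS default mode
        self.fallback: Optional[str] = None              # VLAN for unknown MACs
        self.mac_vlan: Dict[str, str] = {}
        self.port_groups: Dict[str, Set[Endpoint]] = {}
        self.vlan_policies: Dict[str, Set[Endpoint]] = {}   # VLAN -> allowed ports

    @classmethod
    def parse(cls, text):
        db, ctx = cls(), None   # ctx: ("group", name) or ("policy", vlan)
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            tok = shlex.split(line)          # keeps "Executive Row" as one token
            if tok[:2] == ["vmps", "mode"]:
                db.mode = tok[2]
            elif tok[:2] == ["vmps", "fallback"]:
                db.fallback = tok[2]
            elif tok[0] == "address":
                db.mac_vlan[tok[1].lower()] = tok[3]
            elif tok[0] == "vmps-port-group":
                ctx = ("group", tok[1])
                db.port_groups.setdefault(tok[1], set())
            elif tok[0] == "vmps-port-policies" and tok[1] == "vlan-name":
                ctx = ("policy", tok[2])
                db.vlan_policies.setdefault(tok[2], set())
            elif tok[0] == "vmps-port-policies":
                ctx = None                   # vlan-group policies not modelled
            elif tok[0] == "device" and ctx:
                endpoint = (tok[1], tok[3] if tok[2] == "port" else "*")
                table = db.port_groups if ctx[0] == "group" else db.vlan_policies
                table[ctx[1]].add(endpoint)
            elif tok[0] == "port-group" and ctx and ctx[0] == "policy":
                db.vlan_policies[ctx[1]] |= db.port_groups.get(tok[1], set())
        return db

    def port_allowed(self, vlan, device, port):
        """Page 200: a VLAN restricted to a port group is checked against it."""
        allowed = self.vlan_policies.get(vlan)
        return allowed is None or (device, port) in allowed or (device, "*") in allowed

    def lookup(self, device, port, mac):
        """Return ('vlan', name), ('access-denied', why) or ('shutdown', why)."""
        vlan = self.mac_vlan.get(mac.lower(), self.fallback)
        if vlan is None or vlan == "--NONE--":
            return self._deny(f"{mac} is not permitted on the network")
        if not self.port_allowed(vlan, device, port):
            return self._deny(f"VLAN {vlan} is not allowed on {device} port {port}")
        return ("vlan", vlan)

    def _deny(self, why):
        # Page 205: in secure mode the port is shut down; otherwise "access denied".
        return ("shutdown" if self.mode == "secure" else "access-denied", why)
```

With the sample loaded, `db.lookup("198.92.30.32", "3/2", "aabb.ccdd.eeff")` returns a shutdown decision because the finance VLAN is restricted to the Executive Row ports, while the same MAC on 198.4.254.223 (all-ports) is assigned to finance; flipping `db.mode` to `open` turns the shutdown into a plain access denial, which is the difference page 205 describes.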
  • Page 207 Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Figure 12-1 Dynamic Port VLAN Membership Configuration TFTP server Primary VMPS Router Server 1 Switch 1 172.20.22.7 172.20.26.150 Client Switch 2 End station 1 172.20.26.151 Secondary VMPS Server 2...
  • Page 208: Dynamic Port Vlan Membership With Auxiliary Vlans

    Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs To configure VMPS and dynamic ports, follow these steps: Configure the VMPS server addresses on each VMPS client: Step 1 Configure the primary VMPS server IP address: Console>...
  • Page 209: Configuration Guidelines

    Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs Note For detailed information on auxiliary VLANs and Cisco voice-over-IP networks, refer to the "Configuring a Voice-over-IP Network" chapter in the Catalyst 6000 Family Software Configuration Guide.
  • Page 210 Chapter 12 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs This example shows that the auxiliary VLAN ID specified cannot be the same as the native VLAN ID: Console> (enable) set port auxiliaryvlan 5/10 223 Auxiliary vlan cannot be set to 223 as PVID=223.
  • Page 211: Chapter 13 Configuring Gvrp

    C H A P T E R Configuring GVRP This chapter describes how to configure the GARP VLAN Registration Protocol (GVRP) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 212: Default Gvrp Configuration

    Chapter 13 Configuring GVRP Default GVRP Configuration Default GVRP Configuration Table 13-1 shows the default GVRP configuration. Table 13-1 GVRP Default Configuration Feature Default Value GVRP global enable state Disabled GVRP per-trunk enable state Disabled on all ports GVRP dynamic creation of VLANs Disabled GVRP registration mode normal, with VLAN 1 set to fixed, for all ports...
  • Page 213: Enabling Gvrp Globally

    Chapter 13 Configuring GVRP Configuring GVRP Enabling GVRP Globally You must enable GVRP globally before any GVRP processing occurs on the switch. Enabling GVRP globally enables GVRP to perform VLAN pruning on 802.1Q trunk links. Pruning occurs only on GVRP-enabled trunks. For information on setting the per-trunk port GVRP enable state, see the “Enabling GVRP on Individual 802.1Q Trunk Ports”...
  • Page 214: Enabling Gvrp Dynamic Vlan Creation

    Chapter 13 Configuring GVRP Configuring GVRP To enable GVRP on individual 802.1Q-capable ports, perform this task in privileged mode: Task Command Step 1 Enable GVRP on an individual 802.1Q-capable port. set port gvrp enable mod_num/port_num Step 2 Verify the configuration. show gvrp configuration This example shows how to enable GVRP on 802.1Q-capable port 1/1: Console>...
  • Page 215: Configuring Gvrp Registration

    Chapter 13 Configuring GVRP Configuring GVRP Configuring GVRP Registration These sections describe how to configure GVRP registration modes on switch ports: • Setting GVRP Normal Registration, page 13-5 • Setting GVRP Fixed Registration, page 13-5 • Setting GVRP Forbidden Registration, page 13-5 Setting GVRP Normal Registration Configuring an 802.1Q trunk port in normal registration mode allows dynamic creation (if dynamic VLAN creation is enabled), registration, and deregistration of VLANs on the trunk port.
  • Page 216: Sending Gvrp Vlan Declarations From Blocking Ports

    Chapter 13 Configuring GVRP Configuring GVRP To configure GVRP forbidden registration on an 802.1Q trunk port, perform this task in privileged mode: Task Command Step 1 Configure forbidden registration on an 802.1Q trunk port. set gvrp registration forbidden mod_num/port_num Step 2 Verify the configuration.
  • Page 217: Displaying Gvrp Statistics

    Chapter 13 Configuring GVRP Configuring GVRP Note Modifying the GARP timer values affects the behavior of all GARP applications running on the switch, not just GVRP. (For example, GMRP uses the same timers.) You can modify the default GARP timer values on the switch. When setting the timer values, the value for leave must be equal to or greater than three times the join value (leave >= join * 3).
  • Page 218: Clearing Gvrp Statistics

    Chapter 13 Configuring GVRP Configuring GVRP Join In Received: Empty Received: LeaveIn Received: Leave Empty Received: Leave All Received: Join Empty Transmitted: Join In Transmitted: Empty Transmitted: Leave In Transmitted: Leave Empty Transmitted: 0 Leave All Transmitted: VTP Message Received: Console>...
  • Page 219 Chapter 13 Configuring GVRP Configuring GVRP This example shows how to disable GVRP globally on the switch: Console> (enable) set gvrp disable GVRP disabled Console> (enable) Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 13-9 78-12647-02...
  • Page 221 P A R T Directing and Filtering Traffic...
  • Page 223: Configuring Qos

    C H A P T E R Configuring QoS This chapter describes how to configure quality of service (QoS) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 224: Chapter 14 Configuring QoS

    Chapter 14 Configuring QoS Understanding How QoS Works QoS implements scheduling on supported egress ports with transmit queue drop thresholds and multiple transmit queues that use the 802.1p CoS values to give preference to higher-priority traffic. Figure 14-1 shows how QoS affects the traffic flow. Figure 14-1 Traffic Flow Through the Switch with QoS Enabled—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches Apply...
  • Page 225: Understanding Classification And Marking At The Ingress Port

    Chapter 14 Configuring QoS Understanding How QoS Works • Marking is the application of QoS labels to traffic. • Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values. • Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for traffic with high-priority CoS values.
  • Page 226: Software Requirements

    Chapter 14 Configuring QoS Software Requirements Software Requirements QoS requires supervisor engine software release 5.2 or later. Use the show port capabilities command to determine the specific QoS support for a module. QoS Default Configuration Table 14-1 shows the QoS default configuration. Table 14-1 QoS Default Configuration Feature Default Value...
  • Page 227: Enabling Qos Globally

    Chapter 14 Configuring QoS Configuring QoS Enabling QoS Globally To enable QoS globally on the switch, perform this task in privileged mode: Task Command Enable QoS on the switch. set qos enable This example shows how to enable QoS: Console> (enable) set qos enable QoS is enabled.
  • Page 228: Mapping Cos Values To Transmit Queues And Drop Thresholds

    Chapter 14 Configuring QoS Configuring QoS Mapping CoS Values to Transmit Queues and Drop Thresholds Use the set qos map command to associate CoS values to transmit queue drop thresholds. The port_type is hardware-dependent. Use the show port capabilities command to determine the port_type for your hardware.
  • Page 229: Displaying Qos Information

    Chapter 14 Configuring QoS Configuring QoS Displaying QoS Information To display QoS information, perform this task: Task Command Display QoS information. show qos info [runtime | config] This example shows how to display the current QoS configuration information for the switch: Console>...
  • Page 230 Chapter 14 Configuring QoS Configuring QoS This example shows how to disable QoS: Console> (enable) set qos disable QoS is disabled. Console> (enable)
  • Page 231: Understanding How Multicasting Works

    C H A P T E R Configuring Multicast Services This chapter describes how to configure multicast services, including Cisco Group Management Protocol (CGMP), Internet Group Management Protocol (IGMP) snooping, and GARP Multicast Registration Protocol (GMRP) on the Catalyst enterprise LAN switches.
  • Page 232: C H A P T E R 15 Configuring Multicast Services

    Configuring Multicast Services Understanding How Multicasting Works CGMP and IGMP software components run on both the Cisco router and the switch. A CGMP/IGMP-capable IP multicast router sees all IGMP packets and can inform the switch when specific hosts join or leave IP multicast groups.
  • Page 233: Understanding Gmrp Operation

    Layer 3 protocol (such as IP, IPX, and so forth). GMRP software components run on both the switch and on the host (Cisco is not a source for GMRP host software). On the host, GMRP is typically used with IGMP: the host GMRP software generates Layer 2 GMRP versions of the host’s Layer 3 IGMP control packets.
  • Page 234: Configuring Cgmp

    Chapter 15 Configuring Multicast Services Configuring CGMP Configuring CGMP These sections describe how to configure CGMP: • CGMP Hardware and Software Requirements, page 15-4 • Default CGMP Configuration, page 15-4 • Enabling CGMP, page 15-4 • Enabling CGMP Fast-Leave Processing, page 15-5 •...
  • Page 235: Enabling Cgmp Fast-Leave Processing

    Chapter 15 Configuring Multicast Services Configuring CGMP This example shows how to enable CGMP and verify the configuration: Console> (enable) set cgmp enable CGMP support for IP multicast enabled. Console> (enable) show cgmp statistics 1 CGMP enabled CGMP statistics for vlan 1: valid rx pkts received 211915 invalid rx pkts received...
  • Page 236: Displaying Multicast Router Information

    Chapter 15 Configuring Multicast Services Configuring CGMP Displaying Multicast Router Information When you enable CGMP, the switch automatically learns to which ports a multicast router is connected. To display dynamically learned multicast router information, perform one of these tasks in privileged mode: Task Command...
  • Page 237: Displaying Multicast Group Information

    Chapter 15 Configuring Multicast Services Configuring CGMP Displaying Multicast Group Information To display information about multicast groups, perform one of these tasks in privileged mode: Task Command Display information about multicast groups. show multicast group [mac_addr] [vlan_id] Display only information about multicast groups show multicast group cgmp [mac_addr] learned dynamically through CGMP.
  • Page 238: Disabling Cgmp Fast-Leave Processing

    Chapter 15 Configuring Multicast Services Configuring GMRP topology notifications received number of CGMP packets dropped 2032227 Console> (enable) Disabling CGMP Fast-Leave Processing To disable CGMP fast-leave processing, perform this task in privileged mode: Task Command Disable CGMP fast-leave processing on the switch. set cgmp leave disable
  • Page 239: Gmrp Software Requirements

    Chapter 15 Configuring Multicast Services Configuring GMRP • Clearing GMRP Statistics, page 15-15 • Disabling GMRP on the Switch, page 15-15 GMRP Software Requirements GMRP requires supervisor engine software release 5.1 or later. Default GMRP Configuration Table 15-2 shows the default GMRP configuration. Table 15-2 GMRP Default Configuration Feature Default Value...
  • Page 240: Enabling Gmrp On Individual Switch Ports

    Chapter 15 Configuring Multicast Services Configuring GMRP Port GMRP Status Registration ForwardAll -------------------------------------------- ----------- ------------ ---------- 1/1-2,3/1,6/1-48 Enabled Normal Disabled Console> (enable) Enabling GMRP on Individual Switch Ports You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally. Note However, GMRP will not function on any ports until you enable it globally.
  • Page 241: Enabling Gmrp Forward-All Option

    Chapter 15 Configuring Multicast Services Configuring GMRP This example shows how to disable GMRP on ports 6/10–14 and verify the configuration: Console> (enable) set port gmrp disable 6/10-14 GMRP disabled on ports 6/10-14. Console> (enable) show gmrp configuration Global GMRP Configuration: GMRP Feature is currently enabled on this switch.
  • Page 242: Configuring Gmrp Registration

    Chapter 15 Configuring Multicast Services Configuring GMRP Configuring GMRP Registration These sections describe how to configure GMRP registration modes on switch ports: • Setting Normal Registration Mode, page 15-12 • Setting Fixed Registration Mode, page 15-12 • Setting Forbidden Registration Mode, page 15-13 Setting Normal Registration Mode Configuring a port in normal registration mode allows dynamic GMRP multicast registration and deregistration on the port.
  • Page 243: Setting Forbidden Registration Mode

    Chapter 15 Configuring Multicast Services Configuring GMRP GMRP-Status Registration ForwardAll Port(s) ----------- ------------ ---------- -------------------------------------------- Enabled Normal Disabled 1/1-4 2/1-9,2/11-48 3/1-24 Enabled Fixed Disabled 2/10 Console> (enable) Setting Forbidden Registration Mode Configuring a port in forbidden registration mode deregisters all GMRP multicasts and prevents any further GMRP multicast registration on the port.
  • Page 244: Displaying Gmrp Statistics

    Chapter 15 Configuring Multicast Services Configuring GMRP When setting the timer values, the value for leave must be equal to or greater than three times the join value (leave >= join * 3). The value for leaveall must be greater than the value for leave (leaveall > leave).
  • Page 245: Clearing Gmrp Statistics

    Chapter 15 Configuring Multicast Services Configuring GMRP Join INs:250 Leaves:10 Leave Alls:35 Empties:5 Fwd Alls:0 Fwd Unregistered:0 Total valid GMRP Packets Transmitted:600 Join Empties:200 Join INs:150 Leaves:45 Leave Alls:200 Empties:5 Fwd Alls:0 Fwd Unregistered:0 Total valid GMRP Packets Received:0 Total GMRP packets dropped:0 Total GMRP Registrations Failed:0 Console>...
  • Page 246: Configuring Multicast Router Ports And Group Entries

    Chapter 15 Configuring Multicast Services Configuring Multicast Router Ports and Group Entries Configuring Multicast Router Ports and Group Entries These sections describe how to manually specify multicast router ports and configure multicast group entries: • Specifying Multicast Router Ports, page 15-16 •...
  • Page 247: Clearing Multicast Router Ports

    Chapter 15 Configuring Multicast Services Configuring Multicast Router Ports and Group Entries This example shows how to define multicast groups manually and verify the configuration (the asterisks indicate the entry was manually configured): Console> (enable) set cam static 01-00-11-22-33-44 2/6-12 Static multicast entry added to CAM table.
  • Page 249: Understanding How Port Security Works

    C H A P T E R Configuring Port Security This chapter describes how to configure port security on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 250: Chapter 16 Configuring Port Security

    Chapter 16 Configuring Port Security Understanding How Port Security Works Allocation of the maximum number of MAC addresses for each port depends on your network configuration. The following combinations are examples of valid allocations: • 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports. •...
  • Page 251: Restricting Traffic Based On The Host Mac Address

    Chapter 16 Configuring Port Security Port Security Configuration Guidelines Restricting Traffic Based on the Host MAC Address You can filter traffic based on a host MAC address, so that packets tagged with a specific source MAC address are discarded. When you specify a MAC address filter with the set cam filter command, incoming traffic from that host MAC address is dropped, and packets addressed to that host are not forwarded.
  • Page 252: Enabling Port Security

    Chapter 16 Configuring Port Security Configuring Port Security Enabling Port Security Port security is either autoconfigured or enabled manually by specifying a MAC address. If a MAC address is not specified, the source address from the incoming traffic is autoconfigured and secured, up to the maximum number of MAC addresses allowed.
  • Page 253: Specifying The Maximum Number Of Secure Mac Addresses

    Chapter 16 Configuring Port Security Configuring Port Security Specifying the Maximum Number of Secure MAC Addresses You can specify the number of MAC addresses to secure on a port. By default, at least one MAC address per port can be secured. In addition to this default, a global resource of up to 1024 MAC addresses is available to be shared by the ports.
  • Page 254: Clearing Mac Addresses

    Chapter 16 Configuring Port Security Configuring Port Security Clearing MAC Addresses Enter the clear port security command to clear MAC addresses from a list of secure addresses on a port. Note If the clear command is executed on a MAC address that is in use, that MAC address may be learned and made secure again.
  • Page 255: Specifying Shutdown Time

    Chapter 16 Configuring Port Security Configuring Port Security Note If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to connect to that port, port security blocks these additional hosts from being connected to that port as well as to any other port in the same VLAN for the duration of the VLAN aging time.
  • Page 256: Restricting Traffic Based On Host Mac Address

    Chapter 16 Configuring Port Security Configuring Port Security 3/24 1 00-e0-4f-ac-b4-00 Console> (enable) Restricting Traffic Based on Host MAC Address To restrict incoming or outgoing traffic for a specific MAC address, perform this task in privileged mode: Task Command Step 1 Discard traffic destined to or originating from a specific MAC address. set cam {static | permanent} filter unicast_mac
  • Page 257 Chapter 16 Configuring Port Security Configuring Port Security Task Command Step 1 Display the configuration. show port security [statistics] mod_num/ port_num Step 2 Display the port security statistics. show port security statistics [system] [mod_num/port_num] This example shows how to display port security configuration information and statistics: Console>...
  • Page 258 Chapter 16 Configuring Port Security Configuring Port Security Total ports: 48 Total MAC address(es): 48 Total global address space used (out of 1024): 0 Status: installed Console> (enable)
  • Page 259: Chapter 17 Configuring The Ip Permit List

    C H A P T E R Configuring the IP Permit List This chapter describes how to configure the IP permit list on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 260: Ip Permit List Default Configuration

    Chapter 17 Configuring the IP Permit List IP Permit List Default Configuration You can specify the same IP address in more than one entry in the permit list if the masks are different. The mask is applied to the address before it is stored in NVRAM, so that entries that have the same effect (but different addresses) are not stored.
  • Page 261: Enabling Ip Permit List

    Chapter 17 Configuring the IP Permit List Configuring the IP Permit List Console> (enable) set ip permit 172.20.52.3 all 172.20.52.3 added to IP permit list. Console> (enable) set ip permit 172.20.52.31 255.255.255.224 ssh 172.20.52.31 with mask 255.255.255.224 added to Ssh permit list. Console>...
  • Page 262: Disabling The Ip Permit List

    Chapter 17 Configuring the IP Permit List Configuring the IP Permit List Ssh permit list enabled. Snmp permit list enabled. Permit List Mask Access-Type ---------------- ---------------- ------------- 172.16.0.0 255.255.0.0 telnet 172.20.0.0 255.255.0.0 snmp 172.20.52.0 255.255.255.224 172.20.52.3 telnet ssh snmp Denied IP Address Last Accessed Time Type ----------------- ------------------ ------ Denied IP Address Last Accessed Time Type...
  • Page 263 Chapter 17 Configuring the IP Permit List Configuring the IP Permit List Caution Disable the IP permit list before clearing IP permit entries or host addresses. This action prevents your connection from being dropped by the switch you are configuring in case you clear your current IP address.
  • Page 265: Chapter 18 Configuring Protocol Filtering

    Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group. Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by protocol filtering. Dynamic VLAN ports and ports that have port security enabled are members of all protocol groups.
  • Page 266: Default Protocol Filtering Configuration

    Chapter 18 Configuring Protocol Filtering Default Protocol Filtering Configuration For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a switch port configured as auto for IPX, and the host is transmitting only IP traffic, the port to which the host is connected will not forward any IPX flood traffic to the host.
  • Page 267: Configuring Protocol Filtering

    Chapter 18 Configuring Protocol Filtering Configuring Protocol Filtering Configuring Protocol Filtering To configure protocol filtering on Ethernet, Fast Ethernet, and Gigabit Ethernet ports, perform this task in privileged mode: Task Command Step 1 Enable protocol filtering on the switch. set protocolfilter enable Step 2 Set the protocol membership of the desired ports.
  • Page 269: Monitoring And Managing The Switch

    A R T Monitoring and Managing the Switch...
  • Page 271: Checking Module Status

    C H A P T E R Checking Port Status and Connectivity This chapter describes how to check switch port status and connectivity on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 272: Checking Port Status

    Chapter 19 Checking Port Status and Connectivity Checking Port Status This example shows how to check module status on a Catalyst 2948G switch: Console> (enable) show module Mod Slot Ports Module-Type Model Status --- ---- ----- ------------------------- ------------------- -------- Switching Supervisor WS-X2948 10/100/1000 Ethernet WS-X2948G...
  • Page 273: C H A P T E R 19 Checking Port Status And Connectivity

    Chapter 19 Checking Port Status and Connectivity Checking Port Status disabled disabled 17 disabled disabled 18 disabled disabled 19 disabled disabled 20 Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported admin oper admin oper opcodes ----- -------- -------- -------- -------- ------- ------- ----------- desired desired...
  • Page 274: Checking Port Capabilities

    Chapter 19 Checking Port Status and Connectivity Checking Port Capabilities Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left ----- -------- ----------------- -------- ----------------- ------------------ Port Status Channel Admin Ch Mode Group Id ----- ---------- -------------------- ----- ----- inactive auto silent Port Align-Err FCS-Err Xmit-Err Rcv-Err...
  • Page 275: Using Telnet

    Chapter 19 Checking Port Status and Connectivity Using Telnet Security Membership static,dynamic Fast start QOS scheduling rx-(none),tx-(2q1t) CoS rewrite ToS rewrite Rewrite UDLD Inline power AuxiliaryVlan 1..1000,untagged,none SPAN source,destination This example shows you how to display the port capabilities for port 5 on module 3: Console>...
  • Page 276: Changing The Login Timer

    Chapter 19 Checking Port Status and Connectivity Changing the Login Timer This example shows how to Telnet from the switch to the remote host labsparc: Console> (enable) telnet labsparc Trying 172.16.10.3... Connected to labsparc. Escape character is '^]'. UNIX(r) System V Release 4.0 (labsparc) login: Changing the Login Timer The login timer is the number of minutes after which an idle session is disconnected.
  • Page 277: Monitoring User Sessions

    Chapter 19 Checking Port Status and Connectivity Monitoring User Sessions Note If you are using Kerberos to authenticate to the switch, you will not be able to use the secure shell encryption feature. To enable SSH on the switch, perform this task in privileged mode: Task Command Create the RSA host key.
  • Page 278: Using Ping

    Chapter 19 Checking Port Status and Connectivity Using Ping This example shows how to display information about user sessions using the noalias keyword to display the IP addresses of connected hosts: Console> (enable) show users noalias Session User Location -------- ---------------- ------------------------- console telnet 10.10.10.12...
  • Page 279: Executing Ping

    Chapter 19 Checking Port Status and Connectivity Using Ping These default values apply to the ping-s command: Table 19-1 Ping Default Values Ping Ping-s Number of 0=continuous Packets ping Packet Size Wait Time Source Host IP – Address Address Ping will return one of the following responses: •...
  • Page 280: Using Layer 2 Traceroute

    Chapter 19 Checking Port Status and Connectivity Using Layer 2 Traceroute 808 bytes from 12.20.2.3: icmp_seq=5. time=2 ms 808 bytes from 12.20.2.3: icmp_seq=6. time=2 ms 808 bytes from 12.20.2.3: icmp_seq=7. time=2 ms 808 bytes from 12.20.2.3: icmp_seq=8. time=2 ms 808 bytes from 12.20.2.3: icmp_seq=9. time=3 ms ----17.20.2.3 PING Statistics---- 10 packets transmitted, 10 packets received, 0% packet loss round-trip (ms)
  • Page 281: Identifying A Layer 2 Path

    Chapter 19 Checking Port Status and Connectivity Using IP Traceroute • The maximum number of hops an l2trace query will try is 10; this includes hops involved in source tracing. • The Layer 2 Traceroute utility does not work with Token Ring VLANs, or when multiple devices are attached to one port via hubs, or when multiple neighbors are on a port.
  • Page 282: Executing Ip Traceroute

    Chapter 19 Checking Port Status and Connectivity Using IP Traceroute drops the datagram and sends back an Internet Control Message Protocol (ICMP) time-exceeded message to the sender. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message.
  • Page 283: Chapter 20 Configuring Cdp

    CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices directly attached to the switch. In addition, CDP detects native VLAN and port duplex mismatches.
  • Page 284: Configuring Cdp

    Chapter 20 Configuring CDP Configuring CDP Table 20-1 CDP Default Configuration Feature Default Value CDP global enable state Enabled CDP port enable state Enabled on all ports CDP message interval 60 seconds CDP holdtime 180 seconds Configuring CDP These sections describe how to configure CDP: •...
  • Page 285: Setting The Cdp Enable State On A Port

    Chapter 20 Configuring CDP Configuring CDP Setting the CDP Enable State on a Port You can enable or disable CDP on a per-port basis. You must enable CDP globally before the switch will transmit CDP messages on any ports. To change the CDP enable state on a per-port basis, perform this task in privileged mode: Task Command Step 1...
  • Page 286: Setting The Cdp Message Interval

    : 100 Hold Time : 225 Console> (enable) Displaying CDP Neighbor Information To display information about directly connected Cisco devices, enter the show cdp neighbors command.
  • Page 287 To display the device capability codes for the connected device, enter the capabilities keyword. To display the device capability codes for the connected device, enter the detail keyword. • To display information about directly connected Cisco devices, perform this task in privileged mode: Task Command View information about CDP neighbors.
  • Page 288 Chapter 20 Configuring CDP Configuring CDP Platform: WS-C2948 Port-ID (Port on Neighbors's Device): 2/2 VTP Management Domain: Lab_Network Native VLAN: 522 Duplex: full Console> (enable)
  • Page 289: Chapter 21 Using Switch Topn Reports

    C H A P T E R Using Switch TopN Reports This chapter describes how to use the Switch TopN Reports utility on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 290: Running Switch Topn Reports Without The Background Option

    Chapter 21 Using Switch TopN Reports Understanding How Switch TopN Reports Works When the Switch TopN Reports utility starts, it gathers data from the appropriate hardware counters, and then goes into sleep mode for a user-specified period. When the sleep time ends, the utility gathers the current data from the same hardware counters, compares the current data with the earlier data, and stores the difference.
  • Page 291: Running And Viewing Switch Topn Reports

    Chapter 21 Using Switch TopN Reports Running and Viewing Switch TopN Reports Running and Viewing Switch TopN Reports To start a Switch TopN Report in the background and view the results, perform this task in privileged mode: Task Command Step 1 Start the Switch TopN Reports utility in the background. show top [N] [metric] [interval interval]
  • Page 292: Running And Viewing Switch Topn Reports

    Chapter 21 Using Switch TopN Reports Running and Viewing Switch TopN Reports PortType: Metric: pkts (Tx + Rx) Port Band- Uti Bytes Pkts Bcst Mcst Error Over width (Tx + Rx) (Tx + Rx) (Tx + Rx) (Tx + Rx) (Rx) flow ----- ----- --- -------------------- ---------- ---------- ---------- ----- ----...
  • Page 293 Chapter 21 Using Switch TopN Reports Running and Viewing Switch TopN Reports This example shows how to remove a specific Switch TopN report and how to remove all stored reports: Console> (enable) clear top 4 Console> (enable) 06/16/1998,17:36:45:MGMT-5:TopN report 4 killed by Console//. Console>...
  • Page 295: Chapter 22 Configuring Udld

    C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 296: Udld Software And Hardware Requirements

    Chapter 22 Configuring UDLD UDLD Software and Hardware Requirements The switch periodically transmits UDLD messages (packets) to neighbor devices on ports with UDLD enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
  • Page 297: Default Udld Configuration

    Chapter 22 Configuring UDLD Default UDLD Configuration Default UDLD Configuration Table 22-1 shows the default UDLD configuration. Table 22-1 UDLD Default Configuration Feature Default Value UDLD global enable state Globally disabled UDLD per-port enable state Enabled on all Ethernet, Fast Ethernet, and •...
  • Page 298: Enabling Udld On Individual Ports

    Chapter 22 Configuring UDLD Configuring UDLD Enabling UDLD on Individual Ports To enable UDLD on individual ports, perform this task in privileged mode: Task Command Step 1 Enable UDLD on a specific port. set udld enable mod_num/port_num Step 2 Verify the configuration. show udld port [mod_num[/port_num]] This example shows how to enable UDLD on port 4/1 and verify the configuration: Console>...
  • Page 299: Specifying The Udld Message Interval

    Software release 5.4(3) and later releases have UDLD aggressive mode. UDLD aggressive mode is disabled by default and its use is recommended only for point-to-point links between Cisco switches running software release 5.4(3) or later releases. With aggressive mode enabled, when a port on a bidirectional link stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor.
  • Page 300: Displaying The Udld Configuration

    Chapter 22 Configuring UDLD Configuring UDLD This example shows how to enable UDLD aggressive mode on the switch: Console> (enable) set udld aggressive-mode enable 4/1 Aggressive UDLD enabled on port 4/1. Console> (enable) This example shows how to verify that UDLD aggressive mode is enabled on the switch: Console>...
  • Page 301 Chapter 22 Configuring UDLD Configuring UDLD Table 22-2 show udld Command Output Fields Field Description UDLD Status of whether UDLD is enabled or disabled. Message Interval Message interval in seconds. Port Module and port numbers. Admin Status Status of whether administration status is enabled or disabled. Aggressive Mode Status of whether aggressive mode is enabled or disabled.
  • Page 303: Chapter 23 Configuring Snmp

    C H A P T E R Configuring SNMP This chapter describes how to configure Simple Network Management Protocol (SNMP) on Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 304 HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm. security model—The security strategy used by the SNMP agent. Currently, Cisco IOS supports three security models: SNMPv1, SNMPv2c, and SNMPv3.
  • Page 305: Understanding How Snmp Works

    Chapter 23 Configuring SNMP Understanding How SNMP Works Understanding How SNMP Works SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. There are three versions of SNMP: •...
  • Page 306: Snmp Ifindex Persistence Feature

    Chapter 23 Configuring SNMP Understanding How SNMPv1 and SNMPv2c Work • A group determines the list of notifications its users can receive. • A group also defines the security model and security level for its users. SNMP ifindex Persistence Feature The SNMP ifIndex persistence feature is always enabled.
  • Page 307: Snmpv1 And Snmpv2C Default Configuration

    RMON in the supervisor engine module software (see Chapter 24, “Configuring RMON”) RMON and RMON2 on an external SwitchProbe device • For information about MIBs, see http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. Note SNMPv1 and SNMPv2c Default Configuration Table 23-2 describes the SNMP default configuration.
  • Page 308: Configuring Snmpv1 And Snmpv2C From The Cli

    Chapter 23 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI Configuring SNMPv1 and SNMPv2c from the CLI This section provides basic SNMPv1 and SNMPv2c configuration information. For detailed information Note on the SNMP commands supported by the Catalyst enterprise LAN switches, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 309: Understanding Snmpv3

    Chapter 23 Configuring SNMP Understanding SNMPv3 read-write-all Root Trap-Rec-Address Trap-Rec-Community ---------------------------------------- -------------------- 172.16.10.10 read-write 172.16.10.20 read-write-all Console> (enable) Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). Understanding SNMPv3 SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security.
  • Page 310: Dispatcher

    Chapter 23 Configuring SNMP Understanding SNMPv3 Figure 23-1 SNMP Entity for Traditional SNMP Agents [figure: SNMP Engine with Dispatcher, Message Processing Subsystem (v1 MP, v2c MP, other), Security Subsystem (User-based security model), Access Control Subsystem (View-based access control model), Transport Mapping, Message Dispatcher, and other SNMP entities]...
  • Page 311: Security Subsystem

    Chapter 23 Configuring SNMP Understanding SNMPv3 Security Subsystem The Security Subsystem authenticates and encrypts messages. Each outgoing message is passed to the Security Subsystem from the Message Processing Subsystem. Depending on the services required, the Security Subsystem may encrypt the enclosed PDU and some fields in the message header. In addition, the Security Subsystem may generate an authentication code and insert it into the message header.
  • Page 312: Configuring Snmpv3 From An Nms

    Chapter 23 Configuring SNMP Configuring SNMPv3 from an NMS Configuring SNMPv3 from an NMS To configure SNMP from a Network Management System (NMS), refer to your NMS documentation (also see the “Using CiscoWorks2000” section on page 23-13). The switch supports up to 20 trap receivers through the RMON2 trap destination table. Configure the RMON2 trap destination table from the NMS.
  • Page 313 Chapter 23 Configuring SNMP Configuring SNMPv3 from the CLI Task Command Step 9 Configure the community table for the system default part, which maps community strings of previous versions of SNMP to SNMPv3. set snmp community {access_type} [community_string] (access_type = read-only | read-write | read-write-all)
  • Page 314 Chapter 23 Configuring SNMP Configuring SNMPv3 from the CLI Console> (enable) set snmp user guestuser2 authentication sha guestuser2password Snmp user was set to guestuser2 authProt sha authPasswd guestuser2password privProt no-priv with engineid 00:00:00:09:00:10:7b:f2:82:00:00:00 nonvolatile. These examples show how to set guestuser1 and guestuser2 as members of the groups guestgroup and mygroup: Console>...
  • Page 315: Using Ciscoworks2000

    Using CiscoWorks2000 CiscoWorks2000 is a family of web-based and management platform-independent products for managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot a switched internetwork. For more information, see the following publications: •...
  • Page 317: Chapter 24 Configuring Rmon

    C H A P T E R Configuring RMON This chapter describes how to configure RMON on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 318: Enabling Rmon

    Chapter 24 Configuring RMON Enabling RMON Enabling RMON RMON is disabled by default. Note To enable RMON, perform this task in privileged mode: Task Command Step 1 Enable RMON on the switch. set snmp rmon enable Step 2 Verify that RMON is enabled. show snmp This example shows how to enable RMON on the switch and how to verify that RMON is enabled: Console>...
  • Page 319 Chapter 24 Configuring RMON Supported RMON and RMON2 MIB Objects Table 24-1 Supervisor Engine RMON and RMON2 Support Module Object Identifier (OID) Definition Source Supervisor ...mib-2(1).rmon(16).statistics(1).etherStatsTable(1) Counters for packets, RFC 1757 Engine octets, broadcasts, errors, etc. Supervisor ...mib-2(1).rmon(16).history(2).historyControlTable(1) Periodically samples and RFC 1757 Engine ...mib-2(1).rmon(16).history(2).etherHistoryTable(2)
  • Page 321: Chapter 25 Configuring Span And Rspan

    C H A P T E R Configuring SPAN and RSPAN This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 322: Destination Port

    Chapter 25 Configuring SPAN and RSPAN Understanding How SPAN and RSPAN Work Destination Port A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis. After a port becomes an active destination port, it does not forward any traffic except that required for the SPAN session.
  • Page 323: Reflector Port

    Chapter 25 Configuring SPAN and RSPAN Understanding How SPAN and RSPAN Work Reflector Port The reflector port is the mechanism you use to copy packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.
  • Page 324: Trunk Vlan Filtering

    Chapter 25 Configuring SPAN and RSPAN SPAN and RSPAN Session Limits Trunk VLAN Filtering In software release 6.3(1) and later releases, you can use the filter option to select a set of VLANs in a trunk used in a SPAN session. Trunk VLAN filtering is the analysis of network traffic on a selected set of VLANs on trunk source ports.
  • Page 325: Span Configuration Guidelines

    Chapter 25 Configuring SPAN and RSPAN SPAN Configuration Guidelines Figure 25-1 Example SPAN Configuration [figure: port 5 traffic mirrored on port 10; ports 1 through 12, E6, E7; SwitchProbe attached to the destination port] For SPAN configuration, the source ports and the destination port must be on the same switch. SPAN does not affect the switching of network traffic on source ports;...
  • Page 326: Configuring Span

    Chapter 25 Configuring SPAN and RSPAN Configuring SPAN Configuring SPAN To configure SPAN, perform this task in privileged mode: Task Command Step 1 Configure a SPAN source and a SPAN destination port. set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create] Step 2...
  • Page 327 Chapter 25 Configuring SPAN and RSPAN Configuring SPAN This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed. Console>...
  • Page 328: Configuring Rspan

    For destination or intermediate switches—Any Catalyst 4000 family or Catalyst 6000 family switch • supervisor engine You cannot place any third-party or other Cisco switches in the end-to-end path for RSPAN traffic. Understanding How RSPAN Works See the “Understanding How SPAN and RSPAN Work” section on page 25-1...
  • Page 329: Rspan Configuration Guidelines

    Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN RSPAN has all the features of SPAN (see the “Understanding How SPAN Works” section on page 25-4), plus support for source ports and destination ports distributed across multiple switches, allowing remote monitoring of multiple switches across your network.
  • Page 330: Configuring Rspan

    Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN • For RSPAN, trunking is required if you have a source switch with all source ports in one VLAN (VLAN 2, for example) and it is connected to the destination switch through an uplink port that is also in the same VLAN.
  • Page 331 Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN To configure RSPAN VLANs, perform this task in privileged mode: Task Command Step 1 Configure RSPAN VLANs. set vlan vlan_num [rspan] Step 2 Verify the RSPAN VLAN configuration. show vlan This example shows how to set VLAN 500 as an RSPAN VLAN: Console>...
  • Page 332 Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN Reflector : Port 2/34 Rspan Vlan : 500 Admin Source : Port 2/3 Oper Source : Port 2/3 Direction : transmit/receive Incoming Packets: - Learning Filter : 50,850 Status : active Console> (enable) 2001 May 02 13:25:59 %SYS-5-SPAN_CFGSTATECHG:remote span sourc e session active for remote span vlan 500 To configure RSPAN source VLANs, perform this task in privileged mode: Task...
  • Page 333: Disabling Rspan Sessions

    Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN Rspan Vlan : 500 Admin Source Oper Source Direction Incoming Packets: disabled Learning : enabled Filter Status : active Console> (enable) Disabling RSPAN Sessions When disabling an RSPAN session, you must disable all source and destination sessions on all participating switches.
  • Page 334: Rspan Configuration Examples

    Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN RSPAN Configuration Examples The following sections have several examples on how to configure RSPAN. Configuring a Single RSPAN Session This example shows how to configure a single RSPAN session. Figure 25-3 shows an RSPAN configuration;...
  • Page 335: Adding Rspan Source Ports In Intermediate Switches

    Chapter 25 Configuring SPAN and RSPAN Configuring RSPAN Table 25-2 Making Modifications to an Active RSPAN Session Switch Action RSPAN CLI Commands A (source) Disable the RSPAN session. set rspan disable source 901 B (source) Remove source port 3/2 from RSPAN session. set rspan source 3/1, 3/3 901 reflector 3/4 B (source) Add source port 3/2 to RSPAN session.
  • Page 337: Administering The Switch

    A R T Administering the Switch...
  • Page 339: Chapter 26 Administering The Switch

    C H A P T E R Administering the Switch This chapter describes how to perform various administrative tasks on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 340: Configuring A Static System Name And Prompt

    Chapter 26 Administering the Switch Setting the System Name and System Prompt If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt (a greater-than symbol [>] is appended). The prompt is updated whenever the system name changes, unless you have manually configured the prompt using the set prompt command.
  • Page 341: Clearing The System Name

    Chapter 26 Administering the Switch Setting the System Contact and Location This example shows how to set the system prompt on the switch: Console> (enable) set prompt Catalyst4012> Catalyst4012> (enable) Clearing the System Name To clear the system name, perform this task in privileged mode: Task Command Clear the system name.
  • Page 342: Setting The System Clock

    Chapter 26 Administering the Switch Setting the System Clock System Name System Location System Contact ------------------------ ------------------------ ------------------------ --- Sunnyvale CA sysadmin@corp.com Console> (enable) Setting the System Clock You can configure the switch to obtain the time and date using the Network Time Protocol (NTP). For Note information on configuring NTP, see Chapter 35, “Configuring NTP.”...
  • Page 343: Clearing The Login Banner

    Chapter 26 Administering the Switch Defining and Using Command Aliases Unauthorized access prohibited. Contact sysadmin@corp.com for access. MOTD banner set Console> (enable) Clearing the Login Banner To clear the login banner, perform this task in privileged mode: Task Command Clear the message of the day. set banner motd cc This example shows how to clear the login banner: Console>...
  • Page 344 Chapter 26 Administering the Switch Defining and Using Command Aliases --- ---- ----- ------------------------- ------------------- --- -------- 1000BaseX Ethernet WS-X4306 Mod Module-Name Serial-Num --- ------------------- -------------------- JAB024000YY Mod MAC-Address(es) --- -------------------------------------- ------ ---------- ----------------- 00-10-7b-f6-b2-1a to 00-10-7b-f6-b2-1f 0.2 Console> (enable) sp3 Port Name Status...
  • Page 345: Defining And Using Ip Aliases

    Chapter 26 Administering the Switch Defining and Using IP Aliases Defining and Using IP Aliases You can use the set ip alias command to define aliases for IP addresses. IP aliases can make it easier to refer to other network devices when you use ping, telnet, and other commands, even when Domain Name System (DNS) is not enabled.
  • Page 346 Chapter 26 Administering the Switch Configuring Permanent and Static ARP Entries To configure a static or permanent ARP entry, perform this task in privileged mode: Task Command Step 1 Configure a static or permanent ARP entry. set arp [dynamic | permanent | static] {ip_addr hw_addr} Step 2 (Optional) Specify the ARP aging time.
  • Page 347: Configuring Static Routes

    Chapter 26 Administering the Switch Configuring Static Routes Console> (enable) show arp ARP Aging time = 300 sec + - Permanent Arp Entries * - Static Arp Entries + 10.1.1.1 at 00-80-1c-93-80-60 on vlan 1 * 20.1.1.1 at 00-80-1c-93-80-40 on vlan 1 Console>...
  • Page 348: Scheduling A System Reset

    Chapter 26 Administering the Switch Scheduling a System Reset 172.16.16.0 172.20.52.127 0xfffff000 default 172.20.52.121 172.20.52.120 172.20.52.124 0xfffffff8 default default 0xff000000 Console> (enable) Scheduling a System Reset These sections describe how to schedule a system reset: Scheduling a Reset at a Specific Time, page 26-10 •...
  • Page 349: Scheduling A Reset Within A Specified Amount Of Time

    Chapter 26 Administering the Switch Power Management Reset scheduled for 23:00:00, Sat Aug 18 2001 (in 0 day 8 hours 39 minutes). Console> (enable) This example shows how to schedule a reset with a minimum of downtime: Console> (enable) reset mindown at 23:00 08/18 Software upgrade to 6.3(1) Reset scheduled at 23:00:00, Sat Aug 18 2001.
  • Page 350: Power Redundancy

    Chapter 26 Administering the Switch Power Management In systems with redundant power supplies, both power supplies must be of the same wattage. The Catalyst 4000 family switches allow you to mix AC-input and DC-input power supplies in the same chassis. For detailed information on supported power supply configurations for each chassis, refer to the Catalyst 4000 Family Installation Guide.
  • Page 351 Chapter 26 Administering the Switch Power Management has been inserted and Insufficient power supplies operating. Additionally, if a chassis that has been operating in 1+1 redundancy mode with a valid module configuration is powered down, and you insert a module or change the module configuration inappropriately and power on the switch again, the module(s) in the chassis that require more power than is available are placed into reset mode at boot up.
  • Page 352: Power Consumption Of Modules

    Chapter 26 Administering the Switch Power Management This configuration requires 445W and cannot be used in 1+1 redundancy mode. When you plan for 1+1 redundancy mode, you must carefully budget the power usage of the modules in your chassis. An incorrect configuration will momentarily disrupt your system during the evaluation cycle.
  • Page 353: Setting The Power Budget

    Chapter 26 Administering the Switch Power Management Table 26-1 Power Consumption for Catalyst 4006 Modules (continued) Power Consumed Power Consumed During Operation in Reset Mode Module 12-port 1000BASE-T Gigabit Ethernet, plus 2-port 1000BASE-X (GBIC) Gigabit Ethernet WS-X4416 24-port 1000BASE-X Gigabit Ethernet WS-X4424-GE-RJ45 48-port 1000BASE-X Gigabit Ethernet WS-X4448-GB-LX...
  • Page 354: Generating System Status Reports For Tech Support

    Chapter 26 Administering the Switch Generating System Status Reports for Tech Support Generating System Status Reports for Tech Support Using a single command, you can generate a report that contains status information about your switch. This command is a combination of several show system status commands (Refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches for these commands.) You can upload the report to a TFTP server and send it to the Technical Assistance Center (TAC).
  • Page 355: Chapter 27 Configuring Switch Access Using Aaa

    C H A P T E R Configuring Switch Access Using AAA This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 356: Authentication Overview

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Authentication Overview You can configure any combination of these authentication methods to control access to the switch: • Login authentication • Local authentication • TACACS+ authentication RADIUS authentication • Kerberos authentication •...
  • Page 357: Understanding How Tacacs+ Authentication Works

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How TACACS+ Authentication Works TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. Unlike TACACS, TACACS+ runs over TCP (port 49) and obfuscates the entire packet body with the shared key, so usernames and passwords are not sent in the clear. TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or device.
  • Page 358: Understanding How Radius Authentication Works

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How RADIUS Authentication Works RADIUS is a client-server authentication and authorization access protocol used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers.
  • Page 359 Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Table 27-1 Kerberos Terminology Term Definition Kerberized Applications and services that have been modified to support the Kerberos credential infrastructure. Kerberos credential General term referring to authentication tickets, such as ticket granting tickets and service credentials.
  • Page 360: Using Kerberized Login Procedure

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Using Kerberized Login Procedure You can use a Kerberized Telnet session if you are logging in through the in-band management port. After the Telnet client and services have been Kerberized, the following process takes place when a user attempts to Telnet to the switch: The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the Kerberos server.
  • Page 361: Understanding How 802.1X Authentication Works

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Note A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login. If a non-Kerberized login is launched, the following process takes place: The switch prompts you for a username and password.
  • Page 362 Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Table 27-2 defines the terms used in 802.1x. Table 27-2 802.1x Terminology Term Definition Authenticator PAE (referred to as the “authenticator”): the entity at one end of a point-to-point LAN segment that enforces supplicant authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange.
  • Page 363: Traffic Control

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Traffic Control You can restrict traffic in both directions or just incoming traffic. Authentication Server The frames exchanged between the authenticator and the authentication server depend on the authentication mechanism, so they are not defined by the 802.1x standard. You can use other protocols, but we recommend RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS has built-in extensions for encapsulating EAP frames.
  • Page 364: Authentication Default Configuration

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Authentication Default Configuration Table 27-3 shows the default configuration for authentication. Table 27-3 Default Authentication Configuration Feature Default Value Login authentication (console and Telnet) Enabled Local authentication (console and Telnet) Enabled TACACS+ login authentication (console and Telnet) Disabled TACACS+ enable authentication (console and Telnet)
  • Page 365: Authentication Configuration Guidelines

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Table 27-3 Default Authentication Configuration (continued) Feature Default Value 802.1x number of frames retransmitted from backend authenticator to supplicant 802.1x automatic supplicant reauthentication time 3600 seconds 802.1x automatic authenticator reauthentication of supplicant Disabled Authentication Configuration Guidelines These guidelines apply when configuring authentication on the switch:...
  • Page 366: Configuring Login Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Configuring Login Authentication These sections describe how to configure login authentication on the switch: • Setting Authentication Login Attempts on the Switch, page 27-12 • Setting Authentication Login Attempts for Privileged Mode, page 27-13 Setting Authentication Login Attempts on the Switch To set up login authentication on the switch, perform this task in privileged mode: Task...
  • Page 367: Setting Authentication Login Attempts For Privileged Mode

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Setting Authentication Login Attempts for Privileged Mode To set up login authentication for privileged mode, perform this task in privileged mode:
    Task Command
    Step 1 Enable login attempt for privileged mode. Use the console or telnet keywords if you want to enable...
    Command: set authentication enable attempt {count} [console | telnet]
  • Page 368: Enabling Local Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Enabling Local Authentication Local login and enable authentication are enabled for both console and Telnet connections by default. Note You do not need to perform these tasks unless you want to modify the default configuration or you have disabled local authentication.
  • Page 369: Setting The Enable Password

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication To set the login password for local authentication, perform this task in privileged mode: Task Command Set the login password for access. Enter your old set password password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
  • Page 370: Recovering A Lost Password

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication To disable local authentication on the switch, perform this task in privileged mode:
    Task Command
    Step 1 Disable local login authentication. Use the console or telnet keywords to disable local authentication only for console or Telnet connection attempts.
    Command: set authentication login local disable [all | console | http | telnet]
  • Page 371: Configuring Tacacs+ Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Step 6 Enter the set password or set enablepass command, as appropriate. Step 7 When prompted for your old password, press Return. Step 8 Enter and confirm your new password. Configuring TACACS+ Authentication These sections describe how to configure TACACS+ authentication on the switch.
  • Page 372: Enabling Tacacs+ Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Enable Authentication: Console Session Telnet Session ---------------------- ----------------- ---------------- tacacs disabled disabled radius disabled disabled local enabled(primary) enabled(primary) Tacacs key: Tacacs login attempts: 3 Tacacs timeout: 5 seconds Tacacs direct request: disabled Tacacs-Server Status ----------------------------------------...
  • Page 373: Specifying The Tacacs+ Key

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication tacacs enabled(primary) enabled(primary) radius disabled disabled local enabled enabled Enable Authentication: Console Session Telnet Session ---------------------- ----------------- ---------------- tacacs enabled(primary) enabled(primary) radius disabled disabled local enabled enabled Console> (enable) Specifying the TACACS+ Key If you configure a TACACS+ key on the client, make sure you configure an identical key on the Note TACACS+ server.
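    Why the key must be identical on the switch and the server, shown with an added example that is not part of the Cisco guide: the following Python code implements the TACACS+ packet header and the MD5-based body obfuscation from RFC 8907 (the guide calls this encrypting the packet with the TACACS+ key). The key Secret_TACACS_key is the value shown in the guide's show tacacs output; the username admin, port tty0, remote address 172.20.52.3 and the session ID are constructed values used only for this demonstration.

```python
import hashlib
import struct

# TACACS+ header fields (RFC 8907): version, type, seq_no, flags, session_id, length.
# Version byte 0xc0 = major version 0xc, minor version 0.
TAC_PLUS_VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # 12 bytes, network byte order


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the digests are
    concatenated and truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. The operation is its own inverse, so the
    same call both obfuscates on the sender and recovers the body on the receiver."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login:
    action=LOGIN(1), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1),
    then the four length bytes and the variable-length fields (data is empty)."""
    return (bytes([0x01, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
            + user + port + rem_addr)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header in cleartext, body obfuscated with the shared key (flags = 0)."""
    header = HEADER.pack(TAC_PLUS_VERSION, pkt_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_header(packet: bytes) -> dict:
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    return dict(version=version, type=pkt_type, seq_no=seq_no, flags=flags,
                session_id=session_id, length=length)


def decode_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body as the receiving end would. With a mismatched key the
    XOR simply yields garbage, which is why both ends must share the same key."""
    h = parse_header(packet)
    body = packet[12:12 + h["length"]]
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        # The peer sent cleartext. A hardened server rejects this unless it is
        # explicitly configured to accept unobfuscated packets.
        return body
    return obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])


if __name__ == "__main__":
    key = b"Secret_TACACS_key"          # constructed: the key from the guide's show tacacs output
    start = authen_start_body(b"admin", b"tty0", b"172.20.52.3")
    pkt = build_packet(start, 0x1234ABCD, key)
    print("on the wire:", pkt.hex())
    print("right key  :", decode_body(pkt, key) == start)
    print("wrong key  :", decode_body(pkt, b"wrong-key") == start)
```

    Note that only the 12-byte header is readable on the wire; the body, including the username, is covered by the pad, and every packet in the session (each seq_no) derives a different pad from the same key.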
  • Page 374: Setting The Tacacs+ Login Attempts

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to set the server timeout interval and verify the configuration: Console> (enable) set tacacs timeout 30 Tacacs timeout set to 30 seconds. Console> (enable) show tacacs Tacacs key: Secret_TACACS_key Tacacs login attempts: 3 Tacacs timeout: 30 seconds Tacacs direct request: disabled...
  • Page 375: Disabling Tacacs+ Directed Request

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to enable TACACS+ directed request and verify the configuration: Console> (enable) set tacacs directedrequest enable Tacacs direct request has been enabled. Console> (enable) show tacacs Tacacs key: Secret_TACACS_key Tacacs login attempts: 5 Tacacs timeout: 30 seconds Tacacs direct request: enabled...
  • Page 376: Clearing The Tacacs+ Key

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Clearing the TACACS+ Key To clear the TACACS+ key, perform this task in privileged mode: Task Command Step 1 Clear the TACACS+ key. clear tacacs key Step 2 Verify the TACACS+ configuration. show tacacs This example shows how to clear the TACACS+ key: Console>...
  • Page 377: Configuring Radius Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Configuring RADIUS Authentication These sections describe how to configure RADIUS authentication on the switch. • Specifying RADIUS Servers, page 27-23 • Enabling RADIUS Authentication, page 27-24 • Specifying the RADIUS Key, page 27-25 Setting the RADIUS Timeout Interval, page 27-26 •...
  • Page 378: Enabling Radius Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Enabling RADIUS Authentication Specify at least one RADIUS server before enabling RADIUS authentication on the switch. For Note information on specifying a RADIUS server, see the “Specifying RADIUS Servers” section on page 27-23.
  • Page 379: Specifying The Radius Key

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication tacacs disabled disabled radius enabled(primary) enabled(primary) local enabled enabled Console> (enable) Specifying the RADIUS Key The RADIUS key is the shared secret used to hide the User-Password attribute and to authenticate the replies (Access-Accept, Access-Reject, Access-Challenge) that the RADIUS server sends to the switch; the other attributes, including the username, travel in cleartext. You must configure the same key on the client and the RADIUS server; otherwise the server recovers a garbled password and the switch cannot validate the server's replies. The length of the key is limited to 65 characters.
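    What the RADIUS key actually protects, as an added example that is not from the Cisco guide: this Python code builds an Access-Request the way a NAS such as the switch would, hides the User-Password attribute with the shared secret (RFC 2865 section 5.2), and computes and verifies the Response Authenticator on the server's reply (RFC 2865 section 3). The secret Secret_RADIUS_key is the value shown in the guide's show radius output; the username, password, NAS IP address and the fixed Request Authenticator are constructed values for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is secret-keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it. With the wrong secret the
    XOR stream is wrong and the result is garbage."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_header(packet: bytes):
    """Return (code, identifier, length, authenticator) from the 20-byte header."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return code, identifier, length, packet[4:20]


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the TLVs after the header (one value per type)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, request_authenticator: bytes = None) -> bytes:
    """Access-Request as sent by the NAS; the Request Authenticator is 16 random bytes."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def server_recover_password(request: bytes, secret: bytes) -> bytes:
    """What the server sees after applying its copy of the shared secret."""
    return reveal_password(parse_attributes(request)[USER_PASSWORD], secret, request[4:20])


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: a reply forged without the secret fails here."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"Secret_RADIUS_key"   # constructed: the key from the guide's show radius output
    req = build_access_request(7, secret, b"admin", b"c1sco!", "172.20.52.1")
    print("username visible on the wire:", b"admin" in req)
    print("password visible on the wire:", b"c1sco!" in req)
    print("server with right secret    :", server_recover_password(req, secret))
    print("server with wrong secret    :", server_recover_password(req, b"wrong-key"))
    print("forged Access-Accept passes :", verify_response(build_response(ACCESS_ACCEPT, req, b"guess"), req, secret))
```

    Two caveats a practitioner should take from this: the Access-Request itself carries no integrity protection unless the Message-Authenticator attribute (RFC 2869) is added, and the whole scheme rests on MD5 keyed with the shared secret, so the secret should be long, random and unique per NAS.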
  • Page 380: Setting The Radius Timeout Interval

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Setting the RADIUS Timeout Interval You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds. To specify the RADIUS timeout interval, perform this task in privileged mode: Task Command Step 1...
  • Page 381: Setting The Radius Dead Time

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to specify the RADIUS retransmit count as 4 and how to verify the configuration: Console> (enable) set radius retransmit 4 Radius retransmit count set to 4. Console> (enable) show radius Login Authentication: Console Session Telnet Session...
  • Page 382: Clearing Radius Servers

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication ---------------------- ----------------- ---------------- tacacs disabled disabled radius enabled(primary) enabled(primary) local enabled enabled Radius Deadtime: 5 minutes Radius Key: Secret_RADIUS_key Radius Retransmit: Radius Timeout: 10 seconds Radius-Server Status Auth-port ----------------------------- ------- ------------ 172.20.52.3 primary 1812...
  • Page 383: Disabling Radius Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication radius disabled disabled local enabled(primary) enabled(primary) Enable Authentication: Console Session Telnet Session ---------------------- ----------------- ---------------- tacacs disabled disabled radius disabled disabled local enabled(primary) enabled(primary) Radius Deadtime: 0 minutes Radius Key: Radius Retransmit: Radius Timeout: 5 seconds Radius-Server...
  • Page 384: Configuring Kerberos Authentication

    Step 1 will use. In the following example, a database called CISCO.EDU is created:
    /usr/local/sbin/kdb5_util create -r CISCO.EDU -s
    Step 2 Add the switch to the database. The following example adds a switch called Cat4012 to the CISCO.EDU database:
    ank host/Cat4012.cisco.edu@CISCO.EDU
    Step 3 Add the user name.
  • Page 385: Enabling Kerberos

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Enabling Kerberos To enable Kerberos authentication, perform this task in privileged mode: Task Command Step 1 Specify Kerberos as the authentication method. set authentication login kerberos enable [all | console | http | telnet] [primary] Step 2 Verify the configuration.
  • Page 386: Specifying A Kerberos Server

    This example shows how to define a local-realm and how to verify the configuration: Console> (enable) set kerberos local-realm CISCO.COM Kerberos local realm for this switch set to CISCO.COM. Console> (enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM,...
  • Page 387: Mapping A Kerberos Realm To A Host Name Or Dns Domain

    {dns-domain | host} kerberos-realm entry. This example shows how to map the DNS domain CISCO to the Kerberos realm CISCO.COM and how to clear the entry: Console> (enable) set kerberos realm CISCO CISCO.COM Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM Console>...
  • Page 388: Deleting An Srvtab Entry

    This example shows how to retrieve a SRVTAB file from the KDC, enter a SRVTAB directly into the switch, and verify the configuration: Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab Console> (enable) Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM...
  • Page 389: Enabling Credentials Forwarding

    Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9 Console> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console>...
  • Page 390: Disabling Credentials Forwarding

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Disabling Credentials Forwarding To clear the credentials forwarding configuration, perform this task in privileged mode: Task Command Clear the credentials forwarding configuration. clear kerberos credentials forward This example shows how to clear the credentials forwarding configuration and verify the change: Console>...
  • Page 391: Defining A Private Des Key

    Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key:abcd Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11 Console> (enable) To clear the DES key, perform this task in privileged mode: Task Command Clear a DES key from the switch.
  • Page 392: Monitoring And Maintaining Kerberos

    Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9 Console> (enable) To display Kerberos credentials information, perform this task in privileged mode:...
  • Page 393: Configuring 802.1X Authentication

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication To clear all Kerberos credentials, perform this task in privileged mode: Task Command Clear all credentials. clear kerberos creds This example shows how to clear all credentials from the switch: Console> (enable) clear kerberos creds Console>...
  • Page 394: Disabling 802.1X Globally

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication To globally enable 802.1x authentication, perform this task in privileged mode: Task Command Globally enable 802.1x. set dot1x system-auth-control enable This example shows how to globally enable 802.1x authentication: Console> (enable) set dot1x system-auth-control enable dot1x system-auth-control enabled.
  • Page 395: Setting And Enabling Automatic Reauthentication Of The Supplicant

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to enable 802.1x authentication on port 1 in module 4, initialize 802.1x authentication on the same port, and verify the configuration: Console> (enable) set port dot1x 4/1 port-control auto Port 4/1 dot1x port-control is set to auto.
  • Page 396: Manually Reauthenticating The Supplicant

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Manually Reauthenticating the Supplicant You can manually reauthenticate the supplicant connected to a specific port at any time. When you want to configure automatic 802.1x supplicant reauthentication, see the “Setting and Enabling Automatic Reauthentication of the Supplicant”...
  • Page 397: Setting The Quiet Period

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Setting the Quiet Period When the authenticator cannot authenticate the supplicant, it remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. (The default is 60 seconds.) You may set the value from 0 to 65535 seconds.
  • Page 398: Layer Packets

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to set the back-end authenticator-to-supplicant retransmission time for the EAP-request frame to 15 seconds: Console> (enable) set dot1x supp-timeout 15 dot1x supp-timeout set to 15 seconds. Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets The authentication server notifies the back-end authenticator each time it receives a transport layer packet.
  • Page 399: Resetting The 802.1X Configuration Parameters To The Default Values

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Resetting the 802.1x Configuration Parameters to the Default Values You can reset the 802.1x configuration parameters to the default values with a single command, which also globally disables 802.1x. To reset the 802.1x configuration parameters to the default values, perform this task in privileged mode: Task Command Step 1...
  • Page 400: Using The Show Commands

    Chapter 27 Configuring Switch Access Using AAA Configuring Authentication Using the show Commands You can use these show commands to access information about 802.1x authentication and its configuration: show port dot1x help • show port dot1x • show port dot1x statistics •...
  • Page 401: Authentication Example

    Chapter 27 Configuring Switch Access Using AAA Authentication Example This example shows how to display the statistics for the different types of EAP frames transmitted and received by the authenticator on port 1 on module 4: Console> (enable) show port dot1x statistics 4/1 Port Tx_Req/Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp/Id Rx_Resp -----...
  • Page 402 Chapter 27 Configuring Switch Access Using AAA Authentication Example Figure 27-3 TACACS+ Example Network Topology (a TACACS+ server at 172.20.52.10, the switch, a terminal on the console port connection, and Workstation A). This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet connections and local authentication is enabled for console connections.
  • Page 403: Understanding How Authorization Works

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authorization Works Understanding How Authorization Works These sections describe how authorization works: • Authorization Overview, page 27-49 Authorization Events, page 27-49 • TACACS+ Primary Options and Fallback Options, page 27-49 • TACACS+ Command Authorization, page 27-50 •...
  • Page 404: Tacacs+ Command Authorization

    Chapter 27 Configuring Switch Access Using AAA Understanding How Authorization Works TACACS+ Command Authorization You can require authorization for all commands or for configuration (enable mode) commands only. Configuration commands include the following: • copy • clear • commit • configure •...
  • Page 405: Configuring Authorization

    Chapter 27 Configuring Switch Access Using AAA Configuring Authorization Configuring Authorization These sections describe how to configure authorization: • Authorization Default Configuration, page 27-51 TACACS+ Authorization Configuration Guidelines, page 27-51 • Configuring TACACS+ Authorization, page 27-51 • Authorization Default Configuration Table 27-4 shows the default authorization configuration.
  • Page 406: Enabling Tacacs+ Authorization

    Chapter 27 Configuring Switch Access Using AAA Configuring Authorization Enabling TACACS+ Authorization To enable TACACS+ authorization on the switch, perform this task in privileged mode:
    Task Command
    Step 1 Enable authorization for normal login mode. Use the console or telnet keywords if you want to enable authorization only for console port or...
    Command: set authorization exec enable {option} {fallbackoption} [console | telnet | both]
  • Page 407: Disabling Tacacs+ Authorization

    Chapter 27 Configuring Switch Access Using AAA Configuring Authorization all: Console: -------- Primary Fallback ------- -------- exec: tacacs+ deny enable: tacacs+ deny commands: config: tacacs+ deny all: Console> (enable) Disabling TACACS+ Authorization To disable TACACS+ authorization on the switch, perform this task in privileged mode: Task Command Step 1...
  • Page 408: Authorization Example

    Chapter 27 Configuring Switch Access Using AAA Authorization Example This example shows how to disable TACACS+ command authorization for both console and Telnet connections and how to verify the configuration: Console> (enable) set authorization commands disable both Successfully disabled commands authorization. Console>...
  • Page 409: Understanding How Accounting Works

    Chapter 27 Configuring Switch Access Using AAA Understanding How Accounting Works Figure 27-4 TACACS+ Example Network Topology (a TACACS+ server at 172.20.52.10, the switch, a terminal on the console port connection, and Workstation A). In this example, TACACS+ authorization is enabled for enable mode access to the switch for both Telnet and console connections, authorizing configuration commands: Console>...
  • Page 410: Accounting Overview

    Chapter 27 Configuring Switch Access Using AAA Understanding How Accounting Works • Updating the Server, page 27-58 • Suppressing Accounting, page 27-58 Accounting Overview You can configure these accounting methods to monitor access to the switch: TACACS+ accounting • RADIUS accounting •...
  • Page 411: Specifying When To Create Accounting Records

    Chapter 27 Configuring Switch Access Using AAA Understanding How Accounting Works Specifying When to Create Accounting Records You can configure the switch to gather accounting information and create records. When accounting is configured (using the set accounting command), the switch can generate two types of records: •...
  • Page 412: Updating The Server

    Chapter 27 Configuring Switch Access Using AAA Configuring Accounting local enabled(primary) enabled(primary) Radius Deadtime: 0 minutes Radius Key: Radius Retransmit: Radius Timeout: 5 seconds Radius-Server Status Auth-port ----------------------------- ------- ------------ 172.20.52.3 primary 1812 Console> (enable) Updating the Server You can configure the switch to send accounting information to the TACACS+ server. There are two options: •...
  • Page 413: Accounting Configuration Guidelines

    Chapter 27 Configuring Switch Access Using AAA Configuring Accounting Table 27-5 Accounting Default Configuration Feature Default Value Accounting Disabled Accounting events (exec, system, commands, and connect) Disabled Accounting records Stop-only Accounting Configuration Guidelines These guidelines apply when configuring accounting on the switch: Configure RADIUS and TACACS+ servers before enabling accounting.
  • Page 414 Chapter 27 Configuring Switch Access Using AAA Configuring Accounting
    Task Command
    Step 6 Configure accounting to be updated as new information is available.
    Command: set accounting update {new-info | {periodic [interval]}}
    Step 7 Verify the accounting configuration.
    Command: show accounting
    This example shows how to enable stop-only TACACS+ accounting events: Console>...
  • Page 415: Disabling Accounting

    Chapter 27 Configuring Switch Access Using AAA Configuring Accounting Disabling Accounting To disable accounting on the switch, perform this task in privileged mode: Task Command Step 1 Disable accounting for connection events. set accounting connect disable Step 2 Disable accounting for EXEC mode. set accounting exec disable Step 3 Disable accounting for system events.
  • Page 416: Accounting Example

    Accounting Example
    (tail of the show accounting output)
    -----  -----  ------
    Exec
    Connect
    Command
    System
    Console> (enable)
    Figure 27-5 shows a simple network topology using TACACS+. When Workstation A initiates an accountable event on the switch, the switch gathers event information and forwards the information to the server at the conclusion of the event.
  • Page 417 Accounting Example
    Accounting information:
    -----------------------
    Active Accounted actions on tty0, User (null) Priv 0
    Active Accounted actions on tty288091924, User (null) Priv 0
    Overall Accounting Traffic:
               Starts  Stops  Active
               ------  -----  ------
    Exec
    Connect
    Command
    System
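The chapter describes when records are generated (at the end of an event by default, or as start-stop pairs with periodic or new-info updates) but not what each choice lets you reconstruct afterwards on the server. The script below is an added example, not part of the Cisco guide, that correlates accounting records from a TACACS+ server's log into sessions, commands and system events. The record layout (tab-separated timestamp, switch address, user, port, record type, then attribute=value pairs) and every record in it are constructed for the example; real daemons differ in detail but carry the same fields. Running it over the same log with the start records removed shows what stop-only accounting loses: the session that never stopped disappears.

```python
"""Correlate AAA accounting records into sessions.

Added example, not from the Cisco guide. The records below are constructed
to resemble a TACACS+ server's accounting log, one tab-separated record per
line: timestamp, switch address, user, port, record type (start/stop), then
attribute=value pairs. That layout is an assumption for this example.
"""
from datetime import datetime

TS_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: an EXEC session with start and stop records and one
# command record inside it, a second EXEC session with a start record but
# no stop (the switch reset while it was open), and the system event that
# the reset itself produced.
SAMPLE_LOG = """\
07/21/2000 13:40:02\t172.20.52.10\tadmin\ttty0\tstart\tservice=shell
07/21/2000 13:41:10\t172.20.52.10\tadmin\ttty0\tstop\tservice=shell\tcmd=set vlan 10 2/1
07/21/2000 13:45:30\t172.20.52.10\tadmin\ttty0\tstop\tservice=shell\telapsed_time=328
07/21/2000 13:50:00\t172.20.52.10\toper\ttty288091924\tstart\tservice=shell
07/21/2000 13:51:39\t172.20.52.10\t\t\tstop\tservice=system\tevent=sys_reboot
"""


def parse_record(line):
    """Split one record into a dict; attribute=value pairs become keys."""
    ts, nas, user, port, kind, *attrs = line.rstrip("\n").split("\t")
    rec = {"time": datetime.strptime(ts, TS_FMT), "nas": nas,
           "user": user, "port": port, "kind": kind}
    for attr in attrs:
        key, _, value = attr.partition("=")
        rec[key] = value
    return rec


def correlate(log_text, now_text):
    """Pair start and stop records per (switch, user, port).

    Returns (closed, open_sessions, commands, events):
      closed        (user, port, seconds) for sessions with both records
      open_sessions (user, port, seconds so far) for starts with no stop;
                    only start-stop accounting makes these visible at all
      commands      (user, command) from command accounting records
      events        (time, event) from system accounting records
    """
    now = datetime.strptime(now_text, TS_FMT)
    pending, closed, commands, events = {}, [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["nas"], rec["user"], rec["port"])
        if rec["kind"] == "start":
            pending[key] = rec
        elif rec.get("service") == "system":
            events.append((rec["time"].strftime(TS_FMT), rec.get("event", "")))
        elif "cmd" in rec:
            commands.append((rec["user"], rec["cmd"]))
        elif rec["kind"] == "stop":
            start = pending.pop(key, None)
            if start is None:            # stop-only accounting: nothing to pair with
                seconds = int(rec.get("elapsed_time", "0"))
            else:
                seconds = int((rec["time"] - start["time"]).total_seconds())
            closed.append((rec["user"], rec["port"], seconds))
    open_sessions = [(user, port, int((now - rec["time"]).total_seconds()))
                     for (_, user, port), rec in pending.items()]
    return closed, open_sessions, commands, events


if __name__ == "__main__":
    closed, still_open, cmds, evs = correlate(SAMPLE_LOG, "07/21/2000 14:00:00")
    print("closed sessions:", closed)
    print("sessions with no stop record:", still_open)
    print("commands:", cmds)
    print("system events:", evs)
```

With start-stop records the oper session on tty288091924 shows up as open with no stop record, right next to the system reset that cut it off; with stop-only records the same log contains nothing about that session.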
  • Page 419: Chapter 28 Modifying The Switch Boot Configuration

    C H A P T E R Modifying the Switch Boot Configuration This chapter describes how to modify the switch boot configuration, including the BOOT environment variable and the configuration register on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 420: Understanding The Rom Monitor

    Chapter 28 Modifying the Switch Boot Configuration Understanding How the Switch Boot Configuration Works Two user-configurable parameters determine how the switch boots: the configuration register and the BOOT environment variable. The configuration register is described in the “Understanding the Configuration Register” section on page 28-2.
  • Page 421: Understanding The Boot Environment Variable

    Understanding How the Switch Boot Configuration Works
    The other bits in the configuration register function as follows when set:
    • Bit 5 (0x0020): Enables CONFIG_FILE recurrence.
    • Bit 6 (0x0040): Causes system software to clear NVRAM contents.
    •...
    Because bit 6 discards the saved configuration, passwords included, anyone who can set the configuration register (from privileged mode, or from the ROM monitor on the console) can bring the switch up without its access controls. Console access and the enable password are the security boundary here; treat a switch that has booted with an unexpected register value as one whose configuration must be re-verified.
  • Page 422: Default Switch Boot Configuration

    Chapter 28 Modifying the Switch Boot Configuration Default Switch Boot Configuration When the switch boots up, if any of the files specified in the CONFIG_FILE environment variable are valid configuration files, the configuration in NVRAM is erased and the system uses the specified configuration file to configure the switch.
  • Page 423: Setting Config_File Recurrence

    Setting the Configuration Register
    The following boot methods are supported:
    • ROM monitor: Use the rommon keyword to keep the switch in ROM-monitor mode at startup.
    • Bootflash: Use the bootflash keyword to cause the switch to boot from the first image stored in the onboard Flash.
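The register is presented above one bit at a time, which makes it easy to misread a value seen in show boot. The following is an added example, not code from the Cisco guide, that decodes a register value into the fields this chapter documents and lists what a reviewer would flag before the next reload. The boot field values for rommon (0x0) and bootflash (0x1) and bits 5 and 6 are taken from the chapter; treating any other boot-field value as "boot the image named by the BOOT environment variable" is an assumption based on the set boot config-register boot {rommon | bootflash | system} syntax, and any bits outside these fields are reported rather than interpreted.

```python
"""Decode and audit a Catalyst configuration register value.

Added example, not from the Cisco guide. The fields this chapter documents
are used as given: the low boot field selects rommon (0x0) or bootflash
(0x1), bit 5 (0x0020) makes CONFIG_FILE recurrent and bit 6 (0x0040)
clears NVRAM. Treating any other boot-field value as "boot from the BOOT
environment variable" is an assumption, and bits outside these fields are
reported rather than interpreted.
"""
BOOT_FIELD_MASK = 0x000F
CONFIG_FILE_RECURRING = 0x0020   # bit 5, documented in this chapter
CLEAR_NVRAM = 0x0040             # bit 6, documented in this chapter
KNOWN_BITS = BOOT_FIELD_MASK | CONFIG_FILE_RECURRING | CLEAR_NVRAM


def decode_config_register(value):
    """Return the documented fields of a 16-bit configuration register."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "rommon"
    elif boot_field == 0x1:
        boot = "bootflash"
    else:
        boot = "system"          # assumption: image named by the BOOT variable
    return {
        "boot": boot,
        "config_file_recurring": bool(value & CONFIG_FILE_RECURRING),
        "clear_nvram": bool(value & CLEAR_NVRAM),
        "other_bits": value & ~KNOWN_BITS & 0xFFFF,
    }


def audit_config_register(value):
    """Return the findings a reviewer would raise for a production switch."""
    fields = decode_config_register(value)
    findings = []
    if fields["clear_nvram"]:
        findings.append("bit 6 set: NVRAM, passwords included, is wiped at the next boot")
    if fields["boot"] == "rommon":
        findings.append("boot field 0x0: the switch stops in ROM monitor and never comes up on the network")
    if fields["config_file_recurring"]:
        findings.append("bit 5 set: the CONFIG_FILE file replaces NVRAM on every boot; protect it like NVRAM")
    if fields["other_bits"]:
        findings.append("bits 0x%04x are outside the fields documented here; check them against the command reference"
                        % fields["other_bits"])
    return findings


if __name__ == "__main__":
    for reg in (0x0001, 0x0040, 0x0022, 0x0122):
        print("0x%04x" % reg, decode_config_register(reg), audit_config_register(reg))
```

A value of 0x0001 (boot from bootflash, no option bits) audits clean; 0x0040 is the combination to look for after an unexplained reload, since it both clears NVRAM and leaves the switch in the ROM monitor.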
  • Page 424: Setting The Switch To Ignore The Nvram Configuration

    Setting the Configuration Register
    To set the switch to retain the current CONFIG_FILE environment variable indefinitely, perform this task in privileged mode:
    Task: Set the switch to retain the current CONFIG_FILE environment variable indefinitely. Command: set boot config-register auto-config
  • Page 425: Setting The Boot Environment Variable

    Setting the BOOT Environment Variable
    These sections describe how to modify the BOOT environment variable:
    • Setting the BOOT Environment Variable, page 28-7
    • Clearing the BOOT Environment Variable Settings, page 28-7
    •...
  • Page 426: Setting And Clearing The Config_File Environment Variable

    Setting and Clearing the CONFIG_FILE Environment Variable
    These sections describe how to set and clear the CONFIG_FILE environment variable: ...
    Note: For more information about using configuration files, see Chapter 31, "Working with Configuration Files."
  • Page 427: Displaying The Switch Boot Configuration

    Displaying the Switch Boot Configuration
    To display the current configuration register, BOOT environment variable, and CONFIG_FILE environment variable settings, perform this task in privileged mode:
    Task: Display the current configuration register, BOOT environment variable, and CONFIG_FILE environment variable settings. Command: show boot [mod_num]
  • Page 429: Chapter 29 Working With System Software Images

    C H A P T E R Working with System Software Images This chapter describes how to work with system software image files on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 430: Understanding How Tftp Software Image Downloads Work

    Downloading System Software Images to the Switch Using TFTP
    • Downloading Supervisor Engine Images Using TFTP, page 29-2
    • Example TFTP Download Procedures, page 29-3
    Understanding How TFTP Software Image Downloads Work
    You can download system software images to the switch using the Trivial File Transfer Protocol (TFTP). TFTP allows you to download system image files over the network from a TFTP server. TFTP itself provides no authentication and no integrity check, so anything able to intercept traffic between the switch and the server can hand the switch a different image; run downloads over a trusted management network only, and compare the length that dir reports for the copied file with the size of the release file before booting it.
  • Page 431: Example Tftp Download Procedures

    Chapter 29 Working with System Software Images Downloading System Software Images to the Switch Using TFTP Note The Catalyst 4000 family, 2948G, and 2980G switches have only one Flash device (bootflash). The switch downloads the image file from the TFTP server, and the image is copied to the bootflash. The switch remains operational while the image downloads.
  • Page 432 Downloading System Software Images to the Switch Using TFTP
    Copyright (c) 1994-1997 by cisco Systems, Inc.
    Presto processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat4000.6-1-1.bin"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    CCCCCCCCCCCCCCCCCCC
    Uncompressing file:...
  • Page 433: Uploading System Software Images To A Tftp Server

    Uploading System Software Images to a TFTP Server
    These sections describe how to upload system software images from a switch to a TFTP server:
    • Preparing to Upload an Image to a TFTP Server, page 29-5
    • Uploading Software Images to a TFTP Server, page 29-5
    •...
  • Page 434: Downloading System Software Images To The Switch Using Rcp

    Chapter 29 Working with System Software Images Downloading System Software Images to the Switch Using rcp Downloading System Software Images to the Switch Using rcp These sections describe how to download system software images to the switch supervisor engine and to intelligent modules using rcp: •...
  • Page 435: Sample Rcp Download Procedures

    Do you want to continue (y/n) [n]? y
    Console> (enable) 07/21/2000,13:51:39:SYS-5:System reset from Console//
    System Bootstrap, Version 3.1(2)
    Copyright (c) 1994-1997 by cisco Systems, Inc.
    Presto processor with 32768 Kbytes of main memory
  • Page 436
    EARL RAM Test ....Passed
    EARL Serial Prom Test ..Passed
    Level2 Cache ....Present
    Level2 Cache test....Passed
    Boot image: bootflash:cat4000.6-1-1.bin
    Cisco Systems Console
    Enter password:
    07/21/2000,13:52:51:SYS-5:Module 1 is online
    07/21/2000,13:53:11:SYS-5:Module 4 is online
    07/21/2000,13:53:11:SYS-5:Module 5 is online
    07/21/2000,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
  • Page 437: Uploading System Software Images To An Rcp Server

    Uploading System Software Images to an rcp Server
    These sections describe how to upload system software images from a switch to an rcp server:
    • Preparing to Upload an Image to an rcp Server, page 29-9
    • Uploading Software Images to an rcp Server, page 29-9
    •...
  • Page 439: Chapter 30 Using The Flash File System

    C H A P T E R Using the Flash File System This chapter describes how to use the Flash file system on the Catalyst enterprise LAN switches. The Flash file system provides a number of useful commands to help you manage system image and configuration files.
  • Page 440: Setting The Text File Configuration Mode

    Using the Flash File System
    To set the default Flash device, perform this task:
    Step 1: Set the default Flash device for the system. Command: cd [[m/][bootflash:]]
    Step 2: Verify the default Flash device for the system. Command: pwd [mod_num]
    This example shows how to change the default Flash device to bootflash: and verify the default device: Console>...
  • Page 441: Listing The Files On A Flash Device

    Using the Flash File System
    System configuration file set to: nvram
    The nvram file will be used for configuration during the next bootup.
    Console> (enable) show config mode
    System configuration mode set to text.
    System configuration file set to nvram.
  • Page 442: Displaying The Contents Of A File On A Flash Device

    Using the Flash File System
    This example shows how to list the files on the default Flash device:
    Console> (enable) dir
    -#- -length- -----date/time------ name
        3846376 Jun 14 2000 14:13:10 cat4000-k4.6-1-0-104-ORL.bin
        3761580 Jun 14 2000 14:16:05 cat4000.6-1-0-104-ORL.bin
    3795052 bytes available (7608212 bytes used)
    Console>...
  • Page 443 Using the Flash File System
    To copy a file, perform one of these tasks in privileged mode:
    Task: Copy a Flash file to a TFTP server, Flash memory, or to the running configuration. Command: copy file-id {tftp | rcp | flash | file-id | config}
  • Page 444: Deleting Files

    Using the Flash File System
    Upload configuration to bootflash:4012_config.cfg
    9942096 bytes available on device bootflash, proceed (y/n) [n]? y
    ......
    Configuration has been copied successfully.
    Console> (enable)
    This example shows how to upload a configuration file on bootflash to a TFTP server: Console>...
  • Page 445: Restoring Deleted Files

    Using the Flash File System
    This example shows how to permanently remove all deleted files from a Flash device:
    Console> (enable) squeeze bootflash:
    All deleted files will be removed, proceed (y/n) [n]? y
    Squeeze operation may take a while, proceed (y/n) [n]? y
    Erasing squeeze log
    Console>...
    Until you squeeze the device, a deleted file still occupies the Flash and can be restored (see "Restoring Deleted Files"), so squeeze after deleting any file that holds credentials, such as an old configuration file, rather than relying on delete alone.
  • Page 447: Chapter 31 Working With Configuration Files

    C H A P T E R Working with Configuration Files This chapter describes how to work with switch configuration files on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 448: Creating A Configuration File

    Creating a Configuration File
    If passwords already exist, you cannot include the set password and set enablepass commands, because their interactive password verification fails when they are executed from a file. If you place passwords in the configuration file anyway, the switch attempts to execute each password line as a command as it executes the file. Keep password lines out of files you stage on TFTP or rcp servers in any case; both protocols carry the file in cleartext. Some commands must be followed by a blank line in the configuration file.
  • Page 449: Copying Configuration Files Using Tftp

    Copying Configuration Files Using TFTP
    To configure the switch using a configuration file stored on a Flash device in the Flash file system, follow these steps:
    Step 1: Log into the switch through the console port or a Telnet session.
    Step 2: Locate the configuration file using the cd and dir commands (for more information, see Chapter 30,...
  • Page 450 Copying Configuration Files Using TFTP
    Preparing to Download a Configuration File Using TFTP
    Before you begin downloading a configuration file using TFTP, do the following:
    • Ensure that the workstation acting as the TFTP server is configured properly.
    •...
  • Page 451: Uploading Configuration Files To A Tftp Server

    Uploading Configuration Files to a TFTP Server
    These sections describe how to upload the running configuration or a configuration file stored on a Flash device to a TFTP server: •...
  • Page 452: Copying Configuration Files Using Rcp

    Copying Configuration Files Using rcp
    Remote copy protocol (rcp) provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. rcp uses Transmission Control Protocol (TCP), which is a connection-oriented protocol;... Note that rcp authenticates the switch only by its source address and the username it presents, as listed in the server's .rhosts or hosts.equiv file, and, like TFTP, sends the file in cleartext; confine it to a trusted management network and do not let the rcp account on the server own anything beyond the directory the switch needs.
  • Page 453: Uploading Configuration Files To An Rcp Server

    Copying Configuration Files Using rcp
    This example shows how to configure a switch using a configuration file downloaded from an rcp server:
    Console> (enable) copy rcp config
    IP address or name of remote host []? 172.20.52.3
    Name of file to copy from []? dns-config.cfg
    Configure using rcp:dns-config.cfg (y/n) [n]? y
    Finished network download.
  • Page 454: Clearing The Configuration

    Clearing the Configuration
    This example shows how to upload the running configuration on a switch to an rcp server for storage:
    Console> (enable) copy config rcp
    IP address or name of remote host []? 172.20.52.3
    Name of file to copy to []? cat4000_config.cfg
    Upload configuration to rcp:cat4000_config.cfg, (y/n) [n]? y
    ..
  • Page 455 Clearing the Configuration
    This example shows how to clear the configuration on a specific module:
    Console> (enable) clear config 2
    This command will clear module 2 configuration.
    Do you want to continue (y/n) [n]? y
    ......
  • Page 457: Chapter 32 Configuring Switch Acceleration

    C H A P T E R Configuring Switch Acceleration
    This chapter describes the Backplane Channel module and the switch acceleration feature supported on the Catalyst 4000 family supervisor engine. This chapter consists of these sections:
    • Understanding Switch Acceleration, page 32-1
    • Configuring Switch Acceleration, page 32-3
    •...
  • Page 458: Understanding Switch Acceleration

    Chapter 32 Configuring Switch Acceleration Understanding Switch Acceleration Switch Acceleration Configuration Modes Switch acceleration is supported in different configuration modes. The Supervisor Engine II supports a mesh configuration with no uplink connections. With the Backplane Channel module installed, two additional modes are supported. Figure 32-1 shows the possible configurations.
  • Page 459: Configuring Switch Acceleration

    Chapter 32 Configuring Switch Acceleration Configuring Switch Acceleration Configuring Switch Acceleration By default, switch acceleration is disabled on the Supervisor Engine II. Before you enable switch acceleration, you need to disable the two front-panel Gigabit Ethernet uplink ports on Supervisor Engine II. To enable switch acceleration, perform this task in privileged mode: Task Command...
  • Page 460: Configuring Switch Acceleration

    Backplane Channel Module
    The Backplane Channel module provides the following benefits in the default configuration mode:
    • Full-mesh connection between all three switch engines
    • Multilink load balancing between SE1 and SE2 and between SE2 and SE3
    •...
  • Page 461: Chapter 33 Configuring System Message Logging

    C H A P T E R Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 462 Understanding How System Message Logging Works
    Table 33-1 System Message Log Facilities
      Facility  Definition
      cdp       Cisco Discovery Protocol
      dtp       Dynamic Trunking Protocol
      drip      Dual Ring Protocol
      dvlan     Dynamic VLAN
      earl      Enhanced Address Recognition Logic
      fddi      ...
  • Page 463: System Log Message Format

    System Log Message Format
    Table 33-2 System Message Log Severity Level Definitions
      Level  Keyword        Description
      0      emergencies    System unusable
      1      alerts         Immediate action required
      2      critical       Critical condition
      3      errors         Error conditions
      4      warnings       Warning conditions
      5      notifications  Normal but significant conditions
      6      informational  Informational messages
      ...
  • Page 464: Default System Message Logging Configuration

    Default System Message Logging Configuration
    Table 33-4 describes the default system message logging configuration.
    Table 33-4 Default System Message Logging Configuration
      System message logging to the console: Enabled
      System message logging to Telnet sessions: Enabled
      ...
  • Page 465: Configuring The System Message Logging Levels

    Chapter 33 Configuring System Message Logging Configuring System Message Logging When you disable or enable logging to console sessions, the enable state is applied to all future console sessions. For example, if you disable logging to the console, disconnect from the console port, and later reconnect, logging is still disabled for the console.
  • Page 466: Changing The Logging Timestamp Enable State

    Configuring System Message Logging
    To change the system message logging severity level setting for a logging facility, perform this task in privileged mode:
    Step 1: Set the severity level for logging facilities. Command: set logging level {all | facility} severity [default]
    Step 2: Verify the system message logging configuration.
  • Page 467: Configuring The Syslog Daemon On A Unix Syslog Server

    Configuring the syslog Daemon on a UNIX syslog Server
    Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Syslog from the switch is plain UDP with no authentication, so the daemon should accept messages only from the addresses of your switches, and the log file should be writable by root alone. Log in as root, and perform these steps:
    Step 1: Add a line such as the following to the file /etc/syslog.conf: myfile.log...
  • Page 468: Displaying The Logging Configuration

    Configuring System Message Logging
    This example shows how to specify a syslog server, set the facility and severity levels, and enable logging to the server:
    Console> (enable) set logging server 10.10.10.100
    10.10.10.100 added to System logging server table.
    Console>...
  • Page 469: Displaying System Messages

    Configuring System Message Logging
    This example shows how to display the current system message logging configuration:
    Console> (enable) show logging
    Logging buffer size:
    timestamp option:      disabled
    Logging history size:
    Logging console:       enabled
    Logging server:        enabled {syslog.bigcorp.com}
    server facility:...
    With the timestamp option disabled, as here, messages carry no switch time and can be ordered only by the server's arrival time; enable timestamps (see "Changing the Logging Timestamp Enable State") together with NTP if you need to correlate the switch log with other devices.
  • Page 470 Configuring System Message Logging
    To display the messages in the switch logging buffer, perform one of these tasks:
    Task: Display the first number_of_messages messages in the buffer. Command: show logging buffer [number_of_messages]
    Task: Display the last number_of_messages messages in the buffer. Command: show logging buffer -[number_of_messages]
  • Page 471: Chapter 34 Configuring Dns

    C H A P T E R Configuring DNS This chapter describes how to configure the Domain Name System (DNS) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 472: Configuring Dns

    Configuring DNS
    The following sections describe how to configure DNS:
    • Setting Up and Enabling DNS, page 34-2
    • Clearing a DNS Server, page 34-3
    • Clearing the DNS Domain Name, page 34-3
    • Disabling DNS, page 34-3
    •...
  • Page 473: Clearing A Dns Server

    Clearing a DNS Server
    To clear DNS servers from the DNS server table, perform this task in privileged mode:
    Step 1: Remove one or all of the DNS servers from the table. Command: clear ip dns server [ip_addr | all]
  • Page 475: Chapter 35 Configuring Ntp

    C H A P T E R Configuring NTP This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
  • Page 476: Default Ntp Configuration

    Cisco's implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that you obtain the time service for your network from the public NTP servers available on the IP Internet. Whichever source you use, the switch stamps its log and accounting records with this clock, so take time only from servers you trust and enable NTP authentication (described later in this chapter) where the server supports it.
  • Page 477: Configuring Ntp In Broadcast-Client Mode

    Configuring NTP in Broadcast-Client Mode
    Configure the switch in NTP broadcast-client mode if an NTP broadcast server, such as a router, regularly broadcasts time-of-day information on the network. To compensate for any server-to-client packet latency, you can specify an NTP broadcast delay (a time adjustment factor for the receiving of broadcast packets by the switch). A broadcast client with authentication disabled accepts time from any host on the segment that sends NTP broadcasts, so an attacker on that VLAN can skew the switch clock and with it every timestamp in the log buffer and the accounting records; outside a closed management network, use client mode to known servers or enable authentication.
  • Page 478: Configuring Authentication In Client Mode

    Configuring NTP
    This example shows how to configure the NTP server address, enable NTP client mode on the switch, and verify the configuration:
    Console> (enable) set ntp server 172.20.52.65
    NTP server 172.20.52.65 added.
    Console> (enable) set ntp client enable
    NTP Client mode enabled
    Console>...
  • Page 479: Setting The Time Zone

    Configuring NTP
    This example shows how to configure the NTP server address, enable NTP client and authentication modes on the switch, and verify the configuration:
    Console> (enable) set ntp server 172.20.52.65 key 879
    NTP server 172.20.52.65 with key 879 added.
    Console>...
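What key 879 buys in the example above is a keyed MD5 digest on every packet, which is also what the unauthenticated broadcast-client mode described earlier in this chapter lacks. The following is an added example, not code from the Cisco guide, that builds an NTP version 3 client packet, appends the key identifier and MD5(key || header) as the protocol specifies, and verifies it the way a client does: unknown key identifier, modified packet, or missing authenticator all fail. Key 879 is the identifier from the guide's example; the key string, the trusted-key table and all packet contents are constructed.

```python
"""NTP symmetric-key (MD5) authentication, as used in authenticated client mode.

Added example, not from the Cisco guide. NTP version 3 authentication
appends a 4-byte key identifier and MD5(key || 48-byte header) to the
packet; the receiver recomputes the digest under the key it trusts for
that identifier and drops the packet on any mismatch. Key 879 is the
identifier used in the guide's example; the key string, the trusted-key
table and the packet fields below are constructed.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
MAC_LEN = 4 + 16                    # key identifier + MD5 digest

# Constructed: the switch-side trusted-key table that set ntp key loads.
TRUSTED_KEYS = {879: b"s3cret-ntp-key"}


def build_client_header(transmit_ts):
    """Build a minimal NTPv3 client header (LI=0, VN=3, mode=3)."""
    first = (0 << 6) | (3 << 3) | 3
    fixed = struct.pack("!BBbb", first, 0, 6, -20)       # stratum, poll, precision
    fixed += struct.pack("!II4s", 0, 0, b"\0\0\0\0")     # root delay/dispersion, ref id
    fixed += b"\0" * 24                                   # reference/origin/receive stamps
    return fixed + struct.pack("!Q", transmit_ts)         # transmit timestamp


def sign(header, key_id, key):
    """Append key id and MD5(key || header), as an NTPv3 server would."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted=TRUSTED_KEYS):
    """Accept only packets carrying a valid MAC under a trusted key id."""
    if len(packet) != HEADER_LEN + MAC_LEN:        # unauthenticated or malformed
        return False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted.get(key_id)
    if key is None:                                 # identifier not trusted
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """Return (authentic, tampered, wrong_key_id, unauthenticated) verdicts."""
    pkt = sign(build_client_header(0xC3A57B0000000000), 879, TRUSTED_KEYS[879])
    tampered = pkt[:47] + bytes([pkt[47] ^ 0x01]) + pkt[48:]   # flip one timestamp bit
    wrong_id = pkt[:48] + struct.pack("!I", 880) + pkt[52:]    # key 880 is not trusted
    return verify(pkt), verify(tampered), verify(wrong_id), verify(pkt[:48])


if __name__ == "__main__":
    print("authentic, tampered, wrong key id, no authenticator:", demo())
```

MD5(key || message) is the construction NTP version 3 specifies; it is not an HMAC and MD5 is not a choice you would make today, but it is still what separates "time from the host I configured with this key" from the broadcast that any host on the VLAN can send. The key itself never crosses the wire; it lives in the switch configuration, which is one more reason to keep configuration files off cleartext TFTP and rcp servers.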
  • Page 480 Configuring NTP
    To enable the daylight saving time clock adjustment following the U.S. rules, perform this task in privileged mode:
    Step 1: Enable the daylight saving time clock adjustment. Commands: set summertime enable [zone_name]; set summertime recurring
    Step 2: Verify the configuration.
  • Page 481: Disabling The Daylight Saving Time Adjustment

    Configuring NTP
    Offset: 1440 minutes (1 day)
    Recurring: no
    Console> (enable)
    Disabling the Daylight Saving Time Adjustment
    To disable the daylight saving time clock adjustment, perform this task in privileged mode:
    Step 1: Disable the daylight saving time clock adjustment. Command: set summertime disable [zone_name]
  • Page 482: Disabling Ntp

    Disabling NTP
    To disable NTP broadcast-client mode on the switch, perform this task in privileged mode:
    Step 1: Disable NTP broadcast-client mode. Command: set ntp broadcastclient disable
    Step 2: Verify the NTP configuration. Command: show ntp [noalias]
    This example shows how to disable NTP client mode on the switch: Console>...
  • Page 483: Appendix

    P A R T Appendix...
  • Page 485: A Acronyms

    A P P E N D I X Acronyms This appendix defines the acronyms used in this publication. ATM adaptation layer access control entry add-drop multiplexer Authority and Format Identifier active monitor present automated packet recognition/translation APaRT Address Resolution Protocol ATM switch processor Asynchronous Transfer Mode Bridge Protocol Data Unit...
  • Page 486: Appendix A Acronym

    Appendix A Acronyms content-addressable memory column address strobe constant bit rate Copper Data Distributed Interface CDDI Cisco Discovery Protocol Cisco Group Management Protocol CGMP command-line interface Common Open Policy Service COPS class of service Cyclic Redundancy Check Concentrator Relay Function...
  • Page 487 Appendix A Acronyms Enhanced Address Recognition Logic EARL European Computer Manufacturers Association ECMA electrically erasable programmable read-only memory EEPROM Electronic Industries Association emulated local area network ELAN end-system identifier frame check sequence FDDI Fiber Distributed Data Interface full duplex Fast Simple Server Redundancy Protocol FSSRP foil twisted-pair General Attribute Registration Protocol...
  • Page 488 Appendix A Acronyms International Code Designator Internet Control Message Protocol ICMP Initial Domain Part Internet Group Management Protocol IGMP Integrated Local Management Interface ILMI initial microprogram load IMPL Internet Protocol interprocessor communication Internetwork Packet Exchange Inter-Switch Link International Organization of Standardization Key Distribution Center local area network LAN Emulation...
  • Page 489 Appendix A Acronyms LAN emulation server logical link control Media Access Control Manufacturing Automation Protocol maximum burst size Master Communication Processor Management Information Base media-independent interface multilayer switching Multilayer Switching Protocol MLSP multilayer switching-route processor MLS-RP multi-mode Maintenance Operation Protocol message-of-the-day MOTD Multiprotocol over ATM client...
  • Page 490 Appendix A Acronyms NetFlow Feature Card NFFC Enhanced NetFlow Feature Card NFFC II Netflow LAN Switching NFLS Next Hop Client Next Hop Resolution Protocol NHRP Next Hop Server Network Management Processor Network-Network Interface network service access point NSAP Network Time Protocol nonvolatile ram NVRAM operation, administration, and maintenance...
  • Page 491 Appendix A Acronyms physical layer convergence procedure PLCP physical layer interface module PLIM Point-to-Point Protocol permanent virtual circuit (or permanent virtual connection in ATM terminology) quality of service Remote Authentication Dial-In User Service RADIUS row address strobe RAS-to-CAS delay Remote Copy Protocol Router Group Management Protocol RGMP routing information field...
  • Page 492 Appendix A Acronyms Serial Control Protocol sustainable cell rate Session Description Protocol search engine Serial Line Internet Protocol SLIP single-mode standby monitor present station management System Network Architecture Subnetwork Access Protocol SNAP Simple Network Management Protocol SNMP Switched Port Analyzer SPAN source-route bridging source-route transparent bridging...
  • Page 493 Appendix A Acronyms type of service Token Ring Bridge Relay Function TrBRF Token Ring Concentrator Relay Function TrCRF token rotation timer time to live teletype universal asynchronous receiver/transmitter UART unspecified bit rate Unidirectional Link Detection Protocol UDLD User Datagram Protocol User-Network Interface Coordinated Universal Time Variable Bit Rate...
  • Page 494 Appendix A Acronyms VLAN Query Protocol VLAN Trunk Protocol Weighted Random Early Detect WRED Weighted Round Robin
  • Page 495: I N D E X

    I N D E X aliases Numerics See command aliases; IP aliases 10/100 port speed, setting aliases, command 802.1Q example 11-8, 11-18 configuring entries 26-7 mapping VLANs to ISL 10-5 attempts, limiting telnet 27-12 overview 11-1 audience xxiii restrictions 11-4 authentication supported switches (table) 11-4...
  • Page 496 26-9 MAC addresses Cisco Discovery Protocol 7-12 PVST+ See CDP 7-14 bridge protocol data units Cisco Group Management Protocol See BPDUs See CGMP CiscoWorks2000 23-13 classification frames 14-3 Classless InterDomain Routing Catalyst 2948G switches, overview (table)
  • Page 497 Index designating VLANs establishing connections help monitoring user sessions 19-7 history substitution SLIP and operating system message logging settings 33-5 clock, setting 26-4 conventions, document xxvi command aliases creating configuring default switch values 26-5 14-5 using drop thresholds command line interface mapping 14-6 See CLI...
  • Page 498 CoS mapping 14-6 default configuration transmit queue 14-3 displaying PAgP statistics 6-11 displaying statistics 6-10 non-Cisco devices and 11-3 EtherChannel IDs overview 11-2 example configuration 11-8 duplex mode frame distribution Fast Ethernet hardware support Dynamic Host Configuration Protocol...
  • Page 499 Index See protocol filtering forward delay timer 7-30 setting port duplex frame classification setting port name overview 14-3 setting port priority frame distribution, EtherChannel setting port speed examples, general conventions xxvi GARP Multicast Registration Protocol See GMRP Fast EtherChannel GARP timers example 6-11 setting...
  • Page 500 Index software requirements images 15-9 viewing statistics 15-14 See software images; system images GVRP in-band (sc0) interface clearing statistics See sc0 interface 13-8 configuring registration 13-5 inferior BPDUs, BackboneFast and 8-11 disabling interfaces 13-8 enabling me1 (out-of-band management) 13-3 3-4, 3-6 registration 13-5 sc0 (in-band)
  • Page 501 Index overview 15-1 router ports and 15-16 Layer 2 traceroute See also multicast groups; multicast routers utility 19-10 IP permit list leave processing, CGMP adding addresses 17-2 disabling 15-8 clearing entries 17-4 enabling 15-5 default configuration 17-2 limiting telnet attempts 27-12 disabling 17-4...
  • Page 502 Index configuring Ethernet 4-1, 18-1 configuring Fast Ethernet 4-1, 6-1, 18-1 MAC addresses configuring Gigabit Ethernet allocating 7-12 configuring supervisor engine blocking 16-1 designating on command-line bridge identifiers 7-12 Ethernet designating configuring port security and 16-1 Gigabit Ethernet management interfaces configuring overview modules, switch fabric accelerator...
  • Page 503 Index NFFC/NFFC II passwords IGMP snooping and 15-4 recovering lost 27-16 protocol filtering and setting enable 18-1 27-15 permit lists SPAN, configuring 25-1 See IP permit lists normal mode, switch CLI ping executing 19-9 clearing time zone 35-7 overview 19-8 configuring broadcast-client mode 35-3 testing connectivity...
  • Page 504 Index port security prompt clearing MAC addresses 16-5 configuring 26-2 configuration guidelines overview 16-3 26-1 configuring protocol filtering 16-1 to 16-9 specifying age time 16-5 configuring 18-3 specifying secure MAC addresses default configuration 16-4 18-2 specifying security violation action overview 16-6 18-1 specifying shutdown time...
  • Page 505 Index Quality of Service Remote Copy Protocol See QoS See rcp Remote Monitoring See RMON Remote Switched Port Analyzer See RSPAN RADIUS report, system status 26-16 configuration guidelines 27-59 Reverse Address Resolution Protocol overview 27-56, 27-58 See RARP RADIUS accounting RMON accounting events 27-56...
  • Page 506 Index running configuration software images downloading via rcp 31-6 downloading using rcp 29-6 downloading using TFTP 29-2 supervisor engine, description uploading to rcp server 29-9 uploading to TFTP server 29-5 sc0 interface SPAN assigning IP address configuration guidelines 25-5 configuring configuring 25-6 DHCP and...
  • Page 507 Index Switched Port Analyzer BPDUs and See SPAN forward delay timer switch management interfaces 7-31 hello time See me1 interface; sc0 interface; sl0 interface 7-31 MAC address allocation 7-12 switch TopN reports maximum age timer background option 7-31 21-2 overview foreground execution 21-2, 21-3 PortFast, configuring...
  • Page 508 Index system message logging TACACS+ authentication changing enable state timestamp 33-6 configuration guidelines 27-11 configuring default configuration 33-4 27-10 configuring daemon disabling 33-7 27-22 configuring syslog daemon 33-7 enabling 27-18 default configuration example configuration 33-4 27-47 displaying configuration login attempts allowed 33-8 27-20 displaying message log...
  • Page 509 Index configuring hello time 7-30 configuring maximum aging time 7-30 UDLD GARP 13-6, 15-13 default configuration 22-3 login 19-6 disabling globally 22-4 time zone disabling on ports 22-4 clearing 35-7 displaying configuration 22-6 setting 35-5 enabling aggressive mode 22-5 TopN reports enabling globally 22-3 See switch TopN reports...
  • Page 510 Index VLANs allowed on trunk 11-6 configuration guidelines assigning ports to configuring client 10-4 assigning to ports configuring server 10-4 configuration guidelines 10-3 configuring transparent mode default configuration default configuration 10-3 deleting disabling 10-7 designating on command-line domains Ethernet 10-4 monitoring 9-10 in-band (sc0) interface assignment...

This manual is also suitable for:

Catalyst 4000 series, Catalyst 2948G, Catalyst 2980G