Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide Release 8.2GLX Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7815908=...
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
Cisco.com xxix Documentation CD-ROM xxix Ordering Documentation xxix Documentation Feedback Obtaining Technical Assistance Cisco TAC Website Opening a TAC Case TAC Case Priority Definitions xxxi Obtaining Additional Publications and Information xxxi Product Overview C H A P T E R...
Contents Completing a Partial Command Scrolling Through Command Output Using Command Aliases Specifying Modules, Ports, and VLANs Specifying MAC Addresses Specifying IP Addresses, Host Names, and IP Aliases ROM Monitor CLI Example of a Catalyst 4003 Bootup Display CHAPTER Configuring the Switch IP Address and Default Gateway Understanding How the Switch Management Interfaces Work Understanding How Automatic IP Configuration Works...
Contents Checking Ethernet and Fast Ethernet Port Connectivity CHAPTER Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Understanding How Gigabit Ethernet Flow Control Works Understanding How Port Negotiation Works Understanding How Oversubscribed Gigabit Ethernet Works Default Gigabit Ethernet Configuration Configuring Gigabit Ethernet Ports Assigning Gigabit Ethernet Port Names...
Contents EtherChannel Configuration Examples 6-12 Configuration Example of a Four-Port Fast EtherChannel 6-12 Configuration Example of a Two-Port Gigabit EtherChannel 6-14 Understanding LACP 6-16 LACP Modes 6-16 LACP Parameters 6-17 Configuring EtherChannel Using LACP 6-18 Specifying the EtherChannel Protocol 6-18 Specifying the System Priority 6-19 Specifying the Port Priority...
Contents MST Configuration 7-18 MST Region 7-19 Message Age and Hop Count 7-21 MST-to-PVST+ Interoperability 7-21 Understanding How BPDU Skewing Works 7-22 Using PVST+ 7-22 Default PVST+ Configuration 7-22 Setting the PVST+ Bridge ID Priority 7-23 Configuring the PVST+ Port Cost 7-25 Configuring PVST+ Port Priority 7-25...
Contents CHAPTER Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Understanding How PortFast Works Understanding How PortFast BPDU Guard Works Understanding How PortFast BPDU Filtering Works Understanding How UplinkFast Works Understanding How BackboneFast Works Understanding How Loop Guard Works Configuring PortFast...
Contents VTP Version 1 and Version 2 Configuration Guidelines Configuring VTP Version 1 and Version 2 Configuring a VTP Server Configuring a VTP Client Configuring VTP (VTP Transparent Mode) Disabling VTP Using the Off Mode Enabling VTP Version 2 Disabling VTP Version 2 9-10 Enabling VTP Pruning 9-11...
Contents Deleting a VLAN 10-12 Configuring Auxiliary VLANs 10-13 Understanding Auxiliary VLANs 10-13 Configuring Private VLANs 10-16 Private VLAN Configuration Guidelines 10-17 Creating a Private VLAN 10-19 Viewing the Port Capability of a Private VLAN Port 10-22 Deleting a Private VLAN 10-22 Deleting an Isolated or Community VLAN 10-23...
Contents Maintaining VMPS 12-9 Configuring Static Ports 12-10 Troubleshooting VMPS and Dynamic Port VLAN Membership 12-10 Troubleshooting VMPS 12-11 Troubleshooting Dynamic Ports 12-11 VMPS Example 12-11 Dynamic Port VLAN Membership with Auxiliary VLANs 12-14 Configuration Guidelines 12-14 Configuring Dynamic Port VLAN Membership with Auxiliary VLANs 12-14 Configuring GVRP 13-1...
Contents Reverting to the Default Switch CoS Value 14-5 Mapping CoS Values to Transmit Queues and Drop Thresholds 14-6 Reverting to the Default CoS-to-Transmit Queue and Drop Threshold Mapping 14-6 Displaying QoS Information 14-7 Reverting to QoS Defaults 14-7 Disabling QoS 14-7 Configuring Multicast Services 15-1...
Contents CHAPTER Configuring the IP Permit List 18-1 Understanding How the IP Permit List Works 18-1 IP Permit List Default Configuration 18-2 Configuring the IP Permit List on the Switch 18-2 Adding IP Addresses to the IP Permit List 18-2 Enabling the IP Permit List 18-3...
Contents Default CDP Configuration 21-1 Configuring CDP on the Switch 21-2 Setting the CDP Global Enable State 21-2 Setting the CDP Enable State on a Port 21-2 Setting the CDP Message Interval 21-4 Setting the CDP Holdtime 21-4 Displaying CDP Neighbor Information 21-5 Using Switch TopN Reports 22-1...
Contents Configuring SNMPv1 and SNMPv2c from the CLI 24-9 SNMPv1 and SNMPv2c Enhancements in Software Release 7.5(1) 24-10 Configuring SNMPv3 from the CLI 24-14 Using CiscoWorks2000 24-17 CHAPTER Configuring RMON 25-1 Understanding How RMON Works 25-1 Enabling RMON 25-2...
Creating a Login Banner 27-4 Configuring a Login Banner 27-4 Clearing the Login Banner 27-5 Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner 27-5 Defining and Using Command Aliases 27-6 Defining and Using IP Aliases 27-7 Configuring Permanent and Static ARP Entries...
Contents Configuring PoE 28-18 Setting the Power Mode of a Port or Group of Ports 28-18 Setting the Default Power Allocation for a Port 28-19 Displaying the Power Status for Modules and Individual Ports 28-19 CHAPTER Configuring VoIP 29-1 Hardware and Software Requirements 29-1 Overview of IP Phones...
Contents Understanding How Accounting Works 30-47 Accounting Overview 30-47 Accounting Events 30-47 Specifying When to Create Accounting Records 30-48 Specifying RADIUS Servers 30-48 Updating the Server 30-49 Suppressing Accounting 30-49 Configuring Accounting 30-49 Accounting Default Configuration 30-49 Accounting Configuration Guidelines 30-50 Configuring Accounting 30-50...
Contents Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets 31-15 Setting the Back-End Authenticator-to-Host Frame-Retransmission Number 31-16 Setting the Shutdown Timeout Period 31-16 Setting the Back-End Authenticator-to-Host Frame-Retransmission Number 31-16 Setting the Back-End Authenticator-to-Host Frame-Retransmission Number 31-17 Resetting the 802.1x Configuration Parameters to the Default Values 31-17 Setting the Trace Severity 31-18...
Contents Uploading Software Images to a TFTP Server 33-5 Downloading System Software Images to the Switch Using rcp 33-5 Understanding How rcp Software Image Downloads Work 33-6 Preparing to Download an Image Using rcp 33-6 Downloading Supervisor Engine Images Using rcp 33-6 Sample rcp Download Procedures 33-7...
Contents Displaying Switch-Acceleration Information 36-3 Backplane Channel Module 36-4 CHAPTER Configuring System Message Logging 37-1 Understanding How System Message Logging Works 37-1 System Log Message Format 37-3 Default System Message Logging Configuration 37-3 System Log Message Format 37-4 Configuring System Message Logging on the Switch 37-4...
Contents Clearing the Time Zone 39-7 Clearing NTP Servers 39-7 Disabling NTP 39-8 APPENDIX Acronyms INDEX — Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide Release 8.2GLX xxiii 78-15908-01...
Preface This preface describes who should read the Software Configuration Guide, how it is organized, and its document conventions. Audience This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst enterprise LAN switches. Organization This publication is organized as follows: Chapter Title Description...
Chapter 14 Configuring QoS Describes how to configure quality of service (QoS). Chapter 15 Configuring Multicast Services Describes how to configure Cisco Group Management Protocol (CGMP), Internet Group Management Protocol (IGMP) snooping, and GARP Multicast Registration Protocol (GMRP) on the switch.
Preface Related Documentation Chapter Title Description Chapter 27 Administering the Switch Describes how to set the system name, create a login banner, and perform other administrative tasks on the switch. Chapter 28 Power Management Describes power management on the Catalyst 4000 series switches and the Catalyst 4500 series switches, and explains how to configure inline power.
Preface Conventions • System Message Guide—Catalyst 6500 Series, Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches • Release Notes for Catalyst 4500 Series Supervisor Engine Software Release 8.x Conventions Throughout this publication, these conventions are used in reference to switch platforms: Catalyst enterprise LAN switches—Refers to the Catalyst 4000 series and Catalyst 4500 series •...
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
24 hours a day, 365 days a year. Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.com/RPF/register/register.do...
TAC Case Priority Definitions To ensure that all cases are reported in a standard format, Cisco has established case priority definitions. Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Preface Obtaining Additional Publications and Information • iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets.
CHAPTER Product Overview The Catalyst enterprise LAN switches facilitate the migration from traditional shared-hub LANs to large-scale, fully integrated internetworks. These switches provide switched connections to individual workstations, servers, LAN segments, backbones, or other switches, using a variety of media. This chapter consists of these sections: Catalyst 4000 and Catalyst 4500 Series Switches, page 1-1 •...
Chapter 1 Product Overview Supervisor Engine Software The Catalyst enterprise LAN switches share a command-line interface (CLI) with which you can configure modules and ports on the switches. For more information, see Chapter 2, “Using the Command-Line Interface.” For descriptions of the available CLI commands, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
For descriptions of the commands that are used to configure the Route Switch Module (RSM) and Route Switch Feature Card (RSFC), refer to the Cisco IOS software command reference publications. This chapter consists of these sections: •...
“Example of a Catalyst 4003 Bootup Display” section on page 2-9). If the switch is already booted, press Enter to see this display: Cisco Systems, Inc. Console Enter password: After you successfully connect to the switch through the console port, you can use normal-mode commands to monitor the switch or enter privileged mode to change the configuration.
Trying 172.16.10.10... Connected to Catalyst_1. Escape character is '^]'. Cisco Systems Console Enter password: After you successfully connect to the switch using Telnet, you can use normal-mode commands to monitor the switch or enter privileged mode to change the configuration.
Step 3 To disconnect from the switch CLI, enter the exit command. Console> exit Session Disconnected... Cisco Systems Console Fri Aug 27 1999, 16:14:41 Enter password: Many commands (for example, commands that modify the configuration) can be used only in privileged mode.
Chapter 2 Using the Command-Line Interface Command-Line Editing
  permit       Set IP Permit List
  redirect     Set ICMP redirect enable/disable
  route        Set IP routing table entry
  unreachable  Set ICMP unreachable messages
Console> (enable) set ip
Note The system repeats the command that you entered without the question mark (?). To use the partial-keyword-lookup function, enter ? to display a list of commands that begin with a specific set of characters.
Chapter 2 Using the Command-Line Interface History Substitution The history buffer stores the last 20 commands that you entered during a terminal session. History substitution allows you to repeat these commands using special abbreviated commands that are similar to those used on the UNIX command line.
Chapter 2 Using the Command-Line Interface Using Command Aliases
Task                           Keystrokes
To scroll down one line        Press the Return key
To scroll down one screen      Press the Spacebar
To quit from the More program  Press the Q key
Using Command Aliases Aliases are not case sensitive;...
Chapter 2 Using the Command-Line Interface Specifying MAC Addresses
Table 2-4 Designating Ports and Port Ranges
Example        Function
2/1            Specifies port 1 on module 2
3/4-8          Specifies ports 4, 5, 6, 7, and 8 on module 3
5/2,5/4,6/10   Specifies ports 2 and 4 on module 5 and port 10 on module 6
3/1-2,4/8      Specifies ports 1 and 2 on module 3 and port 8 on module 4
VLANs are identified using the VLAN ID, a single number that is associated with the VLAN.
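Table 2-4 defines the mod_num/port_num designation syntax that the rest of this guide uses in commands such as set port channel and set port name. The following parser is an added example, not code from the Cisco guide: it expands a designation string into explicit (module, port) pairs and collapses them back, rejecting malformed or descending ranges so that a typo in an automation script fails loudly rather than silently acting on the wrong ports. The module and port numbering is assumed to be purely numeric, as in the table's examples.

```python
import re
from typing import List, Tuple

# One designation item: "mod/port" or "mod/first-last" (syntax from Table 2-4).
_ITEM_RE = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def parse_port_list(spec: str) -> List[Tuple[int, int]]:
    """Expand a Catalyst-style port list such as "3/4-8,5/2,6/10" into
    (module, port) tuples in the order written.

    Raises ValueError on anything that is not in the Table 2-4 syntax,
    including descending ranges like "3/8-4", so a script never applies a
    change to an unintended set of ports.
    """
    ports: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"malformed port designation: {item!r}")
        module, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {item!r}")
        ports.extend((module, p) for p in range(first, last + 1))
    return ports


def format_port_list(ports: List[Tuple[int, int]]) -> str:
    """Inverse of parse_port_list: sort, deduplicate, and collapse runs of
    consecutive ports on the same module back into "mod/first-last" form."""
    ordered = sorted(set(ports))
    out: List[str] = []
    i = 0
    while i < len(ordered):
        module, start = ordered[i]
        end = start
        # Extend the run while the next entry is the next port on this module.
        while i + 1 < len(ordered) and ordered[i + 1] == (module, end + 1):
            i += 1
            end += 1
        out.append(f"{module}/{start}" if start == end else f"{module}/{start}-{end}")
        i += 1
    return ",".join(out)


if __name__ == "__main__":
    # Constructed inputs taken from the examples in Table 2-4.
    for spec in ("2/1", "3/4-8", "5/2,5/4,6/10", "3/1-2,4/8"):
        expanded = parse_port_list(spec)
        print(f"{spec:14} -> {expanded} -> {format_port_list(expanded)}")
```

Round-tripping through format_port_list is a cheap sanity check before pushing a port_list argument to the switch: if the canonical form does not match what the operator typed, the designation was ambiguous or contained duplicates.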
Chapter 2 Using the Command-Line Interface ROM Monitor CLI ROM Monitor CLI The ROM monitor is a ROM-based program that executes when the switch is powered on, reset, or when a fatal exception occurs. The system enters ROM monitor mode if the nonvolatile RAM (NVRAM) configuration is corrupted, if the switch does not find a valid system image, or if the configuration register is set to enter ROM monitor mode.
IP address for Catalyst not configured BOOTP/DHCP will commence after the ports are online Ports are coming online ... Cisco Systems, Inc. Console Enter password: 1999 Aug 12 14:34:05 %SYS-5-MOD_OK:Module 1 is online 1999 Aug 12 14:34:08 %SYS-5-MOD_OK:Module 3 is online...
CHAPTER Configuring the Switch IP Address and Default Gateway This chapter describes how to configure the IP address, subnet mask, and default gateway on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), and VLAN membership. The out-of-band management interfaces (me1 and sl0) are not connected to the switching fabric and do not participate in any of these functions.
Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding How Automatic IP Configuration Works Note If the CONFIG_FILE environment variable is set, all configuration files are processed before the switch determines whether to broadcast DHCP and RARP requests. For more information about the CONFIG_FILE environment variable, see Chapter 32, “Modifying the Switch Boot Configuration.”...
Chapter 3 Configuring the Switch IP Address and Default Gateway Preparing to Configure the IP Address and Default Gateway
Table 3-1 Supported DHCP Options (continued)
Code  Option
      IP address lease time
      Option overload
      Client-identifier
      TFTP server name
If a BOOTP response is received from a BOOTP server, the switch sets the in-band (sc0) interface IP address to the address that is specified in the BOOTP response.
Chapter 3 Configuring the Switch IP Address and Default Gateway Default IP Address and Default Gateway Configuration – Out-of-band management Ethernet (me1) interface Configure this interface when assigning an IP address and subnet mask to the out-of-band management Ethernet interface on the switch. –...
Chapter 3 Configuring the Switch IP Address and Default Gateway Setting the Management Ethernet (me1) Interface IP Address This example shows how to assign an IP address, specify the number of subnet bits, and specify the VLAN assignment for the in-band (sc0) interface: Console>...
Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring Default Gateways Configuring Default Gateways The supervisor engine sends IP packets that are destined for other IP subnets to the default gateway (typically, a router interface in the same network or subnet as the switch IP address). The switch does not use the IP routing table to forward traffic from connected devices;...
Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring the SLIP (sl0) Interface on the Console Port Console> (enable) show ip route Fragmentation Redirect Unreachable ------------- -------- ----------- enabled enabled enabled The primary gateway: 10.1.1.1 Destination Gateway RouteMask Flags Interface ---------------...
This example shows how to configure SLIP on the console port and verify the configuration: sparc20% telnet 172.20.52.38 Trying 172.20.52.38 ... Connected to 172.20.52.38. Escape character is '^]'. Cisco Systems, Inc. Console Enter password: Console> enable Enter password: Console> (enable) set interface sl0 10.1.1.1 10.1.1.2 Interface sl0 slip and destination address set.
Chapter 3 Configuring the Switch IP Address and Default Gateway Using DHCP or RARP to Obtain an IP Address Configuration Note For complete information on how the switch uses DHCP or RARP to obtain its IP configuration, see the “Understanding How Automatic IP Configuration Works”...
Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address Renewing and Releasing a DHCP-Assigned IP Address If you are using DHCP for IP address assignment, you can perform either of these tasks: •...
CHAPTER Configuring Ethernet and Fast Ethernet Switching This chapter describes how to configure Ethernet and Fast Ethernet switching on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Ethernet and Fast Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet uplink ports.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Default Ethernet and Fast Ethernet Configurations The Catalyst enterprise LAN switches solve congestion problems that are caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps segment.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports
Table 4-1 Ethernet and Fast Ethernet Default Configurations
Feature            Default Value
Port enable state  All ports are enabled
Port name          None
Port priority      Normal
Duplex mode        Autonegotiate speed and duplex for 10/100-Mbps Fast •...
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports This example shows how to set the name for ports 1/1 and 1/2 and how to verify that the port names are configured correctly: Console> (enable) set port name 1/1 Router Connection Port 1/1 name set.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Caution Make sure that the device on the other end of the link is also configured for autonegotiation, or a port speed or duplex mismatch will result. Note If the port speed is set to auto on a 10/100-Mbps Fast Ethernet port, both speed and duplex are autonegotiated.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports Setting Ethernet and Fast Ethernet Port Debounce Timers You can set the port debounce timer on a per-port basis for Ethernet, Fast Ethernet, and Gigabit Ethernet ports.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports This example shows how to display the per-port debounce timer settings: Console> (enable) show port debounce Port Debounce link timer ----- --------------- enable disable Console> (enable) Configuring errdisable State Ethernet and Fast Ethernet Port Timeout Periods A port is in errdisable state if it has been enabled in NVRAM but disabled at runtime by any process.
Chapter 4 Configuring Ethernet and Fast Ethernet Switching Configuring Ethernet and Fast Ethernet Ports This example shows how to display the errdisable timeout configuration:
Console> (enable) show errdisable-timeout
ErrDisable Reason    Timeout Status
-------------------  --------------
bpdu-guard           Enable
channel-misconfig    Disable
duplex-mismatch      Enable
udld                 Enable
other...
CHAPTER Configuring Gigabit Ethernet Switching This chapter describes how to configure Gigabit Ethernet switching on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Gigabit Ethernet switching modules, fixed-configuration switches, and uplink ports on the supervisor engine. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command...
Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Table 5-1 Send Capability by Switch Type, Module, and Ports Switch Type Module Ports Send Catalyst 4000 All modules except WS-X4418-GB All ports except for the Catalyst 4500 and WS-X4412-2GB-T oversubscribed ports listed below Catalyst 4000 WS-X4418-GB...
With Gigabit Ethernet ports, port negotiation is used to exchange flow-control parameters, remote fault information, and duplex information (even though Cisco Gigabit Ethernet ports only support full-duplex mode). With Gigabit Ethernet ports, you configure port negotiation using the set port negotiation command.
Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works Understanding How Oversubscribed Gigabit Ethernet Works The Catalyst 4500 series Gigabit Ethernet modules provide a network-backbone connection for multiple servers or high-end workstations. The following modules are supported: • WS-X4412-2GB-T This 1000BASE-T 14-port module provides 2 dedicated uplink module ports (GBIC) and 12 oversubscribed ports (possible blocking).
Chapter 5 Configuring Gigabit Ethernet Switching Understanding How Gigabit Ethernet Works
Table 5-7 Oversubscribed Port Groupings for Module WS-X4424-GB-RJ45
1, 2, 3, 4
5, 6, 7, 8
9, 10, 11, 12
13, 14, 15, 16
17, 18, 19, 20
21, 22, 23, 24
Table 5-8 shows how the oversubscribed ports are grouped for module WS-X4448-GB-RJ45.
Chapter 5 Configuring Gigabit Ethernet Switching Default Gigabit Ethernet Configuration • The network backbone connection is through a two-port Gigabit EtherChannel trunk link providing 2-Gbps bandwidth. Figure 5-1 Example of a Server Switching Network Topology [figure: backbone network diagram; image not reproduced in this text]
Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet Ports
Table 5-10 Gigabit Ethernet Default Configuration (continued)
Feature                  Default Value
Native VLAN              VLAN 1
Spanning tree port cost
Gigabit EtherChannel     Disabled on all Gigabit Ethernet ports (auto mode)
Configuring Gigabit Ethernet Ports The following sections describe how to configure Gigabit Ethernet switching ports on the Catalyst enterprise LAN switches.
Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet Ports Configuring Gigabit Ethernet Port Priority Levels You can configure the priority level for each port. When two ports simultaneously request access to the switching bus, the switch uses the priority level to determine the order in which the ports get access. To configure the port priority level, perform this task in privileged mode: Task Command...
Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet Ports Enabling Port Negotiation on Gigabit Ethernet Ports Note You cannot enable port negotiation on 1000BASE-T Gigabit Ethernet ports in this release. If a 1000BASE-T GBIC (Gigabit Interface Converter) is inserted in the port that was previously configured as negotiation disabled, the negotiation-disabled setting is ignored and the port operates in negotiation-enabled mode.
Chapter 5 Configuring Gigabit Ethernet Switching Configuring Gigabit Ethernet Ports Checking Gigabit Ethernet Port Connectivity Note For more detailed information on checking connectivity, see Chapter 20, “Checking Status and Connectivity.” Enter the ping and traceroute commands to test connectivity out Gigabit Ethernet ports. To check connectivity out a port, perform this task in privileged mode: Task Command...
CHAPTER Configuring Fast EtherChannel and Gigabit EtherChannel This chapter describes how to configure Fast EtherChannel and Gigabit EtherChannel port bundles on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Fast Ethernet and Gigabit Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet and Gigabit Ethernet uplink ports.
PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches and those switches released by licensed vendors. LACP, which is defined in IEEE 802.3ad, allows Cisco switches to manage Ethernet channeling with devices that conform to the 802.3ad specification.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Guidelines and Restrictions EtherChannel Configuration Guidelines and Restrictions If improperly configured, some EtherChannel ports are disabled automatically to avoid network loops and other problems. Follow the guidelines below to avoid configuration problems. Note Except where noted, these guidelines apply to both PAgP and LACP.
An EtherChannel will not form if protocol filtering is set differently on the ports. • Cisco Discovery Protocol (CDP) runs on the physical port even after the port is added to a channel. • VLAN Trunking Protocol (VTP) and Dual Ring Protocol (DRiP) run on the channel.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Understanding PAgP Understanding PAgP Use the information in the following sections if you are configuring EtherChannel using PAgP. If you are using LACP, see the “Understanding LACP” section on page 6-16. PAgP Modes PAgP facilitates the automatic creation of Fast EtherChannel and Gigabit EtherChannel links by exchanging packets between channel-capable ports.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP Ports can form an EtherChannel when they are in different channel modes as long as the modes are compatible, as follows: • A port in desirable mode can form an EtherChannel successfully with another port that is in desirable or auto mode.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP Creating an EtherChannel You create an EtherChannel port bundle by specifying the ports in the channel and the channeling mode. When you create an EtherChannel, an administrative group number is assigned automatically if one is not already assigned to the specified ports.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP To define an EtherChannel administrative group, perform this task in privileged mode:
Task                                                                  Command
Step 1 Define the administrative group by specifying the ports in the group.   set port channel port_list admin_group
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP Console> (enable) set channel cost 768 12 Port(s) 1/1,1/2 port path cost are updated to 31. Channel 768 cost is set to 12. Warning:channel cost may not be applicable if channel is broken. Console>...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP This example shows how to return a channel to its default configuration and how to verify the configuration: Console> (enable) set port channel 3/5-6 mode auto Port(s) 3/5-6 channel mode set to auto. Console>...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using PAgP Port Port Portfast Port Port priority vlanpri vlanpri-vlans ----- -------- -------- ------- ------------------------------------------------ 32 disabled 32 disabled ----- -------- -------- ------- ------------------------------------------------ Port Group ----- -------- -------- -------- auto-on auto-on auto-on...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples -------- ---------- ---------- ---------- ---------- ---------- ---------- Console> (enable) Displaying EtherChannel PAgP Statistics To display EtherChannel PAgP statistics, perform one of these tasks in privileged mode: Task Command Display EtherChannel PAgP statistics by port. show port channel [mod_num[/port_num]] statistics Display EtherChannel PAgP statistics by...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples Figure 6-1 Example of a Fast EtherChannel Port Bundle Switch A Switch B Fast EtherChannel port bundle To configure a four-port EtherChannel link between two switches, follow these steps: Step 1 Make sure that all ports on Switch A and Switch B have the same port configuration, including VLAN membership, speed, and duplex.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples %PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2 %PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3 %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2 %PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3 %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-4 %PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-4...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel EtherChannel Configuration Examples Figure 6-2 Example of a Gigabit EtherChannel Port Bundle Switch A Switch B Gigabit EtherChannel port bundle To configure a two-port Gigabit EtherChannel link between two switches, follow these steps: Step 1 Make sure that all ports on Switch A and Switch B have the same port configuration, such as VLAN membership.
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Understanding LACP Step 4 After the EtherChannel bundle is negotiated, enter the show port channel command to verify the configuration. If you configure only the ports on one side of the link on, the show port channel command will show that the ports are channeling, but no traffic will pass over the EtherChannel.
Table 6-2 EtherChannel Modes That Use LACP (continued)
Mode: Description
passive (Default): LACP mode that places a port into a passive negotiating state, in which the port responds to LACP packets that it receives but does not initiate LACP packet negotiation.
active: LACP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending LACP packets.
Configuring EtherChannel Using LACP
These sections describe how to configure EtherChannel using LACP:
• Specifying the EtherChannel Protocol, page 6-18
• Specifying the System Priority, page 6-19
• Specifying the Port Priority, page 6-19
•...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using LACP Specifying the System Priority Note Although the set lacp-channel system-priority command is a global option, it applies only to modules on which LACP is enabled; it is ignored on modules running PAgP. The system priority value must be a number in the range of 1–65,535, where higher numbers represent lower priority.
You can assign an administrative key value to a set of ports. If you do not specify an administrative key value, the system automatically selects a value. In both cases, the value can range from 1–1024. If you choose a value for the administrative key, and this value has already been used in the system, then the system moves all the ports that were originally associated with the previously assigned administrative key value to another automatically assigned value, and it assigns the modules and ports...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Configuring EtherChannel Using LACP This example shows how to change the channel mode for ports 4/1 and 4/6, setting it to on. The administrative key for ports 4/1 and 4/6 is unchanged. Console>...
Disabling an EtherChannel
To disable an EtherChannel, perform this task for ports 2/2 to 2/8:
Task: Disable an EtherChannel.
Command: set port lacp-channel mod/port mode off
This example shows how to disable an EtherChannel:
Console>...
Configuring Spanning Tree This chapter describes the IEEE 802.1D bridge Spanning Tree Protocol (STP) and how to use and configure Cisco’s proprietary STPs, Per VLAN Spanning Tree + (PVST+), and Multi-Instance Spanning Tree Protocol (MISTP) on the Catalyst enterprise LAN switches.
Understanding How STPs Work
This section describes the specific functions that are common to all spanning tree protocols. The Cisco proprietary spanning tree protocols, PVST+ and MISTP, are based on the IEEE 802.1D STP. (See the “Understanding How PVST+ and MISTP Modes Work”...
Chapter 7 Configuring Spanning Tree Understanding How STPs Work
The following three things determine the topology of an active switched network:
• The unique switch identifier (MAC address of the switch) that is associated with each switch
• The path cost to the root that is associated with each switch port
•...
Understanding BPDUs
BPDUs contain configuration information about the transmitting switch and its ports, including switch and port MAC addresses, switch priority, port priority, and port cost. Each configuration BPDU contains this information:
• The unique identifier of the switch that the transmitting switch believes to be the root switch
•...
Chapter 7 Configuring Spanning Tree Understanding How STPs Work Table 7-1 Default Port Cost Values Using the Short Method Port Speed Default Cost Value Default Range 10 Mbps 1 to 65535 100 Mbps 1 to 65535 1 Gbps 1 to 65535 Calculating the Port Cost Using the Long Method 802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the port bandwidth.
At any given time, each port on a switch using STP is in one of these states:
• Blocking
• Listening
• Learning
• Forwarding
• Disabled
A port moves through these states:
• From initialization to blocking
•...
Chapter 7 Configuring Spanning Tree Understanding How STPs Work Blocking State A port in the blocking state, such as Port 2 in Figure 7-3, does not participate in frame forwarding. After initialization, a BPDU is sent to each port in the switch. A switch initially assumes that it is the root until it exchanges BPDUs with other switches.
Figure 7-4 Port 2 in Listening State
Figure 7-5 Port 2 in Learning State
Figure 7-6 Port 2 in Forwarding State
Chapter 7 Configuring Spanning Tree Understanding How PVST+ and MISTP Modes Work
Disabled State
A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 7-7. A port in the disabled state is virtually nonoperational.
Figure 7-7 Port 2 in Disabled State
Chapter 7 Configuring Spanning Tree Understanding How PVST+ and MISTP Modes Work The following sections provide an overview of each mode. Caution If your network currently uses PVST+ and you plan to use MISTP on any switch, you must first enable MISTP-PVST+ on the switch and configure an MISTP instance to avoid causing network loops.
Chapter 7 Configuring Spanning Tree Understanding How Bridge Identifiers Work An MISTP instance can have any number of VLANs that are mapped to it, but a VLAN can only be mapped to a single MISTP instance. You can easily move a VLAN (or VLANs) in an MISTP topology to another MISTP instance if it has converged.
The protocol, as implemented in this release, is backward compatible with 802.1D STP, 802.1w, the Rapid Spanning Tree Protocol (RSTP), and the Cisco PVST+ architecture. MST allows you to build multiple spanning trees over VLAN trunks. You can group and associate VLANs to spanning tree instances.
Chapter 7 Configuring Spanning Tree Understanding How MST Works MST uses the modified RSTP version called the Multiple Spanning Tree Protocol (MSTP). The MST feature has these characteristics: • MST runs a variant of spanning tree called Internal Spanning Tree (IST). IST augments the Common Spanning Tree (CST) information with internal information about the MST region.
Chapter 7 Configuring Spanning Tree Understanding How MST Works • Do not connect switches with access links because access links may partition a VLAN. • Any MST configuration involving a large number of either existing or new logical VLAN ports should be carried out during the maintenance window.
Chapter 7 Configuring Spanning Tree Understanding How MST Works RSTP Port States The port state controls the forwarding and learning processes and provides the values of discarding, learning, and forwarding. See Table 7-3 for a comparison between STP port states and RSTP port states. Table 7-3 Comparison Between STP and RSTP Port States Operational Status...
Chapter 7 Configuring Spanning Tree Understanding How MST Works To the spanning tree protocol running in the SST region, an MST region appears as a single SST or pseudobridge. Pseudobridges operate as follows: • The same values for root identifiers and root path costs are sent in all BPDUs of all the pseudobridge ports.
Chapter 7 Configuring Spanning Tree Understanding How MST Works • MST configuration table—An array of 4096 bytes. Each byte, interpreted as an unsigned integer, corresponds to a VLAN. The value is the instance number to which the VLAN is mapped. The first byte that corresponds to VLAN 0 and the 4096th byte that corresponds to VLAN 4095 are unused and always set to zero.
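The table layout described above, built and compared in code. This is an added example, not code from the Cisco guide: the instance-to-VLAN mapping is taken from the show spantree mst config output on this page (instance 0 holds 1,51-4094; instances 3 and 4 hold 31-40 and 41-50; the assignment of 2-20 and 21-30 to instances 1 and 2 is assumed from the order of the listing), and the second switch's mapping is constructed to show how a single differing byte is what show spantree conflicts vlan would report.

```python
"""MST configuration table: 4096 bytes, one per VLAN, value = instance number.

Bytes 0 and 4095 (VLAN 0 and VLAN 4095) are unused and stay zero. A VLAN that
is not explicitly mapped stays in instance 0, which matches the
'show spantree mst 0' output on this page. VLAN lists use the '1,51-4094'
notation of the set/show spantree mst commands. Added example code.
"""

MST_TABLE_SIZE = 4096
MIN_VLAN, MAX_VLAN = 1, 4094  # usable VLAN IDs; 0 and 4095 are reserved


def parse_vlan_list(text):
    """Parse a VLAN list such as '1,51-4094' or '2-20' into a sorted list."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if lo > hi or lo < MIN_VLAN or hi > MAX_VLAN:
            raise ValueError("VLAN range out of bounds: %s" % part)
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def build_mst_table(mapping):
    """Return the 4096-byte table for a {instance: vlan_list_string} mapping.

    A VLAN may be mapped to only one instance, so a second mapping for the
    same VLAN is rejected rather than silently overwriting the first. Only
    the byte width bounds the instance number here; the platform's own
    instance range is not part of this example.
    """
    table = bytearray(MST_TABLE_SIZE)  # every VLAN starts in instance 0
    for instance, vlan_text in mapping.items():
        if not 0 <= instance <= 255:
            raise ValueError("instance %r does not fit in one byte" % instance)
        for vlan in parse_vlan_list(vlan_text):
            if table[vlan] != 0:
                raise ValueError("VLAN %d already mapped to instance %d"
                                 % (vlan, table[vlan]))
            table[vlan] = instance
    return bytes(table)


def vlans_of_instance(table, instance):
    """Inverse lookup: the VLANs that a table maps to the given instance."""
    return [v for v in range(MIN_VLAN, MAX_VLAN + 1) if table[v] == instance]


def format_vlan_list(vlans):
    """Compress a sorted VLAN list back into '1,51-4094' notation."""
    if not vlans:
        return ""
    ranges, start, prev = [], vlans[0], vlans[0]
    for v in vlans[1:]:
        if v != prev + 1:
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


def mapping_conflicts(table_a, table_b):
    """Return (vlan, instance_on_a, instance_on_b) for every VLAN whose byte
    differs between two tables, i.e. the same VLAN mapped to different
    instances on two switches. Any difference means the two switches are
    not in the same MST region."""
    return [(v, table_a[v], table_b[v])
            for v in range(MIN_VLAN, MAX_VLAN + 1) if table_a[v] != table_b[v]]


if __name__ == "__main__":
    # Mapping from the 'show spantree mst config' output on this page.
    switch_a = build_mst_table({1: "2-20", 2: "21-30", 3: "31-40", 4: "41-50"})
    print("instance 0:", format_vlan_list(vlans_of_instance(switch_a, 0)))
    # Constructed neighbour whose operator put VLAN 25 into instance 3 instead.
    switch_b = build_mst_table({1: "2-20", 2: "21-24,26-30",
                                3: "25,31-40", 4: "41-50"})
    for vlan, ia, ib in mapping_conflicts(switch_a, switch_b):
        print("VLAN %d: instance %d on A, instance %d on B" % (vlan, ia, ib))
```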
Chapter 7 Configuring Spanning Tree Understanding How MST Works IST Master The IST master of an MST region is the bridge with the lowest bridge identifier and the least path cost to the CST root. If an MST bridge is the root bridge for CST, then it is the IST master of that MST region. If the CST root is outside the MST region, then one of the MST bridges at the boundary is selected as the IST master.
Chapter 7 Configuring Spanning Tree Understanding How MST Works Message Age and Hop Count IST and MST instances do not use the Message Age and Maximum Age timer settings in the BPDU. IST and MST use a separate hop count mechanism that is very similar to the IP TTL mechanism. You can configure each MST bridge with a maximum hop count.
Chapter 7 Configuring Spanning Tree Understanding How BPDU Skewing Works When you connect a PVST+ switch to two different MST regions, the topology change from the PVST+ switch does not pass beyond the first MST region. In this case, the topology changes are only propagated in the instance to which the VLAN is mapped.
Chapter 7 Configuring Spanning Tree Using PVST+
Table 7-4 PVST+ Default Configuration
Feature: Default Value
VLAN 1: All ports assigned to VLAN 1
Enable state: PVST+ enabled for all VLANs
MAC address reduction: Disabled
Bridge priority: 32,768
Bridge ID priority: 32,769 (bridge priority plus system ID extension of VLAN 1)
Port priority Port cost...
Chapter 7 Configuring Spanning Tree Using PVST+ This example shows how to set the PVST+ bridge ID when MAC address reduction is not enabled (default): Console> (enable) set spantree priority 30000 1 Spantree 1 bridge priority set to 30000. Console> (enable) show spantree 1 VLAN 1 Spanning tree mode PVST+...
Configuring the PVST+ Port Cost
You can configure the port cost of switch ports. Ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex), and higher numbers to ports that are attached to slower media. The possible range of cost is from 1–65535.
To configure the port VLAN cost for a port, perform this task in privileged mode:
Task: Configure the port VLAN cost for a VLAN on a switch port.
Command: set spantree portvlancost {mod/port} [cost cost] [vlan_list]
This example shows how to configure the port VLAN cost on a port:
Console>...
Chapter 7 Configuring Spanning Tree Using Rapid PVST+ Disabling the PVST+ Mode on a VLAN When the switch is in PVST+ mode, you can disable spanning tree on individual VLANs or all VLANs. When you disable spanning tree on a VLAN, the switch does not participate in spanning tree and any BPDUs that are received in that VLAN are flooded on all ports.
Chapter 7 Configuring Spanning Tree Using Rapid PVST+ This example shows how to configure Rapid PVST+: Console> (enable) set spantree mode rapid-pvst+ Spantree mode set to RAPID-PVST+. Console> (enable) set spantree link-type 3/1 point-to-point Link type set to point-to-point on port 3/1. Console>...
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Using MISTP-PVST+ or MISTP The default spanning tree mode on the Catalyst 4500 series switches is PVST+ mode. If you want to use MISTP mode in your network, we recommend that you carefully follow the procedures that are described in the following sections in order to avoid loss of connectivity in your network.
Table 7-5 MISTP Mode Default Configuration (continued)
Feature: Default Value
Hello time: 2 sec
Forward delay time: 15 sec
Setting the MISTP-PVST+ Mode or MISTP Mode
If you enable MISTP in a PVST+ network, you must be very careful to avoid bringing down the network. This section explains how to enable MISTP or MISTP-PVST+ on your network.
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP This example shows how to display the spanning tree VLAN instance mapping in MISTP mode: Console> (enable) set spantree mode mistp PVST+ database cleaned up. Spantree mode set to MISTP. Console> (enable) show spantree mapping Inst Root Mac Vlans ---- ----------------- --------------------------...
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Root Max Age 20 sec Hello Time 2 Forward Delay 15 sec Bridge ID MAC ADDR 00-d0-02-27-9c-00 Bridge ID Priority 32769 (bridge priority:32768, sys ID ext:1) VLANs mapped: 1,74 Bridge Max Age 20 sec Hello Time 2 Forward Delay 15 sec Port...
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Bridge ID Priority 32769 (bridge priority:32768, sys ID ext:1) VLANs mapped: 1,74 Bridge Max Age 20 sec Hello Time 2 Forward Delay 15 sec Port Inst Port-State Cost Prio Portfast Channel_id ------------------------ ---- ------------- --------- ---- -------- ---------- forwarding 20000...
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP This example shows how to configure the port instance priority on an MISTP instance and verify the configuration: Console> (enable) set spantree portinstancepri 1/1 16 2 Port 1/1 MISTP Instances 2 using portpri 16. Port 1/1 mistp-instance 1,3-16 using portpri 32.
Chapter 7 Configuring Spanning Tree Using MISTP-PVST+ or MISTP • You can only map Ethernet VLANs to MISTP instances. • At least one VLAN in the instance must have an active port in order for MISTP-PVST+ or MISTP to be active. •...
To determine VLAN mapping conflicts, perform this task in privileged mode:
Task: Determine VLAN mapping conflicts.
Command: show spantree conflicts vlan
This example shows that there is an attempt to map VLAN 2 to MISTP instance 1 and to MISTP instance 3 on two different switches, as seen from a third switch in the topology:
Console>...
Chapter 7 Configuring Spanning Tree Configuring a Root Switch Unmapping VLANs from an MISTP Instance The keyword none is used to unmap the specified VLANs from the MISTP instances to which they are currently mapped. When you unmap a VLAN from an MISTP instance, the resulting state of all the ports of the VLAN (if the VLAN exists) is blocking.
Chapter 7 Configuring Spanning Tree Configuring a Root Switch When you specify a switch as the primary root, the default bridge priority is modified so that it becomes the root for the specified VLANs. Set the bridge priority to 8192. If this setting does not result in the switch becoming a root, modify the bridge priority to be 1 less or the same as the bridge priority of the current root switch.
To configure a switch as the secondary root switch, perform this task in privileged mode:
Task: Configure a switch as the secondary root switch.
Command: set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]
This example shows how to configure the secondary root switch for VLANs 22 and 24:
Console>...
To speed up convergence, use nondefault parameter values that are permitted by 802.1D. The nondefault parameters for a reconvergence of 14 seconds are as follows:
Parameter: Time
Network Diameter (dia): 2 hops
Hello Time: 2 sec
Forward Delay Timer...
Chapter 7 Configuring Spanning Tree Configuring a Root Switch Console> (enable) set spantree root 1-10 dia 4 VLANs 1-10 bridge priority set to 8192 VLANs 1-10 bridge max aging time set to 14 seconds. VLANs 1-10 bridge hello time set to 2 seconds. VLANs 1-10 bridge forward delay set to 9 seconds.
Chapter 7 Configuring Spanning Tree Configuring Spanning Tree Timers Configuring Spanning Tree Timers Spanning tree timers affect the spanning tree performance. You can configure the spanning tree timers for a VLAN in PVST+ or an MISTP instance in MISTP mode. If you do not specify a VLAN when the switch is in PVST+ mode, VLAN 1 is assumed.
Configuring the Forward Delay Time
Enter the set spantree fwddelay command to configure the spanning tree forward delay time for a VLAN. The possible range for delay is from 4–30 seconds. To configure the spanning tree forward delay time for a VLAN, perform this task in privileged mode:
Task Command...
Chapter 7 Configuring Spanning Tree Configuring MST Configuring MST The following sections describe how to configure MST: Enabling MST To enable and configure MST on the switch, perform this task in privileged mode: Task Command Step 1 Begin in PVST+ mode. set spantree mode mst [mistp | pvst+ | mistp-pvst+ | mst] Step 2 Display the STP ports.
Chapter 7 Configuring Spanning Tree Configuring MST Console> (enable) set spantree mst config name cisco revision 1 Edit Buffer modified. Use 'set spantree mst config commit' to apply the changes. Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration:...
Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration: Configuration Name: Revision:0 Instance VLANs -------- -------------------------------------------------------------- 1-4094 ======================================================================= NEW MST Region Configuration (Not committed yet) Configuration Name:cisco Revision:1 Instance VLANs -------- -------------------------------------------------------------- 1,51-4094 2-20 21-30 31-40 41-50 ======================================================================= Edit buffer is locked by:Console (pid 142) Console>...
Chapter 7 Configuring Spanning Tree Configuring MST ======================================================================= Console> (enable) Console> (enable) set spantree mode mst PVST+ database cleaned up. Spantree mode set to MST. Console> (enable) Console> (enable) Console> (enable) show spantree mst 0 Spanning tree mode Instance VLANs Mapped: 1,51-4094 Designated Root 00-50-3e-66-d0-00...
BDRY 20000 32 31-40 4 forwarding BDRY 20000 32 41-50 Console> (enable) Console> (enable) Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration: Configuration Name:cisco Revision:1 Instance VLANs -------- -------------------------------------------------------------- 1,51-4094 2-20 21-30 31-40 41-50 ======================================================================= Console> (enable) Configuring the MST Bridge ID Priority You can set the bridge ID priority for an MST instance when the switch is in MST mode.
Chapter 7 Configuring Spanning Tree Configuring MST Console> (enable) show spantree mst 3 Spanning tree mode Instance VLANs Mapped: 31-40 Designated Root 00-10-7b-bb-2f-00 Designated Root Priority 8195 (root priority:8192, sys ID ext:3) Designated Root Cost Remaining Hops 20 Designated Root Port Bridge ID MAC ADDR 00-10-7b-bb-2f-00 Bridge ID Priority...
Chapter 7 Configuring Spanning Tree Configuring MST Configuring the MST Port Priority You can configure the port priority of ports. The port with the lowest priority value forwards frames for all VLANs. The possible port priority value is from 0–63; the default is 32. If all ports have the same priority value, the port with the lowest port number forwards frames.
Chapter 7 Configuring Spanning Tree Configuring MST Console> (enable) show spantree mst 4 Spanning tree mode Instance VLANs Mapped: 41-50 Designated Root 00-10-7b-bb-2f-00 Designated Root Priority 32772 (root priority:32768, sys ID ext:4) Designated Root Cost Remaining Hops 20 Designated Root Port Bridge ID MAC ADDR 00-10-7b-bb-2f-00 Bridge ID Priority...
[instance] [active] mod/port This example shows how to map a VLAN to MST instance 1 and verify the mapping: Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration: Configuration Name:cisco Revision:1 Instance VLANs -------- --------------------------------------------------------------...
Console> (enable) set spantree mst 14 vlan 900-999 Edit Buffer modified. Use 'set spantree mst config commit' to apply the changes. Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration: Configuration Name:cisco Revision:1 Instance VLANs -------- -------------------------------------------------------------- 1,51-4094...
Chapter 7 Configuring Spanning Tree Configuring MST Console> (enable) show spantree mst config Current (NVRAM) MST Region Configuration: Configuration Name:cisco Revision:1 Instance VLANs -------- -------------------------------------------------------------- 1,51-4094 2-20 21-30 31-40 41-50 ======================================================================= NEW MST Region Configuration (Not committed yet) Configuration Name:cisco...
Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing ======================================================================= Console> (enable) Console> (enable) show spantree mst 3 Spanning tree mode Instance VLANs Mapped: 31-40 Designated Root 00-10-7b-bb-2f-00 Designated Root Priority 8195 (root priority:8192, sys ID ext:3) Designated Root Cost Remaining Hops 20 Designated Root Port Bridge ID MAC ADDR...
Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing This example shows how to configure BPDU skewing and view the skewing statistics: Console> (debug-eng) set spantree bpdu-skewing Usage:set spantree bpdu-skewing <enable|disable> Console> (debug-eng) Console> (debug-eng) Console> (debug-eng) set spantree bpdu-skewing enable Spantree bpdu-skewing enabled on this switch.
Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total Console> (enable) Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX 7-59 78-15908-01...
C H A P T E R Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard This chapter describes how to configure the PortFast, BPDU guard, BPDU filter, UplinkFast, BackboneFast, and loop guard spanning tree enhancements on the Catalyst enterprise LAN switches. For information on configuring spanning tree, see Chapter 7, “Configuring Spanning Tree.”...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Understanding How PortFast Works Understanding How PortFast Works PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch or trunk ports that are connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Understanding How UplinkFast Works Understanding How UplinkFast Works UplinkFast provides fast convergence using uplink groups in the network access layer after a spanning tree topology change. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Understanding How BackboneFast Works As soon as the switch transitions the alternate port to the forwarding state, the switch begins transmitting dummy multicast frames on that port, one for each entry in the local Enhanced Address Recognition Logic (EARL) table (except those entries that are associated with the failed root port).
Figure 8-3 Example of BackboneFast before Indirect Link Failure (Switch A, Switch B (Root), Switch C, blocked port)
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Understanding How Loop Guard Works
Figure 8-5 Adding a Switch in a Shared-Medium Topology (Switch A (Root), Switch B, Switch C (Designated Bridge), blocked port, added switch)
Understanding How Loop Guard Works
Unidirectional link failures may cause a root port or alternate port to become designated as root if...
Figure 8-6 Triangle Switch Configuration with Loop Guard (designated port, root port, alternate port)
Figure 8-6 illustrates the following configuration:
•...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast PVID-inconsistent ports. If the port is already blocked by loop guard, misconfigured BPDUs that are received on the port make loop guard recover, but the port is moved into the type-inconsistent state or PVID-inconsistent state.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast This example shows how to enable PortFast on port 1 of module 4 and verify the configuration (the PortFast status is shown in the “Fast-Start” column): Console>...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast 1005 not-connected 32 enabled Console> (enable) show spantree portfast 4/1 Portfast:enable trunk Portfast BPDU guard is disabled. Portfast BPDU filter is disabled. Console> Note When you enable PortFast between two switches, the system will verify that there are no loops in the network before bringing the blocking trunk to a forwarding state.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Guard Resetting PortFast To reset PortFast on a switch or trunk port to its default settings, perform this task in privileged mode: Task Command Step 1...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Guard This example shows how to enable PortFast BPDU guard on module 6 port 1, and verify the configuration in the Per VLAN Spanning Tree + (PVST+) mode: Console>...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring UplinkFast Configuring UplinkFast The following sections describe how to configure the UplinkFast feature on the switch. Enabling UplinkFast When you enable UplinkFast on the switch, UplinkFast processing is enabled and the spanning tree bridge priority for all VLANs is set to 49,152, making it unlikely that the switch will become the root switch.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring UplinkFast This example shows how to display the UplinkFast feature settings for all VLANs: Console> show spantree uplinkfast Station update rate set to 15 packets/100ms. uplinkfast all-protocols field set to off.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring BackboneFast The portvlancost of all bridge ports set to default value. uplinkfast all-protocols field set to off. uplinkfast disabled for bridge. Console> (enable) show spantree uplinkfast uplinkfast disabled for bridge.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring Loop Guard Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total BackboneFast statistics ----------------------- Number of inferior BPDUs received (all VLANs) Number of RLQ req PDUs received (all VLANs) Number of RLQ res PDUs received (all VLANs) Number of RLQ req PDUs transmitted (all VLANs) : 0...
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard Configuring Loop Guard Do you want to continue (y/n) [n]? y Loopguard on port 5/1 is enabled. Console> (enable) This example shows how to enable loop guard on all the ports on a switch: Console>...
C H A P T E R Configuring VTP This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 9 Configuring VTP Understanding How VTP Version 1 and Version 2 Work
These sections describe how VTP works:
• Understanding the VTP Domain, page 9-2
• Understanding VTP Modes, page 9-2
• Understanding VTP Advertisements, page 9-3
• Understanding VTP Version 2, page 9-3
•...
Chapter 9 Configuring VTP Understanding How VTP Version 1 and Version 2 Work • Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
Chapter 9 Configuring VTP Understanding How VTP Version 1 and Version 2 Work Understanding VTP Pruning Note Enabling VTP pruning on a VTP version 3 switch enables pruning only on the switch that you enable it on. VTP pruning is not propagated as it is with VTP version 1 and VTP version 2. VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets.
Chapter 9 Configuring VTP Default VTP Version 1 and Version 2 Configuration
Figure 9-2 Flooding Traffic with VTP Pruning (Switches 1 through 6; flooded traffic; the port on Switch 2 is pruned)
Enabling VTP pruning on a VTP server enables pruning for the entire management domain.
VTP Version 1 and Version 2 Configuration Guidelines
This section describes the guidelines for implementing VTP in your network:
• All switches in a VTP domain must run the same VTP version.
• You must configure a password on each switch in the management domain when you are in secure...
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2
Configuring a VTP Server
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network. To configure the switch as a VTP server, perform this task in privileged mode:
Task Command Step 1...
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2 This example shows how to configure the switch as a VTP client and verify the configuration: Console> (enable) set vtp domain Lab_Network VTP domain Lab_Network modified Console> (enable) set vtp mode client Changing VTP mode for all features VTP domain Lab_Network modified Console>...
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2 Disabling VTP Using the Off Mode When you disable VTP using the off mode, the switch behaves the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded. To disable VTP using the off mode, perform this task in privileged mode: Task Command...
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2 This example shows how to enable VTP version 2 and verify the configuration: Console> (enable) set vtp version 2 This command will enable VTP version 2 function in the entire management domain. All devices in the management domain should be version2-capable before enabling.
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2 Enabling VTP Pruning To enable VTP pruning, perform this task in privileged mode: Task Command Step 1 Enable VTP pruning in the management domain. set vtp pruning enable Step 2 (Optional) Make specific VLANs pruning clear vtp pruneeligible vlan_range ineligible on the device.
Chapter 9 Configuring VTP Configuring VTP Version 1 and Version 2 Port Vlans allowed and active in management domain -------- --------------------------------------------------------------------- 16/1 Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- 16/1 Console> (enable) Disabling VTP Pruning To disable VTP pruning, perform this task in privileged mode: Task Command...
Chapter 9 Configuring VTP Understanding How VTP Version 3 Works Understanding How VTP Version 3 Works VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements to previous VTP versions: •...
Chapter 9 Configuring VTP Understanding How VTP Version 3 Works • If a password is configured as hidden, using the hidden password configuration option, the following occurs: – The password does not appear in plain text in the configuration; the secret hexadecimal format of the password is saved in the configuration.
9-4). In Figure 9-4, the Cisco VTP domain is partitioned between switches accepting server X or server Y as a primary server. The switches that are from different partitions do not exchange database information even though they are part of the same domain. If server X changes the VTP configuration, only the left partition of the network accepts it.
Figure 9-4 VTP Version 3: Partitioned VTP Domain (domain Cisco, with primary server X in one partition and primary server Y in the other)
Partitions exist because of discrepancies in the domain configuration that cannot automatically be resolved by VTP.
Figure 9-5 VTP Version 3: Reconfiguring a Partitioned VTP Domain (one VTP instance with partitions W, X, Y, and Z)
In Figure 9-5, server X has the correct configuration for the domain. To reconfigure this partitioned VTP domain, you need to issue a takeover message from server X to the entire domain, advertising server X as the new primary server for this specific instance.
VTP Version 3 Modes
The default mode for VTP is version 1, server mode. The off mode can be exited only after you configure a VTP domain name on the switch. The “domain discovery” that is used in VTP version 1 and VTP version 2 is not available in VTP version 3.
• A VTP server reverts to client mode if it cannot store the configuration in NVRAM.
• A VTP version 3 secondary server can issue a takeover to become a primary server.
Primary Server
The primary server can initiate or change the VTP configuration.
Valid Databases
A switch advertises a database only if it is valid. The only way to validate a database is to become the primary server. If a switch modifies a database that has been generated by a primary server (this situation is possible in off or transparent modes), the database is invalid.
• If the database revision number in the advertisement is greater than that of the receiving device, and the advertisement’s checksum and configuration information match, the receiving switch requests the exact subset of databases that are not up to date so that the switch can update its table. The VTP advertisement is regenerated on each of the device’s trunk ports other than the trunk port on which it was received.
• A VTP version 2 region that is connected to two different VTP version 3 regions may receive contradictory information and keep swapping its database to the VTP version 3 region that has the highest revision number at any given time.
Configuring VTP Version 3
This example shows how to enable VTP version 3 and verify the configuration:
Console> (enable) set vtp version 3
VTP version 3 cannot be enabled on a switch with No Domain.
Console> (enable) set vtp domain ENG
VTP domain ENG modified
Console>...
Configuring a VTP Version 3 Server
When a switch is in VTP version 3 server mode, you can change the VLAN configuration and have it propagate throughout the network. To configure the switch as a VTP version 3 server, perform this task in privileged mode: Task Command...
This example shows how to configure the switch as a VTP version 3 client and verify the configuration:
Console> (enable) set vtp mode client
Changing VTP mode for all features
VTP3 domain server modified
Note Because there is only the VLAN database in release 8.1(1) and later releases, if you do not specify the vlan keyword with the set vtp mode client command, you will get the same configuration as if you...
Console> (enable) show vtp domain
Version : running VTP3
Domain Name : server
Password : not configured
Notifications: disabled
Switch ID : 00d0.004c.1800
Feature Mode Revision Primary ID Primary Description
-------------- -------------- ----------- -------------- ----------------------
VLAN Transparent UNKNOWN...
Configuring VTP Version 3 Passwords
Note For more information about configuring passwords in VTP version 3, see the “VTP Version 3 Authentication” section on page 9-13.
In VTP version 3, you can hide the VTP password from the configuration by adding the hidden keyword to the password configuration.
This example shows how to copy the secret hexadecimal value from the configuration, paste it into the command line, and verify the configuration:
Console> (enable) set vtp passwd 9fbdf74b43a2815037c1b33aa00445e2 secret
Setting secret.
VTP3 domain server modified
Console>...
No conflicting VTP 3 devices found.
Do you want to continue (y/n) [n]? y
Console> (enable) show vtp domain
Version : running VTP3
Domain Name : server
Password : configured (hidden)
Notifications: disabled
Switch ID : 00d0.004c.1800
Feature Mode...
VTP Version 3 show Commands
Use the show vtp {conflicts | devices | domain | statistics} command to show other devices in the domain or devices in the domain with conflicting (conflicts) configurations. Use the domain keyword to display information that is specific to the VTP domain, and use the statistics keyword to display VTP statistics.
Chapter 10 Configuring VLANs
This chapter describes how to configure virtual LANs (VLANs) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Figure 10-1 VLANs as Logically Defined Networks (Engineering, Marketing, and Accounting VLANs spanning Catalyst 4000 switches on floors 1 to 3, connected over Fast Ethernet to a Cisco router)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
• Extended-range VLANs: 1025–4094
Note The term nonreserved VLANs is used to denote any VLANs that are not reserved by Cisco; this includes normal-range and extended-range VLANs.
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.
Configurable VLAN Parameters
Whenever you create or modify VLANs 2–1005, you can set the parameters as follows:
Note Ethernet VLANs 1 and 1025–4094 can use the defaults only.
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.
Table 10-2 VLAN Default Configuration (continued)
Feature: Default Value
SAID value: 100,000 plus the VLAN number (for example, the SAID for VLAN 3 is 100,003)
Pruning eligibility: VLANs 2–1000 are pruning eligible; VLANs 1025–4094 are not pruning eligible
VLAN Configuration Guidelines
This section describes the configuration guidelines for creating and modifying VLANs in your network:...
Configuring VLANs on the Switch
VLANs are either normal range or extended range. VLANs in the normal range are VLANs 2–1000. VLANs in the extended range are VLANs 1025–4094. When you configure normal-range VLANs, VLANs 2–1000, you can configure one VLAN at a time or a range of VLANs, all with a single command.
This example shows how to create an Ethernet VLAN and verify the configuration:
Console> (enable) set vlan 500 name Engineering
Vlan 500 configuration successful
Console> (enable) show vlan 500
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------...
This example shows how to create normal-range VLANs when the switch is in per-VLAN spanning tree + (PVST+) mode:
Console> (enable) set vlan 500-520
Vlan 500 configuration successful
Vlan 501 configuration successful
Vlan 502 configuration successful
Vlan 503 configuration successful
Vlan 520 configuration successful...
Creating or Modifying an Extended-Range VLAN
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.
Note With software release 8.1(1), you can name extended-range VLANs. This capability is independent of any VTP version or mode.
This example shows how to change the state of an extended-range Ethernet VLAN and verify the configuration:
Console> (enable) set vlan 2000 state suspend
Vlan 2000 configuration successful
Console> (enable) show vlan 2000
VLAN Name Status IfIndex Mod/Ports, Vlans...
Mapping 802.1Q VLANs to ISL VLANs
Your network might have non-Cisco devices that are connected to the Catalyst 6500 series switches through 802.1Q trunks or traffic from a non-Cisco switch that has VLANs in the Catalyst 6500 series reserved range, 1002–1024.
To map an 802.1Q VLAN to an ISL VLAN, perform this task in privileged mode:
Step 1 Map an 802.1Q VLAN to an ISL Ethernet VLAN: set vlan mapping dot1q dot1q_vlan isl isl_vlan
The valid range for dot1q_vlan is from 1001–4095.
Port 3 connects to a PC or other device. Figure 10-2 shows how you can connect a Cisco IP Phone to a Catalyst 4500 series switch. When the IP phone connects to a 10/100 port on the Catalyst 4500 series switch, the access port (PC-to-phone jack) of the IP phone can be used to connect a PC.
A new VLAN means a new subnet and a new set of IP addresses. You can configure switch ports to send Cisco Discovery Protocol (CDP) packets that instruct an attached Cisco IP Phone to transmit voice traffic to the switch in these frame types: •...
Auxiliary VLAN Configuration Guidelines
This section describes the guidelines for configuring auxiliary VLANs:
• The IP phone and a device that is attached to the phone are in the same VLAN and must be in the...
Table 10-3 Keyword Descriptions
Keyword: Action
dot1p: Specify that the phone send packets with 802.1p priority 5.
untagged: Specify that the phone send untagged packets.
none: Specify that the switch not send any auxiliary VLAN information in the CDP packets from that port.
Configuring Private VLANs
Privacy is granted at Layer 2 because the switch blocks outgoing traffic to all isolated ports. You assign all isolated ports to an isolated VLAN where this hardware function occurs. Traffic that is received from an isolated port is forwarded to all promiscuous ports only.
• Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or community ports. You will achieve these results:
– Isolated/community VLAN spanning tree properties are set to those of the primary VLAN.
–...
• If you enable MAC address reduction on a Catalyst 4500 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match.
To create a private VLAN, perform this task in privileged mode:
Step 1 Create the primary VLAN: set vlan vlan_num pvlan-type primary
Step 2 Set the isolated or community VLAN(s): set vlan vlan_num pvlan-type {isolated | community}
Step 3 Bind the isolated or community VLAN(s) to the...
This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4/7 through 4/9 as the community ports:
Console> (enable) set pvlan 7 903
Successfully set association between 7 and 903.
Console>...
Deleting an Isolated or Community VLAN
If you delete an isolated or community VLAN, the binding with the primary VLAN is broken, any isolated or community ports that are associated to the VLAN become inactive, and any related mappings on the promiscuous port(s) are deleted.
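The private VLAN forwarding rules described above (isolated ports reach promiscuous ports only, community ports reach their own community and the promiscuous ports, promiscuous ports reach everything in the primary VLAN), written out as an added Python model. This is an illustration added here, not Cisco's code or a CatOS data structure; the port names, the isolated VLAN 901, the second community VLAN 904 and the PvlanPort class are constructed assumptions, while primary VLAN 7 and community VLAN 903 on ports 4/7 through 4/9 follow the example in the text. The model covers the Layer 2 isolation the text describes and nothing about what a router on the promiscuous port does at Layer 3.

```python
"""Model of private VLAN (PVLAN) Layer 2 forwarding rules.

Constructed example: port names, VLAN 901/904 and the PvlanPort class are
assumptions for illustration, not CatOS internals.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str                        # mod/port, e.g. "4/7"
    kind: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    primary: int                     # primary VLAN the port is bound to
    secondary: Optional[int] = None  # isolated or community VLAN; None for promiscuous


def may_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame received on src may be delivered to dst.

    Promiscuous ports talk to every port in the primary VLAN; an isolated
    port's traffic reaches promiscuous ports only; community ports reach the
    promiscuous ports and other ports of the same community VLAN.
    """
    if src is dst or src.primary != dst.primary:
        return False
    if src.kind == PROMISCUOUS or dst.kind == PROMISCUOUS:
        return True
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.secondary == dst.secondary
    # isolated -> isolated, isolated -> community, community -> isolated
    return False


def flood_targets(src: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Ports that receive a flooded (broadcast or unknown-unicast) frame from src."""
    return [p.name for p in ports if may_forward(src, p)]


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """Per-port list of reachable ports, useful for reviewing a PVLAN design."""
    return {p.name: flood_targets(p, ports) for p in ports}


# Constructed topology: one primary VLAN (7) with a promiscuous uplink, the
# community VLAN 903 from the text, plus an isolated VLAN and a second community.
SAMPLE_PORTS = [
    PvlanPort("2/1", PROMISCUOUS, primary=7),               # router/firewall uplink
    PvlanPort("4/7", COMMUNITY, primary=7, secondary=903),
    PvlanPort("4/8", COMMUNITY, primary=7, secondary=903),
    PvlanPort("4/9", COMMUNITY, primary=7, secondary=903),
    PvlanPort("5/1", ISOLATED, primary=7, secondary=901),   # assumed isolated VLAN
    PvlanPort("5/2", ISOLATED, primary=7, secondary=901),
    PvlanPort("6/1", COMMUNITY, primary=7, secondary=904),  # assumed second community
]


if __name__ == "__main__":
    for port, targets in reachability(SAMPLE_PORTS).items():
        print(f"{port:>4} -> {', '.join(targets) or '(nothing)'}")
```

Running the block prints one line per port; the two isolated ports each reach only the uplink, and the lone member of community 904 likewise reaches only the uplink, which is the check to make when deciding whether a host really needs community rather than isolated membership.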
Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
This chapter describes how to configure Fast Ethernet and Gigabit Ethernet virtual LAN (VLAN) trunks on the Catalyst enterprise LAN switches.
Note For complete information on configuring VLANs, see Chapter 10, “Configuring VLANs.”...
Understanding How VLAN Trunks Work
You can configure a trunk on a single Fast or Gigabit Ethernet port or on a Fast or Gigabit EtherChannel bundle. For more information about Fast and Gigabit EtherChannel, see Chapter 6, “Configuring Fast EtherChannel and Gigabit EtherChannel.”...
When manually enabling trunking on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.
802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches that are connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.
• Make sure that the native VLAN is the same on all of the 802.1Q trunks connecting the Cisco...
• If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections must be through 802.1Q trunks. You cannot connect Cisco switches to a non-Cisco 802.1Q cloud through ISL trunks or through access ports. Doing so will cause the switch to place the ISL trunk port or access port into the spanning-tree “port inconsistent”...
Configuring a Trunk Link
Before configuring an 802.1Q trunk you must set a VTP domain and enter the VLANs that will be used in the trunk or channel. For more information see Chapter 9, “Configuring VTP,”...
Note When you first configure a port as a trunk, the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN range is ignored). To modify the allowed VLANs list, use the clear trunk and set trunk commands to specify the allowed VLANs.
When you disable VLAN 1 on a trunk interface, no user traffic is transmitted or received across that trunk interface, but the supervisor engine continues to transmit and receive packets from control protocols such as Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), Dynamic Trunking Protocol (DTP), and so forth.
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,802,850,917,999
Console> (enable)
Example VLAN Trunk Configurations
The following sections contain examples of VLAN trunk configurations:
Note For examples of configuring trunk links between switches and routers, refer to the Layer 3 Switching Software Configuration Guide—Catalyst 5000 Family, 4000 Family, 2926G Series, 2926 Series, 2948G,...
Switch_B> (enable) set vlan 1 3/3-6
VLAN Mod/Ports
---- -----------------------
3/3-6
Switch_B> (enable)
Step 2 Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk. The configuration is applied to all of the ports in the bundle.
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
Switch_A>...
Switch_A> (enable) set port channel 2/3-6 desirable
Port(s) 2/3-6 channel mode set to desirable.
Switch_A> (enable)
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%ETHC-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%ETHC-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%ETHC-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%ETHC-5-PORTFROMSTP:Port 2/4 left bridge port 2/4...
Load-Sharing VLAN Traffic over Parallel Trunks Example
Using spanning tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk.
Vlan 30 configuration successful
Switch_1> (enable) set vlan 40
Vlan 40 configuration successful
Switch_1> (enable) set vlan 50
Vlan 50 configuration successful
Switch_1> (enable) set vlan 60
Vlan 60 configuration successful
Switch_1>...
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
desirable dot1q trunking
desirable dot1q trunking
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1-1005,1025-4094
1-1005,1025-4094
Port...
blocking disabled
blocking disabled
blocking disabled
blocking disabled
blocking disabled
blocking disabled
1003 not-connected disabled
1005 not-connected disabled
Switch_1> (enable)
Step 8 Divide the configured VLANs into two groups. You might want traffic from one-half of the VLANs to go over one trunk link and one half over the other trunk link;...
Switch_2> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2>...
Figure 11-3 Parallel Trunk Configuration after Configuring VLAN Traffic Load-Sharing (Trunk 2, VLANs 10, 20, 30, 40, 50, and 60: port-VLAN priority 32 (blocking); Catalyst 4500 Switch 1 and Catalyst 4500 ...)
802.1Q Nonegotiate Trunk Configuration Example
This configuration shows how to configure an 802.1Q Fast Ethernet trunk between two Catalyst 4500 series switches with 802.1Q-capable hardware. (Use the show port capabilities command to see if your hardware is 802.1Q-capable.) The initial network configuration is shown in Figure 11-4.
Switch 2> (enable) show spantree 1
VLAN 1
Spanning tree enabled
Spanning tree type ieee
Designated Root 00-60-09-79-c3-00
Designated Root Priority 32768
Designated Root Cost
Designated Root Port
Root Max Age 20 sec...
Figure 11-6 802.1Q Trunking: Final Network Configuration (Switch 1 port 1/1 to Switch 2 port 4/1; trunk type 802.1Q and trunk mode nonegotiate on both ends)
Verify the 802.1Q configuration on Switch 1 by entering the show trunk and show spantree commands.
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1-1005, 1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1-3,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1005...
Chapter 12 Configuring Dynamic VLAN Membership with VMPS
This chapter describes how to configure dynamic VLAN membership for ports in your network using the VLAN Management Policy Server (VMPS) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command...
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is in open mode, the host receives an “access denied”...
Configuring VMPS
To configure VMPS, follow these steps:
Step 1 Create the VMPS Database. See the “Creating the VMPS Database” section on page 12-4. Determine the MAC addresses of the hosts that you want assigned to VLANs dynamically. On your workstation or PC, create an ASCII text file that contains the MAC address-to-VLAN mappings.
• Section 2, MAC addresses, lists MAC addresses and authorized VLAN names for each MAC address.
• Enter the MAC address of each host and the VLAN name to which each should belong.
•...
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny...
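The database header shown above and the request-handling rules described earlier in this chapter (MAC-to-VLAN lookup, the fallback VLAN, the port-group restriction, and the open-mode "access denied" result), as an added Python model that is not Cisco's code. It parses a constructed database and decides what the server would answer a client. The vmps-mac-addrs section with its address ... vlan-name lines, the vmps-port-policies section, and the --NONE-- VLAN name follow the VMPS file layout as I know it but are not shown on this page; the MAC addresses, the client IP 192.0.0.2, the port numbers and the VLAN names are constructed; the secure-mode result of shutting the port down is likewise known VMPS behaviour that this page's text does not reach, and is marked as an assumption in the code.

```python
"""Parser and decision model for a VMPS ASCII database.

Constructed example: the MAC addresses, client IP, ports and VLAN names are
made up. The vmps-mac-addrs and vmps-port-policies sections and the --NONE--
VLAN name follow the VMPS file layout as the author knows it (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SAMPLE_DB = """\
! Header: domain, mode, fallback VLAN, and handling of requests without a domain
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
! Section 2: MAC address -> authorized VLAN name (--NONE-- explicitly denies a host)
vmps-mac-addrs
address 0012.3456.789a vlan-name engineering
address 0012.3456.789b vlan-name engineering
address 00d0.004c.aaaa vlan-name finance
address 0000.5e00.0001 vlan-name --NONE--
!
! Port policies: a VLAN restricted to a group of ports (assumed section layout)
vmps-port-policies
vlan-name finance
 device 192.0.0.2 port 3/1
 device 192.0.0.2 port 3/2
"""


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"
    fallback: Optional[str] = None
    no_domain_req: str = "allow"
    mac_to_vlan: Dict[str, str] = field(default_factory=dict)
    # VLAN name -> set of (client IP, port) on which that VLAN may be assigned
    port_policy: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)


def parse_vmps_db(text: str) -> VmpsDatabase:
    """Parse the database; lines starting with '!' are comments."""
    db = VmpsDatabase()
    section = None
    current_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "vmps":
            key, value = words[1], words[2]
            if key == "domain":
                db.domain = value
            elif key == "mode":
                db.mode = value
            elif key == "fallback":
                db.fallback = value
            elif key == "no-domain-req":
                db.no_domain_req = value
        elif words[0] == "vmps-mac-addrs":
            section = "macs"
        elif words[0] == "vmps-port-policies":
            section = "ports"
        elif section == "macs" and words[0] == "address":
            db.mac_to_vlan[words[1].lower()] = words[3]       # address <mac> vlan-name <name>
        elif section == "ports" and words[0] == "vlan-name":
            current_vlan = words[1]
            db.port_policy.setdefault(current_vlan, set())
        elif section == "ports" and words[0] == "device" and current_vlan:
            db.port_policy[current_vlan].add((words[1], words[3]))  # device <ip> port <mod/port>
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return db


def _refuse(db: VmpsDatabase) -> Tuple[str, Optional[str]]:
    # Open mode: the host is refused. Secure mode: the port is shut down (assumption).
    return ("shutdown" if db.mode == "secure" else "deny", None)


def lookup(db: VmpsDatabase, domain: str, device: str, port: str, mac: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, vlan) for a client request; verdict is allow, deny or shutdown."""
    if not domain:
        if db.no_domain_req != "allow":
            return _refuse(db)
    elif domain != db.domain:
        return _refuse(db)                      # request from a foreign domain
    vlan = db.mac_to_vlan.get(mac.lower(), db.fallback)  # unknown MAC -> fallback VLAN
    if vlan is None or vlan == "--NONE--":
        return _refuse(db)
    allowed = db.port_policy.get(vlan)
    if allowed and (device, port) not in allowed:
        return _refuse(db)                      # VLAN restricted to other ports
    return ("allow", vlan)
```

Two design points worth noting when reading the model: a fallback VLAN turns every unknown MAC into an admitted host, so leaving vmps fallback unset (or pointing it at a quarantine VLAN) is the stricter choice, and the port policy is what stops a known MAC from being presented on a port where that VLAN was never meant to appear.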
Configuring the VMPS Server
When you enable VMPS on the VMPS server, the switch downloads the VMPS database from the TFTP or rcp server and begins accepting VMPS requests. You can set one primary and up to two backup VMPS servers. The primary VMPS server and backup VMPS servers do not communicate with each other about the VMPS database.
This example shows how to specify the primary VMPS server and two backup VMPS servers, and verify the VMPS server specification:
Console> (enable) set vmps server 192.0.0.1 primary
192.0.0.1 added to VMPS table as primary domain server.
Console>...
Monitoring VMPS
To display information about MAC address-to-VLAN mappings, perform one of these tasks in privileged mode:
Show the VLAN to which a MAC address is mapped in the database: show vmps mac [mac_address]
To download the VMPS database manually and refresh the existing VMPS database, perform this task in privileged mode. If you are updating the VMPS database, you need to download the VMPS database to the primary and backup VMPS servers.
Troubleshooting VMPS
Table 12-2 shows the VMPS error messages that you might see when you enter the set vmps state enable or the download vmps command.
Table 12-2 VMPS Error Messages
VMPS Error Message: Recommended Action
Specify the TFTP server address using the set vmps tftpserver...
• Switch 3 and Switch 10 are secondary VMPS servers.
• End stations are connected to these clients:
– Switch 2
– Switch 9
• The database configuration file is called Bldg-G.db and is stored on a TFTP server with IP address...
To configure VMPS and dynamic ports, follow these steps:
Step 1 Configure Switch 1 as the primary VMPS server. Configure the IP address of the TFTP server on which the ASCII file resides:
Console>...
Dynamic Port VLAN Membership with Auxiliary VLANs
This section describes how to configure a dynamic port to belong to two VLANs—a native VLAN and an auxiliary VLAN. This section uses the following terminology: •...
Console> (enable) set port auxiliaryvlan 5/9 untagged
Port 2/48 allows the connected device send and receive untagged packets and without 802.1p priority.
Console> (enable)
This example shows how to specify port 5/9 as a dynamic port:
Console>...
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX 12-16 78-15908-01
Chapter 13 Configuring GVRP
This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Default GVRP Configuration
Table 13-1 shows the default GVRP configuration.
Table 13-1 GVRP Default Configuration
Feature: Default Value
GVRP global enable state: Disabled
GVRP per-trunk enable state: Disabled on all ports
GVRP dynamic creation of VLANs: Disabled
GVRP registration mode: normal, with VLAN 1 set to fixed, for all ports
GVRP applicant state...
To enable GVRP globally on the switch, perform this task in privileged mode:
Step 1 Enable GVRP on the switch: set gvrp enable
Step 2 Verify the configuration: show gvrp configuration
This example shows how to enable GVRP and verify the configuration:
Console>...
This example shows how to enable GVRP on 802.1Q-capable port 1/1:
Console> (enable) set port gvrp enable 1/1
GVRP enabled on 1/1.
Console> (enable)
Enabling GVRP Dynamic VLAN Creation
You can enable GVRP dynamic VLAN creation only if these conditions are met: •...
To configure GVRP normal registration on an 802.1Q trunk port, perform this task in privileged mode:
Step 1 Configure normal registration on an 802.1Q trunk port: set gvrp registration normal mod_num/port_num
Step 2 Verify the configuration.
Sending GVRP VLAN Declarations from Blocking Ports
To prevent undesirable Spanning Tree Protocol (STP) topology reconfiguration on a port that is connected to a device that does not support per-VLAN STP, configure the GVRP active applicant state on the port.
Caution Set the same GARP timer values on all Layer 2-connected devices. If the GARP timers are set differently on Layer 2-connected devices, GARP applications (for example, GMRP and GVRP) do not operate successfully.
Clearing GVRP Statistics
To clear all GVRP statistics on the switch, perform this task in privileged mode:
Clear GVRP statistics: clear gvrp statistics {mod_num/port_num | all}
This example shows how to clear all GVRP statistics on the switch:
Console>...
C H A P T E R Configuring QoS This chapter describes how to configure quality of service (QoS) on Catalyst enterprise LAN switches. For complete syntax and usage information for the commands that are used in this chapter, refer to the Note Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 14 Configuring QoS Understanding How QoS Works QoS implements scheduling on supported egress ports with transmit queue drop thresholds and multiple transmit queues that use the 802.1p CoS values to give preference to higher-priority traffic. Figure 14-1 shows how QoS affects the traffic flow. Figure 14-1 Traffic Flow Through the Switch with QoS Enabled—Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Apply...
Chapter 14 Configuring QoS Understanding How QoS Works • Marking is the application of QoS labels to traffic. • Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values. • Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for traffic with high-priority CoS values.
Chapter 14 Configuring QoS Software Requirements Software Requirements QoS requires supervisor engine software release 5.2 or later releases. Use the show port capabilities command to determine the specific QoS support for a module. QoS Default Configuration Table 14-1 shows the QoS default configuration. Table 14-1 QoS Default Configuration Feature Default Value...
Chapter 14 Configuring QoS Configuring QoS on the Switch Enabling QoS Globally To enable QoS globally on the switch, perform this task in privileged mode: Task Command Enable QoS globally. set qos enable This example shows how to enable QoS globally: Console>...
Chapter 14 Configuring QoS Configuring QoS on the Switch Mapping CoS Values to Transmit Queues and Drop Thresholds Enter the set qos map command to associate CoS values to transmit queue drop thresholds. The port_type is hardware dependent. Enter the show port capabilities command to determine the port_type for your hardware.
Chapter 14 Configuring QoS Configuring QoS on the Switch Displaying QoS Information To display QoS information, perform this task: Task Command Display QoS information. show qos info [runtime | config] This example shows how to display the current QoS configuration information for the switch: Console>...
Chapter 14 Configuring QoS Configuring QoS on the Switch This example shows how to disable QoS: Console> (enable) set qos disable QoS is disabled. Console> (enable)
For more information on IP multicast and IGMP, refer to RFC 1112. GMRP is described in IEEE 802.1p. Note CGMP and IGMP software components run on the Cisco router and the switch. A CGMP/IGMP-capable IP multicast router sees all IGMP packets and can inform the switch when specific hosts join or leave IP multicast groups.
Chapter 15 Configuring Multicast Services Understanding How Multicasting Works When the CGMP/IGMP-capable router receives an IGMP control packet, it creates a CGMP or IGMP packet that contains the request type (either join or leave), the multicast group address, and the MAC address of the host.
Layer 3 protocol (such as IP, IPX, and so forth). GMRP software components run on both the switch and on the host (Cisco is not a source for GMRP host software). On the host, GMRP is typically used with IGMP. The host GMRP software generates Layer 2 GMRP versions of the host’s Layer 3 IGMP control packets.
Chapter 15 Configuring Multicast Services Configuring CGMP Configuring CGMP The following sections describe how to configure CGMP. CGMP Hardware and Software Requirements CGMP requires these hardware and software versions: • Software release 2.2 or later releases • Router running CGMP. Default CGMP Configuration Table 15-1 shows the default CGMP configuration.
Chapter 15 Configuring Multicast Services Configuring CGMP Displaying Multicast Router Information When you enable CGMP, the switch automatically learns to which ports a multicast router is connected. To display dynamically learned multicast router information, perform one of these tasks in privileged mode: •...
Chapter 15 Configuring Multicast Services Configuring CGMP Task and Command: Display the total number of multicast addresses (groups) in each VLAN: show multicast group count [vlan_id]. Display the total number of multicast addresses (groups) in each VLAN that were learned dynamically through CGMP: show multicast group count cgmp [vlan_id].
Chapter 15 Configuring Multicast Services Configuring CGMP Disabling CGMP Leave Processing To disable CGMP leave processing on the switch, perform this task in privileged mode: Task Command Disable CGMP leave processing. set cgmp leave disable This example shows how to disable CGMP leave processing on the switch: Console>...
Chapter 15 Configuring Multicast Services Configuring GMRP Port based GMRP Configuration: Port GMRP Status Registration ForwardAll -------------------------------------------- ----------- ------------ ---------- 1/1-2,3/1,6/1-48 Enabled Normal Disabled Console> (enable) Enabling GMRP on Individual Switch Ports Note You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally. However, GMRP will not function until you enable it globally.
Chapter 15 Configuring Multicast Services Configuring GMRP This example shows how to disable GMRP on ports 6/10–14 and verify the configuration: Console> (enable) set port gmrp disable 6/10-14 GMRP disabled on ports 6/10-14. Console> (enable) show gmrp configuration Global GMRP Configuration: GMRP Feature is currently enabled on this switch.
Chapter 15 Configuring Multicast Services Configuring GMRP Configuring GMRP Registration The following sections describe how to configure GMRP registration modes on switch ports. Setting Normal Registration Mode Configuring a port in normal registration mode allows dynamic GMRP multicast registration and deregistration on the port.
Chapter 15 Configuring Multicast Services Configuring GMRP ----------- ------------ ---------- -------------------------------------------- Enabled Normal Disabled 1/1-4 2/1-9,2/11-48 3/1-24 Enabled Fixed Disabled 2/10 Console> (enable) Setting Forbidden Registration Mode Configuring a port in forbidden registration mode deregisters all GMRP multicasts and prevents any further GMRP multicast registration on the port.
Chapter 15 Configuring Multicast Services Configuring GMRP When you set the timer values, the value for leave must be equal to or greater than three times the join value (leave >= join * 3). The value for leaveall must be greater than the value for leave (leaveall >...
Chapter 15 Configuring Multicast Services Configuring Multicast Router Ports and Group Entries Specifying Multicast Router Ports When you enable CGMP or GMRP, the switch automatically learns to which ports a multicast router is connected. However, you can manually specify multicast router ports. To specify multicast router ports manually, perform this task in privileged mode: Task Command...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic If a port is set to deny, matched IPs are dropped; all others are forwarded. If the filtering action causes an IGMP packet to be dropped, the switch port requesting the stream of IP multicast traffic cannot receive IP multicast traffic for that group.
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic IGMP Multicast Filter Activation IGMP multicast filters associate with each physical switch port. The following sections show configurations for controlling IGMP multicast filter activation/deactivation on the switch. Enabling and Verifying IGMP Multicast Filtering To enable IGMP traffic filtering on the switch, perform this task in privileged mode: Task Command...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic Configuring Port IP Multicast Filtering IP multicast group profiles consist of one or more ranges of IP multicast addresses that are associated with a filtering and monitoring action and are configured on a per-switch-port basis. Given a particular profile that is associated with a switch port, you can configure the filter action as follows: If the filter action is to permit, the matching IGMP packet is forwarded for normal processing.
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic This example shows how to verify the status of an IGMP multicast filter profile to accept IP addresses: Console> (enable) show igmp filter profile 1 match-action igmp filter match action is permit Console>...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic Listing or Removing All IGMP Multicast Filters To list, remove, and verify all IGMP multicast filter profiles, perform this task in privileged mode: Task Command Step 1 Display all IGMP multicast filter profiles. show igmp filter all Step 2 Remove all IGMP multicast filter profiles.
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic This example shows how to display the association of IGMP multicast filter profiles for all ports: Console> (enable) show igmp filter map all Port Profile ---- ------- 2/10 2/11 2/12 2/13 2/14 2/15 2/16 2/46...
C H A P T E R Configuring Port Security This chapter describes how to configure port security on the Catalyst enterprise LAN switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 16 Configuring Port Security Understanding How Port Security Works After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or have the port dynamically configure the MAC address of the connected devices.
Chapter 16 Configuring Port Security Port Security Configuration Guidelines Blocking Unicast Flood Packets on Secure Ports You can block unicast flood packets on a secure Ethernet port by disabling the unicast flood feature. If you disable unicast flood on a port, the port will drop unicast flood packets when the port reaches the allowed maximum number of MAC addresses.
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to enable port security using the learned MAC address on a port: Console> (enable) set port security 2/1 enable Port 2/1 port security enabled with the learned mac address. Trunking disabled for Port 2/1 due to Security Mode This example shows how to verify the port security: Console>...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to set the number of MAC addresses to be secured: Console> (enable) set port security 4/7 maximum 20 Maximum number of secure addresses set to 20 for port 4/7. Console>...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example removes one MAC address from the secure address list on port 4/7: Console> (enable) clear port security 4/7 00-11-22-33-44-55 00-11-22-33-44-55 cleared from secure address list for port 4/7 Console>...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch Enabling MAC Address Notification Enabling MAC address notification allows you to monitor MAC addresses at the module and port level that were added by the switch or removed from the CAM table. A new MAC address is added when either of the following occurs: •...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch To set the SNMP trap MAC address notification, perform this task in privileged mode: Task Command Set the SNMP traps on the system. set snmp trap enable macnotification This example shows how to enable MAC address notification globally, enable notification of added and removed MAC addresses, and set the interval time between notifications: Console>...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to set the port to drop all packets that are coming in on the port from insecure hosts: Console> (enable) set port security 4/7 violation restrict Port security violation on port 4/7 will cause insecure packets to be dropped.
Chapter 16 Configuring Port Security Monitoring Port Security This example shows how to disable security on a port: Console> (enable) set port security 2/1 disable Port 2/1 port security disabled. Console> (enable) show port security 2/1 Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex ----- -------- --------- ------------- -------- -------- -------- ------- 3/24 disabled...
Chapter 16 Configuring Port Security Monitoring Port Security • Total number of secure MAC addresses • Age and shutdown timeout • Shutdown and security mode • Statistics data related to port security To display port security configuration information and statistics, perform this task in privileged mode: Task Command Step 1...
Chapter 16 Configuring Port Security Monitoring Port Security This example shows how to display port security statistics on the system: Console> (enable) show port security statistics system Module 1: Total ports: 2 Total MAC address(es): 2 Total global address space used (out of 1024): 0 Status: installed Module 3: Module does not support port security feature...
C H A P T E R Configuring Unicast Flood Blocking This chapter describes how to configure unicast flood blocking on the Catalyst enterprise LAN switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 17 Configuring Unicast Flood Blocking Configuration Guidelines for Unicast Flood Blocking Configuration Guidelines for Unicast Flood Blocking This section lists the guidelines for configuring unicast flood blocking: • Only Ethernet ports can block unicast flood traffic. • If the Ethernet port is part of an IPX network, you must manually enter a static CAM entry in the ...
Chapter 17 Configuring Unicast Flood Blocking Configuring Unicast Flood Blocking on the Switch This example shows how to disable unicast flood packets on a port: Console> (enable) set port unicast-flood 4/1 disable WARNING: Trunking & Channelling will be disabled on the port. Unicast Flooding is successfully disabled on the port 4/1.
C H A P T E R Configuring the IP Permit List This chapter describes how to configure the IP permit list on the Catalyst enterprise LAN switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 18 Configuring the IP Permit List IP Permit List Default Configuration You can specify the same IP address in more than one entry in the permit list if the masks are different. The mask is applied to the address before it is stored in NVRAM, so that entries that have the same effect (but different addresses) are not stored.
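The masking and de-duplication rule just described, as an added Python model of the permit list (this is illustrative code, not Cisco's; the `IpPermitList` class, its method names, the per-service enable behaviour and the denied-access counter are assumptions for illustration):

```python
import ipaddress
from collections import Counter

# Services the permit list can restrict (from the set ip permit syntax on this page).
SERVICES = ("telnet", "ssh", "snmp")


def normalize_entry(ip: str, mask: str) -> tuple[int, int]:
    """Apply the subnet mask to the address before storing it, as the switch does
    before writing the entry to NVRAM. Returns (masked address, mask) as integers."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    return (addr & m, m)


class IpPermitList:
    """Constructed model (assumption): (masked address, mask) -> permitted services."""

    def __init__(self) -> None:
        self.entries: dict[tuple[int, int], set[str]] = {}
        self.enabled: set[str] = set()   # services for which the list is enforced
        self.denied: Counter = Counter()  # (source ip, service) -> denied attempts

    def enable(self, *services: str) -> None:
        """Model of 'set ip permit enable [ssh | snmp | telnet]'; no argument = all."""
        self.enabled.update(services or SERVICES)

    def add(self, ip: str, mask: str = "255.255.255.255", *services: str) -> bool:
        """Model of 'set ip permit ip_address [mask] [service]'.
        Returns True if a new entry was stored, False if an entry with the same
        effect already existed (same masked address and same mask)."""
        key = normalize_entry(ip, mask)
        is_new = key not in self.entries
        self.entries.setdefault(key, set()).update(services or SERVICES)
        return is_new

    def is_permitted(self, src_ip: str, service: str) -> bool:
        """Longest-match is not needed: any entry covering the source for this
        service permits it. Denied attempts are counted, mirroring the
        'Denied IP Address' table the switch displays."""
        if service not in self.enabled:
            return True  # assumption: a disabled list does not restrict that service
        src = int(ipaddress.IPv4Address(src_ip))
        for (net, m), svcs in self.entries.items():
            if service in svcs and (src & m) == net:
                return True
        self.denied[(src_ip, service)] += 1
        return False

    def show(self) -> list[str]:
        """Render stored entries in the 'address mask services' form of show ip permit."""
        lines = []
        for (net, m), svcs in sorted(self.entries.items()):
            lines.append(
                f"{ipaddress.IPv4Address(net)} {ipaddress.IPv4Address(m)} "
                f"{' '.join(sorted(svcs))}"
            )
        return lines


if __name__ == "__main__":
    pl = IpPermitList()
    pl.enable()
    pl.add("172.20.0.0", "255.255.0.0", "snmp")
    pl.add("172.20.52.5", "255.255.255.224")
    # Same effect as the previous entry once masked, so it is not stored again.
    print(pl.add("172.20.52.9", "255.255.255.224"))
    # Same host address with a different mask is a distinct entry.
    print(pl.add("172.20.52.3"))
    for line in pl.show():
        print(line)
```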
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch 172.20.0.0 255.255.0.0 snmp 172.20.52.0 255.255.255.224 172.20.52.3 telnet ssh snm Denied IP Address Last Accessed Time Type Telnet Count SNMP Count ----------------- ------------------ ------ ------------ ---------- 172.100.101.104 01/20/97,07:45:20 SNMP...
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch 172.100.101.104 01/20/97,07:45:20 SNMP 1430 172.187.206.222 01/21/97,14:23:05 Telnet Console> (enable) show snmp RMON: Disabled Extended RMON Netflow: Disabled Traps Enabled: ippermit Port Traps Enabled: None Community-Access Community-String ---------------- --------------------...
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch To clear an IP permit list entry, perform this task in privileged mode: Task Command Step 1 Disable the IP permit list. set ip permit disable [ssh | snmp | telnet] Step 2 Specify the IP address to remove from the IP clear ip permit {ip_address [mask] | all} [ssh |...
Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group. Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by protocol filtering. Dynamic VLAN ports and ports that have port security enabled are members of all protocol groups.
Chapter 19 Configuring Protocol Filtering Default Protocol Filtering Configuration For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a switch port that is configured as auto for IPX, and the host is transmitting only IP traffic, the port to which the host is connected will not forward any IPX flood traffic to the host.
Chapter 19 Configuring Protocol Filtering Configuring Protocol Filtering on the Switch This example shows how to enable protocol filtering, set the protocol membership of ports, and verify the configuration: Console> (enable) set protocolfilter enable Protocol filtering enabled on this switch. Console>...
C H A P T E R Checking Status and Connectivity This chapter describes how to check switch status and connectivity on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 20 Checking Status and Connectivity Checking Port Status This example shows how to check module status on a Catalyst 2948G switch: Console> (enable) show module Mod Slot Ports Module-Type Model Status --- ---- ----- ------------------------- ------------------- -------- Switching Supervisor WS-X2948 10/100/1000 Ethernet WS-X2948G...
Chapter 20 Checking Status and Connectivity Checking Port Status disabled disabled 15 disabled disabled 16 disabled disabled 17 disabled disabled 18 disabled disabled 19 disabled disabled 20 Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported admin oper admin oper opcodes ----- -------- -------- -------- --------...
Chapter 20 Checking Status and Connectivity Displaying the Port MAC Address disabled shutdown 1 disabled Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left ----- -------- ----------------- -------- ----------------- ------------------ Port Status Channel Admin Ch Mode Group Id ----- ---------- -------------------- ----- ----- inactive auto silent Port...
Chapter 20 Checking Status and Connectivity Displaying Port Capabilities Displaying Port Capabilities You can display the capabilities of any port in a switch using the show port capabilities command. This example shows you how to display the port capabilities for ports on module 2: Console>...
Chapter 20 Checking Status and Connectivity Using Telnet Flow control Security Membership static,dynamic Fast start QOS scheduling rx-(none),tx-(2q1t) CoS rewrite ToS rewrite Rewrite UDLD Inline power AuxiliaryVlan 1..1000,untagged,none SPAN source,destination Console> (enable) Using Telnet You can access the switch CLI using Telnet. In addition, you can use Telnet from the switch to access other devices in the network.
Chapter 20 Checking Status and Connectivity Using Secure Shell Encryption for Telnet Sessions This example shows how to set the logout timer value to 10 minutes: Console> (enable) set logout 10 Sessions will be automatically logged out after 10 minutes of idle time. Console>...
Chapter 20 Checking Status and Connectivity Monitoring User Sessions Monitoring User Sessions You can display the currently active user sessions on the switch using the show users command. The command output displays all active console port and Telnet sessions on the switch. To display the active user sessions on the switch, perform this task in privileged mode: Task Command...
Chapter 20 Checking Status and Connectivity Using Ping Executing Ping To ping another device on the network from the switch, perform one of these tasks in normal EXEC mode or privileged EXEC mode: Task Command Ping a remote host. ping host Ping a remote host using ping options.
This section lists the guidelines for the Layer 2 traceroute: • Layer 2 traceroute works for unicast traffic only. • You must enable Cisco Discovery Protocol (CDP) on all of the Catalyst 4500 series, Catalyst 5000 family, and Catalyst 6500 series switches in the network. (See Chapter 21, “Configuring CDP,”...
Chapter 20 Checking Status and Connectivity Using IP Traceroute This example shows the source and destination MAC addresses specified, with no VLAN specified but with the detail keyword specified. For each Catalyst 4500 series, 5000 family, and 6500 series switch found in the path, the output shows the device type, device name, device IP address, in port name, in port speed, in port duplex mode, out port name, out port speed, and out port duplex mode.
Chapter 20 Checking Status and Connectivity Using IP Traceroute Executing IP Traceroute To trace the path that packets take through the network, perform this task in privileged mode: Execute IP traceroute to trace the path that packets take through the network: traceroute [-n] [-w wait_time] [-i initial_ttl] [-m ...
CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices that are directly attached to the switch. In addition, CDP detects native VLAN and port duplex mismatches.
Chapter 21 Configuring CDP Configuring CDP on the Switch Table 21-1 CDP Default Configuration Feature Default Value CDP global enable state Enabled CDP port enable state Enabled on all ports CDP message interval 60 sec CDP holdtime 180 sec Configuring CDP on the Switch The following sections describe how to configure CDP.
Chapter 21 Configuring CDP Configuring CDP on the Switch To set the CDP enable state on a per-port basis, perform this task in privileged mode: Task Command Step 1 Set the CDP enable state on individual ports. set cdp {enable | disable} [mod_num/port_num] Step 2 Verify the CDP configuration.
Configuring CDP on the Switch Setting the CDP Message Interval The CDP message interval specifies how often the switch will transmit CDP messages to directly connected Cisco devices. To set the default CDP message interval, perform this task in privileged mode: Task...
Configuring CDP Configuring CDP on the Switch Displaying CDP Neighbor Information To display information about directly connected Cisco devices, enter the show cdp neighbors command. To display specific information, use the following keywords: • To display the native VLAN for the connected ports, enter the vlan keyword.
Chapter 21 Configuring CDP Configuring CDP on the Switch Platform: WS-C2948 Port-ID (Port on Neighbors's Device): 2/2 VTP Management Domain: Lab_Network Native VLAN: 522 Duplex: full Console> (enable)
C H A P T E R Using Switch TopN Reports This chapter describes how to use the Switch TopN Reports utility on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports Running and Viewing Switch TopN Reports To run a Switch TopN Report in the background and view the results, perform this task in privileged mode: Task Command Step 1 Run the Switch TopN Reports utility in the show top [N] [metric] [interval interval] background.
Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports This example shows how to remove a specific Switch TopN report and how to remove all stored reports: Console> (enable) clear top 4 Console> (enable) 06/16/1998,17:36:45:MGMT-5:TopN report 4 killed by Console//. Console>...
C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 23 Configuring UDLD UDLD Software and Hardware Requirements The switch periodically transmits UDLD messages (packets) to neighbor devices on ports with UDLD enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Table 23-1 UDLD Default Configuration Feature Default Value UDLD global enable state Globally disabled UDLD per-port enable state • Enabled on all Ethernet, Fast Ethernet, and Gigabit Ethernet ports using fiber-optic media •...
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Enabling UDLD on Individual Ports To enable UDLD on individual ports, perform this task in privileged mode: Task Command Step 1 Enable UDLD on a specific port. set udld enable mod_num/port_num Step 2 Verify the configuration.
Software release 5.4(3) and later releases support UDLD aggressive mode. UDLD aggressive mode is disabled by default and its use is recommended only for point-to-point links between Cisco switches running software release 5.4(3) or later releases. With aggressive mode enabled, when a port on a bidirectional link stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor.
Chapter 23 Configuring UDLD Configuring UDLD on the Switch This example shows how to verify that UDLD aggressive mode is enabled: Console> (enable) show udld port 4/1 UDLD : enabled Message Interval: 10 seconds Port Admin Status Aggressive Mode Link State -------- ------------ --------------- ---------...
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Table 23-2 show udld Command Output Fields (continued) Field Description Port Module and port numbers. Admin Status Status of whether administration status is enabled or disabled. Aggressive Mode Status of whether aggressive mode is enabled or disabled. Link State Status of the link: undetermined (a detection is in progress and a neighboring UDLD has been disabled), not applicable (UDLD has been disabled), shutdown...
C H A P T E R Configuring SNMP This chapter describes how to configure Simple Network Management Protocol (SNMP) on Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 24 Configuring SNMP SNMP Terminology Table 24-1 SNMP Terminology (Term: Definition) authentication: The process of ensuring message integrity and protection against message replays, including data integrity and data origin authentication. authoritative SNMP engine: One of the SNMP copies used in network communication is designated as the allowed SNMP engine that protects against message replay, delay, and redirection.
Chapter 24 Configuring SNMP Understanding How SNMP Works Table 24-1 SNMP Terminology (continued) (Term: Definition) SNMP Version 2c (SNMPv2c): This second version of SNMP supports centralized and distributed network management strategies and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security. SNMP engine: A copy of SNMP that can reside on the local or remote device.
Chapter 24 Configuring SNMP Understanding How SNMP Works Security Models and Levels A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level will determine which security mechanism is employed when handling an SNMP packet.
Chapter 24 Configuring SNMP Understanding How SNMPv1 and SNMPv2c Work Understanding How SNMPv1 and SNMPv2c Work The components of SNMPv1 and SNMPv2c network management fall into three categories: • Managed devices (such as a switch) • SNMP agents and MIBs, including Remote Monitoring (RMON) MIBs, which run on managed ...
Chapter 24 Configuring SNMP Understanding SNMPv3 Note For information about MIBs, refer to this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. SNMPv1 and SNMPv2c Default Configuration Table 24-3 describes the SNMP default configuration. Table 24-3 SNMP Default Configuration Feature Default Setting SNMP community strings •...
Chapter 24 Configuring SNMP Understanding SNMPv3 • Security Subsystem • Access Control Subsystem Figure 24-1 SNMP Entity for Traditional SNMP Agents (figure; labeled elements: Other SNMP Entity, SNMP Engine, Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem, Transport Mapping, v1MP, User-based security model, View-based access control model)
Chapter 24 Configuring SNMP Understanding SNMPv3 Subsystem may support a single message format corresponding to a single version of SNMP (SNMPv1, SNMPv2c, SNMPv3), or it may contain a number of modules, each supporting a different version of SNMP. Security Subsystem The Security Subsystem authenticates and encrypts messages.
By default, the separate CWI software image is not present in Flash memory. You must install it separately with the CV image. For more information on the CWI, CiscoView, and installing the images on your switch, refer to this URL: http://www.cisco.com/en/US/partner/products/hw/switches/ps663/products_tech_note09186a0080094156.shtml Configuring SNMPv1 and SNMPv2c from the CLI Note: This section provides basic SNMPv1 and SNMPv2c configuration information.
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI Setting Multiple SNMP Community Strings You can set multiple SNMP community strings by entering the community-ext keyword. Community strings that are defined with the community-ext keyword cannot be duplicates of existing community strings.
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI private1 read-write 1.3.6 secret1 read-write-all 500 1.3.6.1.4.1.9.9 Trap-Rec-Address Trap-Rec-Community Trap-Rec-Port Trap-Rec-Owner Trap-Rec-Index ---------------- ------------------ ------------- -------------- -------------- Console> (enable) Clearing SNMP Community Strings You can clear community strings by entering the clear snmp community-ext command. When you use this command to clear a community string, corresponding entries in the vacmAccessTable and vacmSecurityToGroup tables are also removed.
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI This example shows how to display the SNMP configuration: Console> (enable) show snmp access-list Access-Number IP-Addresses/IP-Mask ------------- ------------------------- 172.20.60.100/255.0.0.0 1.1.1.1/- 172.20.60.7/- 2.2.2.2/- 2.2.2.2/155.0.0.0 1.1.1.1/2.1.2.4 2.2.2.2/- 2.2.2.5/- Console> (enable) Clearing IP Addresses Associated with Access Numbers To clear IP addresses that are associated with access numbers from the CLI, perform this task in privileged mode: Task...
Console> (enable) show snmp ifalias 1
ifIndex ifName ifAlias
---------- -------------------- ---------------------------------
Inband port
Console> (enable)
Configuring SNMPv3 from the CLI
Note This section provides very basic SNMPv3 configuration information. For detailed information on the SNMP commands that are supported by the Catalyst enterprise LAN switches, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command...
Task Command
Step 10 Configure the community table for name mappings between different community strings and security models with full permissions. | set snmp community index {index_name} name [community_string] security {security_name} context {context_name} transporttag {tag_value} [volatile |...
These examples show how to set guestuser1 and guestuser2 as members of the groups guestgroup and mygroup:
Console> (enable) set snmp group guestgroup user guestuser1 security-model v3
Snmp group was set to guestgroup user guestuser1 and version v3, nonvolatile.
Console>...
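The SNMPv3 users and groups configured above are authenticated with keys derived from their passwords by the User-based Security Model (RFC 3414), not with the passwords themselves. The following Python code, which is an added illustration rather than part of this guide or of the switch software, implements that derivation: the password is hashed over one megabyte of repetition, localized with the authoritative engine ID, and the resulting key drives an HMAC whose first 12 bytes become msgAuthenticationParameters. The RFC's own test vector (password maplesyrup, engine ID 000000000000000000000002) is used as sample input; the message bytes in the test are constructed.

```python
"""SNMPv3 USM: password -> Ku -> localized key Kul -> HMAC-96 authentication parameter."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 feeds exactly this many bytes of repeated password into the hash


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Step 1: expand the password to 1 MiB by repetition and hash it (deliberately slow)."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku); the same password yields a different key per engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def auth_parameters(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 bytes of the HMAC over the whole message
    (the caller passes the message with msgAuthenticationParameters zeroed)."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def verify_auth(kul: bytes, whole_msg_zeroed: bytes, received: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison so a receiver does not leak how many bytes matched."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg_zeroed, algo), received)


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 appendix A test engine ID
    print(usm_localized_key(b"maplesyrup", engine).hex())
```

Two practical points follow from the code: the engine ID is public (it is sent in the clear in every SNMPv3 message), so a captured authenticated message can be attacked offline by dictionary against the password, and localization means a key recovered from one switch does not directly authenticate to another, but the password it came from does.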
Using CiscoWorks2000 CiscoWorks2000 is a family of web-based and management platform-independent products for managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot a switched internetwork. For more information, refer to the following publications: •...
C H A P T E R Configuring RMON
This chapter describes how to configure RMON on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Enabling RMON
The embedded RMON agent allows the switch to monitor network traffic from all ports simultaneously at the data-link layer of the OSI model without requiring a dedicated monitoring probe or network analyzer.
Note RMON is disabled by default.
Supported RMON and RMON2 MIB Objects
Table 25-1 lists the RMON and RMON2 MIB objects that are supported by the supervisor engine software.
Table 25-1 Supervisor Engine RMON and RMON2 Support
Module | Object Identifier (OID) | Definition...
C H A P T E R Configuring SPAN and RSPAN
This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Understanding How SPAN and RSPAN Work
After the system is on, a SPAN or RSPAN destination session remains inactive until the destination port is operational. An RSPAN source session remains inactive until any of the source ports are operational or the RSPAN VLAN becomes active.
Reflector Port
The reflector port is the mechanism that you use to copy packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device that is connected to a port that is set as a reflector port loses connectivity until the RSPAN source session is disabled.
SPAN and RSPAN Session Limits
• Inactive VLANs are not allowed for VSPAN configuration.
• A VSPAN session is made inactive if any of the source VLANs become RSPAN VLANs.
Trunk VLAN Filtering
In software release 6.3(1) and later releases, you can enter the filter keyword to select a set of VLANs in a trunk that is used in a SPAN session.
Configuring SPAN
Figure 26-1 Example SPAN Configuration (port 5 traffic mirrored on port 10, with a SwitchProbe attached to the destination port)
For SPAN configuration, the source ports and the destination port must be on the same switch. SPAN does not affect the switching of network traffic on source ports;...
To configure SPAN, perform this task in privileged mode:
Task Command
Step 1 Configure a SPAN source and a SPAN destination port. | set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]
Step 2...
This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed. Enable incoming packets on a destination port only when the attached analyzer must also send traffic, because a device on that port can then inject frames into the network; otherwise leave inpkts disabled.
Console>...
• For destination or intermediate switches—Any Catalyst 4500 series or Catalyst 6500 series switch supervisor engine
You cannot place any third-party or other Cisco switches in the end-to-end path for RSPAN traffic.
Understanding How RSPAN Works
Note See the “Understanding How SPAN and RSPAN Work”...
Configuring RSPAN
RSPAN has all the features of SPAN (see the “Understanding How SPAN Works” section on page 26-4), plus support for source ports and destination ports that are distributed across multiple switches, allowing remote monitoring of multiple switches across your network. Every frame that is mirrored into the RSPAN VLAN is flooded over every trunk that carries that VLAN, so prune the RSPAN VLAN from trunks that are not on the path to the destination switch and never assign user ports to it; anyone with access to that VLAN can read the mirrored traffic.
• For RSPAN, trunking is required if you have a source switch with all source ports in one VLAN (VLAN 2, for example) and it is connected to the destination switch through an uplink port that is also in the same VLAN.
To configure RSPAN VLANs, perform this task in privileged mode:
Task Command
Step 1 Configure RSPAN VLANs. | set vlan vlan_num [rspan]
Step 2 Verify the RSPAN VLAN configuration. | show vlan
This example shows how to set VLAN 500 as an RSPAN VLAN:
Console>...
Reflector : Port 2/34
Rspan Vlan : 500
Admin Source : Port 2/3
Oper Source : Port 2/3
Direction : transmit/receive
Incoming Packets: -
Learning
Filter : 50,850
Status : active
Console> (enable) 2001 May 02 13:25:59 %SYS-5-SPAN_CFGSTATECHG:remote span source session active for remote span vlan 500
To configure RSPAN source VLANs, perform this task in privileged mode:
Task...
This example shows how to specify port 3/1 as the RSPAN destination port in VLAN 500:
Console> (enable) set rspan destination 3/1 500
Rspan Type : Destination
Destination : Port 3/1
Rspan Vlan : 500
Admin Source
Oper Source...
RSPAN Configuration Examples
The following sections provide examples that show how to configure RSPAN.
Configuring a Single RSPAN Session
This example shows how to configure a single RSPAN session. Figure 26-3 shows an RSPAN configuration;...
Table 26-2 Making Modifications to an Active RSPAN Session
Switch | Action | RSPAN CLI Commands
A (source) | Disable the RSPAN session. | set rspan disable source 901
B (source) | Remove source port 3/2 from the RSPAN session. | set rspan source 3/1, 3/3 901 reflector 3/4
B (source) | Add source port 3/2 to the RSPAN session. |
the access switches (other ports in any of the switches can also be configured for RSPAN). If there is no change in the route for SPAN traffic, the destination switch and the intermediate switches need to be configured only once.
Figure 26-6 Adding Multiple Probes to an RSPAN Session (source switches at the access layer, intermediate switches at the distribution layer, and a destination switch in the data center with probes 1, 2 and 3 attached; switches are labeled A through F)...
• Setting the System Clock, page 27-4
• Creating a Login Banner, page 27-4
• Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner, page 27-5
• Defining and Using Command Aliases, page 27-6
• Defining and Using IP Aliases, page 27-7
•...
Setting the System Name and System Prompt
If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt (a greater-than symbol [>] is appended). The prompt is updated whenever the system name changes, unless you have manually configured the prompt using the set prompt command.
This example shows how to set the system prompt for the switch:
Console> (enable) set prompt Catalyst4012>
Catalyst4012> (enable)
Clearing the System Name
To clear the system name, perform this task in privileged mode:
Task Command
Clear the system name....
disable 9600 0% Wed Apr 24 2002, 15:46:01
Power Capacity of the Chassis:2 supplies
WARNING:Power supplies of different values have been inserted
System Name System Location System Contact
------------------------ ------------------------ ------------------------
Sunnyvale CA sysadmin@corp.com 4006...
Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner
By default, the Cisco Systems Console Telnet login banner is enabled. Disabling it removes the vendor-identifying string that a Telnet banner grab would otherwise reveal to anyone who can reach the management address, which is a common hardening step.
To enable or disable the “Cisco Systems Console” Telnet login banner, perform this task in privileged mode:
Task Command...
This example shows how to display the login banner content:
Console> (enable) show banner
MOTD banner:
Welcome to the Catalyst 4012 Switch! Unauthorized access prohibited. Contact sysadmin@corp.com for access.
--- -------------------------------------- ------ ---------- -----------------
00-10-7b-f6-b2-1a to 00-10-7b-f6-b2-1f 0.2
Console> (enable) sp3
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
notconnect 1 normal full 1000 1000BaseSX...
Defining and Using IP Aliases
Console> (enable) set ip alias sparc 172.20.52.3
IP alias added.
Console> (enable) set ip alias cat4003 172.20.52.71
IP alias added.
This example shows what happens when you use the IP aliases with the ping command:
Console>...
Configuring Permanent and Static ARP Entries
This example shows how to display the ARP cache:
Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries
* 20.1.1.1 at 00-80-1c-93-80-40 on vlan 1
172.20.52.35 at 00-80-1c-93-80-40 on vlan 1
172.20.52.35 at 00-80-1c-93-80-40 on vlan 1
Console>...
Configuring Static Routes
In software releases prior to software release 5.1, the classful subnet mask is always used (you cannot specify the subnet mask for the destination network).
To configure a static route, perform this task in privileged mode:
Task Command
Step 1...
Scheduling a System Reset
To schedule a reset at a specific time, perform this task in privileged mode:
Task Command
Step 1 Schedule the reset time at a specific time. | reset [mindown] at {hh:mm} [mm/dd] [reason]
Step 2 Verify the scheduled reset....
This command is a combination of several show system status commands. (Refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference for these commands.) You can upload the report to a TFTP server and send it to the Cisco Technical Assistance Center (TAC). Review the report before you send it: it includes the switch configuration, and therefore values such as SNMP community strings, and TFTP transfers it without encryption.
C H A P T E R Power Management
This chapter describes the power management feature in the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Understanding How Power Management Works on the Catalyst 4500 Series Switches
Power Management Overview
Catalyst 4500 series switches support the following power supplies:
• Fixed wattage—These power supplies always deliver a fixed amount of inline and system power:
–...
Redundant Mode Guidelines
This section describes the guidelines for using redundant mode in the Catalyst 4500 series switches:
• By default, the power supplies in a Catalyst 4500 series switch are set to redundant mode.
•...
Available Power for Power Supplies
Table 28-1 lists the power that is provided by the power supplies for the Catalyst 4500 series switches.
Table 28-1 Available Power
Power Supply | Redundant Mode (W) | Combined Mode (W)
• Combined mode requires that you install two power supplies in your switch. If you have only one power supply, and you set the switch to combined mode, the switch places each module in reset mode.
Understanding How Power Management Works on the Catalyst 4006 Switch
These sections describe how to manage power for the Catalyst 4006 switch.
Note For information on power management for the Catalyst 4500 series switches, see the “Understanding How Power Management Works on the Catalyst 4500 Series Switches”...
If you choose to use the 1+1 redundancy mode, the type and number of modules that are supported are limited by the power that is available from a single power supply. To determine the power consumption for each module in your chassis, see the “Power Consumption for Modules”...
During the evaluation cycle, the modules are removed and reinserted. The switch reactivates only the modules that it is able to support with the limited power available and leaves the remaining modules in reset mode.
Power Consumption for Modules
Table 28-2 lists how much power is consumed by the components on the Catalyst 4500 series and the Catalyst 4006 switch.
Table 28-2 Power Consumption for Catalyst 4500 Series and 4000 Series Components
Module | Power Consumed During Operation (W) | Power Consumed in Reset Mode (W)...
Table 28-2 Power Consumption for Catalyst 4500 Series and 4000 Series Components (continued)
Module | Power Consumed During Operation (W) | Power Consumed in Reset Mode (W)
48-port 1000BASE-X Gigabit Ethernet WS-X4448-GB-LX...
Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch
If the bridge priority of the Catalyst 4006 switch has been lowered administratively and you use the same configuration in the new Catalyst 4500 series switch, then the switch remains the root switch and the spanning tree topology does not change.
Understanding How PoE Works
For example, the default allocated power is 7 W for a Cisco IP Phone requiring 6.3 W. The supervisor engine allocates 7 W for the Cisco IP Phone and powers it up. After the Cisco IP Phone is operational, it sends a CDP message with the actual power requirement to the supervisor engine. The supervisor engine then decreases the allocated power to the required amount if the port is set to Auto mode.
Caution When you plug a Cisco IP phone into a port and turn the power on, the supervisor engine waits 4 seconds for the link to go up on the line. During this time, if you unplug the phone cable and plug in a network device, you could damage the device.
Wall-power | Inline power | Network switching: If you insert a Cisco legacy powered device and remove it before it can boot, and then insert a network device within...
Configuring Power Management
This example shows how to set the power management mode to redundant:
Console> (enable) set power budget 1
Console> (enable) show environment power
Total Inline Power Available: 774.00 Watts (15.48 Amps @50V)
Total Inline Power Drawn From the System: 62.00 Watts ( 1.24 Amps @50V)
Remaining Inline Power in the System: 696.50 Watts (13.93 Amps @50V)
Configured Default Inline Power allocation per port: 15.400 Watts (0.30 Amps @50V)
Module Total Allocated Max H/W Supported Max H/W Supported...
Setting the DC Power Input
To set the DC power input for the 1400-W DC power supply, perform this task in privileged mode:
Task Command
Step 1 Set the input wattage for the 1400-W DC power supply. | set power dcinput
Step 2 Verify the configuration....
This example shows how to set the power budget to 1 (1+1 redundancy mode) and verify the power budget and current power usage for the switch:
Console> (enable) set power budget 1
Warning: Your power supply budget will be constrained to the power available from only one power supply....
System Name System Location System Contact
------------------------ ------------------------ ------------------------
Switch#
Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch
To migrate your supervisor engine from a Catalyst 4006 switch to a Catalyst 4503 or 4506 switch, perform this task:
Task Command...
Configuring PoE
Note If you configure max-wattage values that are multiples of 420 on a Catalyst 4500 series switch with the set port inlinepower mod/port {static | auto} max-wattage command, the power drawn from the global allocation is possibly slightly smaller than the power that is reported in the Total PWR Allocated to Module field of the show environment power command.
Total inline power drawn by module 6: 26.46 Watts ( 0.63 Amps @42V)
Port InlinePowered (Admin / Oper / Detected) PowerAllocated (mWatt / mA @42V) Device IEEE class DiscoverMode
----- ------ ------ -------- ----- -------- ---------- ---------- ------------
static on 5040 Cisco None cisco
Port Maximum Power (mWatt / mA @42V) Actual Consumption (mWatt...) absentCounter OverCurrent
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Hardware and Software Requirements
The hardware and software requirements for the Catalyst 4500 series switches and Cisco CallManager are as follows:
• Catalyst 4006, Catalyst 4500 series, Catalyst 5000 family, and Catalyst 6500 series switches running supervisor engine software release 6.1(1) or later releases...
Overview of IP Phones
Catalyst 4000 series and 4500 series switches can connect to a Cisco IP Phone and carry IP voice traffic. If necessary, the switch can supply electrical power to the circuit connecting it to a Cisco IP Phone.
The Catalyst 4500 series switch can sense if it is connected to a Cisco IP Phone. The Catalyst 4006 or Catalyst 4500 series switch can supply inline power to a Cisco IP Phone if there is no power on the circuit. You can connect a Cisco IP Phone to an AC power source, in which case the phone provides the power to the voice circuit.
C H A P T E R Configuring Switch Access Using AAA
This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Understanding How Authentication Works
• Local user authentication
• TACACS+ authentication
• RADIUS authentication
• Kerberos authentication
Kerberos authentication does not work if TACACS+ is used as the authentication method.
Note When local authentication is enabled together with one or more other authentication methods, local authentication is always attempted last. The local password therefore remains a valid credential for anyone who reaches that fallback, so keep it as strong as a server-side password, or disable local login authentication once the servers are proven to work (see “Disabling Local Authentication”).
Understanding How Local User Authentication Works
Local user authentication uses local user accounts and passwords that you create to validate the login attempts of local users. Each switch can have a maximum of 25 local user accounts. Before you can enable local user authentication, you must define at least one local user account.
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to obfuscate the body of every TACACS+ packet; the 12-byte header is always sent in the clear, and a packet sent without a key carries its body in the clear as well, so always configure a key.
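What the key actually does on the wire is easiest to see in code. The following Python example, added here and not part of this guide or of the switch software, builds a TACACS+ authentication START packet the way RFC 8907 defines it, obfuscates the body with the MD5 pseudo-pad that is derived from the session ID, key, version and sequence number, and recovers it again; the username admin, port tty0, address 10.0.0.5, session ID deadbeef and key s3cret are constructed sample values.

```python
"""TACACS+ (RFC 8907) body obfuscation: header in the clear, body XORed with an MD5 pseudo-pad."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set when no key is configured: body travels in the clear
HEADER = "!BBBB4sI"                # version, type, seq_no, flags, session_id, body length (12 bytes)


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(..., pad_n-1); concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: bytes, seq_no: int,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR with the pad; calling it again with the same parameters restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    then the user, port, rem_addr and data lengths followed by the strings themselves."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body: bytes, key: bytes, session_id: bytes, seq_no: int = 1) -> bytes:
    """Client side: obfuscate only when a key exists, otherwise set the unencrypted flag."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, key, session_id, seq_no) if key else body
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + payload


def recover_body(packet: bytes, key: bytes) -> bytes:
    """Server (or eavesdropper) side: the header is always readable; the body only with the key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, key, session_id, seq_no, version)


if __name__ == "__main__":
    sid = bytes.fromhex("deadbeef")                               # constructed session ID
    body = authen_start_body(b"admin", b"tty0", b"10.0.0.5")      # constructed sample values
    print(build_packet(body, b"s3cret", sid).hex())
```

Note what this construction is: a keystream derived from MD5 of a shared secret, with no integrity check. It keeps casual sniffers out, but an attacker who can guess the key, or who already knows some plaintext, can recover or alter bodies, which is why the key must be long and random and why the TACACS+ path belongs on a management network rather than the user data plane.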
RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.
Table 30-1 Kerberos Terminology (continued)
Term | Definition
SRVTAB | A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.
Figure 30-1 Kerberized Telnet Connection (host running the Telnet client, Kerberos server containing the KDC, and the Catalyst 4500 switch)
Using a Non-Kerberized Login Procedure
If you log into a switch using a non-Kerberized login procedure, the switch takes care of authentication to the KDC on behalf of the login client. With this procedure the login client still sends the user's password to the switch in the clear over Telnet; only the exchange between the switch and the KDC is Kerberos-protected.
Figure 30-2 Non-Kerberized Telnet Connection
Configuring Authentication
The following sections describe how to configure the different authentication methods.
Authentication Default Configuration
Table 30-2 shows the default configuration for authentication.
Table 30-2 Default Authentication Configuration
Feature | Default
Login authentication (console and Telnet)...
Table 30-2 Default Authentication Configuration (continued)
Feature | Default
Kerberos login authentication (console and Telnet) | Disabled
Kerberos enable authentication (console and Telnet) | Disabled
Kerberos server IP address | None specified
Kerberos DES key | None specified
Kerberos server auth-port | Port 750...
Setting the Authentication Login Attempts on the Switch
To set the authentication login attempts on the switch, perform this task in privileged mode:
Task Command
Step 1 Set the authentication login attempts on the switch. Enter the console or telnet keywords if you want to set the local... | set authentication login attempt {count} [console | telnet]
Setting the Authentication Login Attempts for Privileged Mode
To set the authentication login attempts for privileged mode, perform this task in privileged mode:
Task Command
Step 1 Set the authentication login attempts for privileged mode. | set authentication enable attempt {count}
Configuring Local Authentication
The following sections describe how to configure local authentication on the switch.
Enabling Local Authentication
Note Local login and enable authentication are enabled for both console and Telnet connections by default. You do not need to perform these tasks unless you want to modify the default configuration or you have disabled local authentication.
Note Passwords that are set in software release 5.3 and earlier releases remain non-case sensitive. You must reset the password after installing software release 5.4 or a later release to activate case sensitivity.
To set the login password for local authentication, perform this task in privileged mode:
Task Command...
Disabling Local Authentication
Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication when RADIUS or TACACS+ is not correctly configured, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the switch.
The password recovery procedure that follows requires nothing more than access to the console port, so anyone who can reach the console can reset the passwords; keep the switch in a physically secured location and treat console access as administrative access.
Step 1 Connect to the switch through the supervisor engine console port. You cannot recover the password if you are connected through a Telnet connection.
Step 2 Enter the reset system command to reboot the switch.
Step 3 At the “Enter Password”...
Enabling Local User Authentication
To enable local user authentication on the switch, perform this task in privileged mode:
Task Command
Step 1 Enable local user authentication. | set localuser authentication enable
Step 2 Verify the local user authentication configuration....
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as backup server.
Console> (enable) show tacacs
Login Authentication: Console Session Telnet Session
--------------------- ---------------- ----------------
tacacs disabled disabled
radius disabled disabled...
This example shows how to enable TACACS+ authentication for console and Telnet connections and verify the configuration:
Console> (enable) set authentication login tacacs enable
tacacs login authentication set to enable for console and telnet session.
Console>...
To set the TACACS+ timeout interval, perform this task in privileged mode:
Task Command
Step 1 Set the TACACS+ timeout interval. | set tacacs timeout seconds
Step 2 Verify the TACACS+ configuration. | show tacacs
This example shows how to set the server timeout interval and verify the configuration:
Console>...
To enable TACACS+ directed request, perform this task in privileged mode:
Task Command
Step 1 Enable TACACS+ directed request on the switch. | set tacacs directedrequest enable
Step 2 Verify the TACACS+ configuration. | show tacacs
This example shows how to enable TACACS+ directed request and verify the configuration:
Console>...
This example shows how to clear a specific TACACS+ server from the configuration:
Console> (enable) clear tacacs server 172.20.52.3
172.20.52.3 cleared from TACACS table
Console> (enable)
This example shows how to clear all TACACS+ servers from the configuration:
Console>...
Enabling RADIUS Authentication
Note Specify at least one RADIUS server before enabling RADIUS authentication on the switch. For information on specifying a RADIUS server, see the “Specifying RADIUS Servers” section on page 30-23.
Enable Authentication: Console Session Telnet Session
---------------------- ----------------- ----------------
tacacs disabled disabled
radius enabled(primary) enabled(primary)
local enabled enabled
Console> (enable)
Specifying the RADIUS Key
Use the RADIUS key to protect communication between the RADIUS client and server. The key (shared secret) hides only the User-Password attribute and authenticates the server's responses; usernames and all other attributes are sent in the clear, so RADIUS does not encrypt the whole exchange.
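The two jobs of the shared secret, hiding the password and authenticating server replies, are shown in the following Python example, added here and not part of this guide or of the switch software. It hides a User-Password the way RFC 2865 section 5.2 specifies (16-byte blocks XORed with MD5(secret || previous block), seeded by the random Request Authenticator), builds an Access-Request and an Access-Accept, and verifies the Response Authenticator; the username, password and secret are constructed sample values.

```python
"""RADIUS (RFC 2865): User-Password hiding and Response Authenticator verification."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret || c_(i-1)), c_0 = Request Authenticator; password null-padded to 16n."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: anyone holding the secret and a sniffed packet can do this."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Request Authenticator is random; only User-Password is protected, User-Name is in the clear."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client check of a reply: length and ID must match the request, and the authenticator must verify."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"radius-key"                                               # constructed sample values
    req = build_access_request(7, b"admin", b"p@ssw0rd!", secret)
    resp = build_response(ACCESS_ACCEPT, 7, attribute(ATTR_REPLY_MESSAGE, b"Welcome"), req[4:20], secret)
    print(req.hex())
    print(verify_response(resp, req, secret))
```

Two consequences matter operationally: the password hiding is fully reversible by anyone who holds the secret and a capture, so the secret must be long and random, and an Access-Request itself carries no integrity check at all unless a Message-Authenticator attribute (RFC 2869) is present, which is one more reason to keep the path between switch and RADIUS server on a protected management network.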
To set the RADIUS timeout interval, perform this task in privileged mode:
Task Command
Step 1 Set the RADIUS timeout interval. | set radius timeout seconds
Step 2 Verify the RADIUS configuration. | show radius
This example shows how to set the RADIUS timeout interval and verify the configuration:
Console>...
----------------------------- ------- ------------
172.20.52.3 primary 1812
172.20.52.2 1812
Console> (enable)
Specifying Optional Attributes for RADIUS Servers
You can specify optional attributes in the RADIUS Access-Request packet. The set radius attribute command allows you to specify the transmission of certain optional attributes such as Framed-IP-Address, NAS-Port, Called-Station-Id, and Calling-Station-Id.
Clearing RADIUS Servers
To clear one or more RADIUS servers, perform this task in privileged mode:
Task Command
Step 1 Specify the IP address of the RADIUS server to clear from the configuration. | clear radius server [ip_addr | all]
Step 1 Before you can enter the switch in the Kerberos server’s key table, you must create the database that the KDC will use. In the following example, a database called CISCO.EDU is created:
/usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2 Add the switch to the database. The following example adds a switch called Cat4012 to the CISCO.EDU database:
ank host/Cat4012.cisco.edu@CISCO.EDU
Step 3 Add the username as follows:
ank user1@CISCO.EDU...
This example shows how to define a local realm and how to verify the configuration:
Console> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM.
Console> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM,...
Clear the Kerberos realm domain or host mapping entry. | clear kerberos realm {dns-domain | host} kerberos-realm
This example shows how to map a Kerberos realm, called CISCO.COM, to a DNS domain and how to clear the entry:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM...
This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration. The SRVTAB is the switch's long-term Kerberos key: anyone who obtains it can impersonate the switch to Kerberos clients, so retrieve it only over a network you trust and remove the copy from the KDC host once it is loaded.
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
Console> (enable)
Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM...
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9
Console> (enable)
This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services:
Console>...
Kerberos Credentials Forwarding Disabled
Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp
Kerberos config key:abcd
Kerberos SRVTAB Entries
Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11
Console> (enable)
To clear the DES key, perform this task in privileged mode:
Task: Clear a DES key from the switch.
To display the Kerberos credentials, perform this task in privileged mode:
Task: Display the Kerberos credentials. Command: show kerberos creds
This example shows how to display the Kerberos credentials:
Console> (enable) show kerberos creds
No Kerberos credentials.
This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet connections and local authentication is enabled for console connections. In addition, a TACACS+ encryption key is specified.
• EXEC mode (normal login)—When the authorization feature is enabled for EXEC mode, the user must supply a valid username and password pair to access the EXEC mode. Authorization is required only if you have enabled the authorization feature.
Configuring Authorization
The following TACACS+ authorization process occurs for every command that you enter:
• If you have disabled the command authorization feature, the TACACS+ server allows you to execute any command on the switch.
•...
• Configure RADIUS and TACACS+ servers before enabling authorization. See the “Specifying TACACS+ Servers” section on page 30-17 or the “Specifying RADIUS Servers” section on page 30-23 for more information on server setup.
• Configure RADIUS and TACACS+ keys to encrypt protocol packets before enabling authorization.
This example shows how to enable TACACS+ command authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny.
Console> (enable) set authorization commands enable config tacacs+ deny both
Successfully enabled commands authorization.
Step 3 Disable authorization of configuration commands. Enter the console or telnet keywords if you want to disable the authorization only for the console port or for the Telnet connection attempts. Command: set authorization commands disable [console | telnet | both]
Authorization Example
Figure 30-4 shows a simple example of a network topology that uses TACACS+. In this example, TACACS+ authorization is enabled for enable mode access to the switch for both Telnet and console connections, authorizing configuration commands.
Understanding How Accounting Works
The following sections describe how accounting works.
Accounting Overview
You can configure these accounting methods to monitor access to the switch:
• TACACS+ accounting
• RADIUS accounting
•...
Specifying When to Create Accounting Records
You can configure the switch to gather accounting information and create records. When you configure accounting (using the set accounting command), the switch can generate two types of records:
•...
local enabled(primary) enabled(primary)
Radius Deadtime: 0 minutes
Radius Key:
Radius Retransmit:
Radius Timeout: 5 seconds
Radius-Server                 Status  Auth-port
----------------------------- ------- ------------
172.20.52.3                   primary 1812
Console> (enable)
Updating the Server
You can configure the switch to send accounting information to the TACACS+ server. There are two options:
•...
Accounting Configuration Guidelines
This section lists the guidelines for configuring accounting on the switch:
• Configure RADIUS and TACACS+ servers before enabling accounting. See the “Specifying TACACS+ Servers” section on page 30-17 or the “Specifying RADIUS Servers”...
Console> (enable) set accounting system enable stop-only tacacs+
Accounting set to enable for system events in stop-only mode.
Console> (enable)
Console> (enable) set accounting commands enable all stop-only tacacs+
Accounting set to enable for commands-all events in stop-only mode.
Console>...
Step 5 Disable suppression of information for unknown users. Command: set accounting suppress null-username disable
Step 6 Verify the accounting configuration. Command: show accounting
This example shows how to disable stop-only accounting:
Console>...
Accounting Example
Figure 30-5 shows a simple network topology using TACACS+. When Workstation A initiates an accountable event on the switch, the switch gathers event information and forwards the information to the server at the conclusion of the event.
Chapter 31 Configuring 802.1x Authentication
This chapter describes how to configure 802.1x authentication on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference publication.
In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Authentication Initiation and Message Exchange
The switch or the host can initiate authentication. If you enable authentication on a port by using the set port dot1x mod/port port-control auto command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
Ports in Authorized and Unauthorized States
The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets.
Table 31-1 802.1x Terminology
Term: Authenticator PAE (referred to as the “authenticator”). Definition: The entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange.
802.1x Parameters Configurable on the Switch
With 802.1x, you can do the following:
• Specify force-authorized port control, force-unauthorized port control, or automatic 802.1x port control
• Enable or disable multiple hosts on a specific port
•...
NVRAM-configured VLAN. In order for the 802.1x VLAN assignment using a RADIUS server to successfully complete, the RADIUS server must return the following three RFC 2868 attributes back to the authenticator (the Cisco switch to which the host attaches):
• [64] Tunnel-Type = VLAN
•...
Using 802.1x Authentication on Ports Configured for Auxiliary VLAN Traffic
Because IP phones do not have host PAE capability, when auxiliary VLAN-tagged packets are received on a port that is configured for 802.1x authentication, they are forwarded as authorized traffic. Ports that are configured for 802.1x authentication must be in single-host authentication mode to forward auxiliary VLAN-tagged packets.
• Do not assign a guest VLAN that is equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
You can specify multiple authentications so that more than one host can gain access to an 802.1x port. Multiple authentication is Cisco proprietary and allows multiple dot1x-hosts on a port; every host is authenticated separately. Use these guidelines when enabling multiple 802.1x authentications:
• Traffic from non-802.1x hosts on multiple-authentication ports is blocked.
To enable multiple 802.1x authentications, perform this task in privileged mode:
Step 1 Enable multiple 802.1x authentication on a specific port. Command: set port dot1x mod/port multiple-authentication {enable | disable}
Step 2 Verify the 802.1x configuration.
Console> (enable) show port dot1x 4/1
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
 4/1  connecting          finished   auto                unauthorized
Port  Multiple Host Re-authentication
----- ------------- -----------------
 4/1  disabled      enabled
Manually Reauthenticating the Host
You can manually reauthenticate the host that is connected to a specific port at any time.
Disabling Multiple Hosts
You can disable access for multiple users on any port where it is enabled. To disable access for multiple users on a specific port, perform this task in privileged mode:
Task: Disable multiple hosts on a specific port.
This example shows how to set the authenticator-to-host retransmission time for the EAP-request/identity frame to 15 seconds:
Console> (enable) set dot1x tx-period 15
dot1x tx-period set to 15 seconds.
Setting the Supplicant-to-Host Retransmission Time for EAP-Request Frames
The host notifies the back-end authenticator that it received the EAP-request frame.
Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
The authentication server notifies the back-end authenticator each time that it receives a specific number of frames. When the back-end authenticator does not receive this notification after sending the frames, the back-end authenticator waits a set period of time and then retransmits the frames.
To set the number of frames that are retransmitted from the back-end authenticator to the host, perform this task in privileged mode:
Task: Set the back-end authenticator-to-host frame retransmission number. Command: set dot1x max-req count
This example shows how to reset the 802.1x configuration parameters to the default values:
Console> (enable) clear dot1x config
This command will disable dot1x on all ports and take dot1x parameter values back to factory defaults.
To display the usage options for the show port dot1x command, perform this task in normal mode:
Task: Display the usage options for the show port dot1x command. Command: show port dot1x help
This example shows how to display the usage options for the show port dot1x command:
Console>...
To display the global 802.1x parameters, perform this task in normal mode:
Task: Display the PAE capabilities, protocol version, system-auth-control, and other global dot1x parameters. Command: show dot1x
This example shows how to display the global 802.1x parameters:
Console>...
Chapter 32 Modifying the Switch Boot Configuration
This chapter describes how to modify the switch boot configuration, including the BOOT environment variable and the configuration register on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Understanding the ROM Monitor
The ROM monitor code executes upon switch power-up, reset, or when a fatal exception occurs. The system enters ROM-monitor mode if the switch does not find a valid system image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode.
• Bit 7 (0x0080): Enables OEM bit (not used).
• Bit 8 (0x0100): Disables break.
• Bit 9 (0x0200): Uses secondary bootstrap (not used by the ROM monitor).
•...
If any specified file is not a valid configuration file, the entry is skipped and subsequent files are tried until there are no additional images specified. If no valid configuration file is specified, the system retains the last configuration that is stored in NVRAM.
To set the configuration register boot field, perform this task in privileged mode:
Task: Specify the boot field in the configuration register. Command: set boot config-register boot {rommon | bootflash | system} [mod_num]
This example shows how to force the switch to enter ROM-monitor mode at the next startup:
Console>...
Setting the Switch to Ignore the NVRAM Configuration
You can cause the system software to ignore the configuration information that is stored in NVRAM when the switch is restarted. This command affects only the configuration register bits that control whether the switch ignores the NVRAM configuration and leaves the remaining bits unaltered.
Clearing the BOOT Environment Variable Settings
To clear entries from the BOOT environment variable, perform one of these tasks in privileged mode:
Task: Clear a specific image from the BOOT environment variable. Command: clear boot system flash device:[filename]
This example shows how to set the list of configuration files to the CONFIG_FILE environment variable:
Console> (enable) set boot auto-config bootflash:generic.cfg;bootflash:4003_1_noc.cfg
CONFIG_FILE variable = bootflash:generic.cfg;bootflash:4003_1_noc.cfg
WARNING: nvram configuration may be lost during next bootup, and re-configured using the file(s) specified.
Chapter 33 Working with System Software Images
This chapter describes how to work with system software image files on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Understanding How TFTP Software Image Downloads Work
You can download system software images to the switch using the Trivial File Transfer Protocol (TFTP). TFTP allows you to download system image files over the network from a TFTP server. When you download a software image, the image file downloads to the supervisor engine Flash memory.
This command will reset the system.
Do you want to continue (y/n) [n]? y
Console> (enable) 07/21/2000,13:51:39:SYS-5:System reset from Console//
System Bootstrap, Version 3.1(2)
Copyright (c) 1994-1997 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory
Autoboot executing command: "boot bootflash:cat4000.6-1-1.bin"
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
EARL RAM Test ....Passed
EARL Serial Prom Test ..Passed
Level2 Cache ....Present
Level2 Cache test....Passed
Boot image: bootflash:cat4000.6-1-1.bin
Cisco Systems Console
Enter password:
07/21/2000,13:52:51:SYS-5:Module 1 is online
07/21/2000,13:53:11:SYS-5:Module 4 is online
07/21/2000,13:53:11:SYS-5:Module 5 is online
07/21/2000,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
Preparing to Upload an Image to a TFTP Server
Before you attempt to upload a software image to a TFTP server, do the following:
•...
Understanding How rcp Software Image Downloads Work
You can download system software images to the switch using the remote copy protocol (rcp); rcp allows you to download system image files over the network from an rcp server.
If done improperly, the system can be unbootable, and you will have to return it to Cisco for repair.
ROMMON versions, but you will have to substitute appropriate version numbers in the upgrade image names. To upgrade the ROMMON, follow these steps:
Step 1 Download the promupgrade program from Cisco.com and place it on a TFTP server in a directory that is accessible from the switch to be upgraded.
OIR of the supervisor engine for at least 5 minutes. If the process is not allowed to complete, you might damage the switch and have to return it to Cisco for repair. Upgrading the ROMMON takes up to 5 minutes because the switch boots the promupgrade image. This program erases the current ROMMON from the Flash memory and installs the new one.
The ROMMON version number is listed as the System Bootstrap Version. For example, the following system is running ROMMON version 6.1(4):
Console> (enable) show version
WS-C4003 Software, Version NmpSW:5.5(8)
Copyright (c) 1995-2001 by Cisco Systems, Inc.
NMP S/W compiled on May 24 2001, 21:12:09
GSP S/W compiled on May 24 2001, 18:39:50
System Bootstrap Version:6.1(4)
Hardware Version:1.0 Model:WS-C4003 Serial #:xxxxxxxxx
Console> (enable)
Step 10 Enter the clear boot system flash promupgrade_image command to remove the promupgrade program from the autoboot string.
Chapter 34 Working With the Flash File System
This chapter describes how to use the Flash file system on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, see the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Setting the Text File Configuration Mode
When you configure the switch to use text file configuration mode, the switch stores its configuration as a text file in nonvolatile storage, either in NVRAM or Flash memory.
Task: Display a list of all files on a Flash device, including all deleted files. Command: dir [[m/]device:][filename] all
Task: Display a detailed list of files on a Flash device. Command: dir [[m/]device:][filename] long
This example shows how to list the files on the default Flash device:
Console>...
Copying Files
Enter the copy command to perform these tasks:
• Download a system image or configuration file from a TFTP or rcp server to a Flash device
•...
This example shows how to copy the running configuration to Flash memory:
Console> (enable) copy config flash
Flash device [bootflash]? bootflash:
Name of file to copy to []? 4012_config.cfg
Upload configuration to bootflash:4012_config.cfg
9942096 bytes available on device bootflash, proceed (y/n) [n]? y
..
To delete files from a Flash device, perform this task in privileged mode:
Step 1 Delete a file from a Flash device. Command: delete [[m/]device:]filename
Step 2 If desired, permanently remove all deleted files on the Flash device...
Verifying a File Checksum
To verify the checksum of a file on a Flash device, perform this task in privileged mode:
Task: Verify the checksum of a file on a Flash device.
Chapter 35 Working with Configuration Files
This chapter describes how to work with switch configuration files on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
If passwords already exist, you cannot enter the set password and set enablepass commands because the password verification will fail. If you enter passwords in the configuration file, the switch mistakenly attempts to execute the passwords as commands as it executes the file. Some commands must be followed by a blank line in the configuration file.
To configure a switch using a configuration file that is stored on a Flash device in the Flash file system, follow these steps:
Step 1 Log in to the switch through the console port or a Telnet session.
Step 2 Locate the configuration file using the cd and dir commands (for more information, see the “Listing the...
Preparing to Download a Configuration File Using TFTP
Before you begin downloading a configuration file using TFTP, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly.
•...
Preparing to Upload a Configuration File to a TFTP Server
Before you attempt to upload a configuration file to a TFTP server, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly.
•...
have access to a server that supports rsh. (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file.
>> set ip dns enable
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)
Uploading Configuration Files to an rcp Server
The next two sections describe how to upload the running configuration or a configuration file that is stored on a Flash device to an rcp server.
Clearing the Configuration
To clear the configuration on the entire switch, perform this task in privileged mode:
Task: Clear the switch configuration. Command: clear config all
This example shows how to clear the configuration for the entire switch:
Console>...
Chapter 36 Configuring Switch Acceleration
This chapter describes how to configure switch acceleration on the Catalyst enterprise LAN switches. This chapter consists of these sections:
• Understanding How Switch Acceleration Works, page 36-1
• Configuring Switch Acceleration on the Switch, page 36-3
• Backplane Channel Module, page 36-4
•...
By default, there is no direct internal connection between SE1 and SE3. Traffic coming in on SE1 that is destined for SE3, or vice versa, must go through SE2, which could potentially create congestion. To avoid congestion, you can disable the uplink ports and create a direct internal link between SE1 and SE3.
Configuring Switch Acceleration on the Switch
By default, switch acceleration is disabled on the Supervisor Engine II. Before you enable switch acceleration, you must disable the two front-panel Gigabit Ethernet uplink ports on Supervisor Engine II.
Backplane Channel Module
The Backplane Channel Module provides multilink load balancing between the switch engines. The Backplane Channel Module also allows you to retain the Gigabit Ethernet uplinks on the supervisor engine. The Backplane Channel Module provides the following in the default configuration mode:
•...
Chapter 37 Configuring System Message Logging
This chapter describes how to configure system message logging on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Table 37-1 describes the facility types that are supported by the system message logs.
Table 37-1 System Message Log Facilities
Facility Name  Definition
acl            Access Control Lists
cdp            Cisco Discovery Protocol
cops           Common Open Policy Service
drip           Dual Ring Protocol
dtp            Dynamic Trunking Protocol
...
System Log Message Format
System log messages begin with a percent sign (%) and can contain up to 80 characters. Messages are displayed in the following format:
mm/dd/yyyy:hh/mm/ss:facility-severity-MNEMONIC:description
Table 37-2 describes the elements of syslog messages.
System Log Message Format
System log messages begin with a percent sign (%) and can contain up to 80 characters. Messages are displayed in the following format:
mm/dd/yyyy:hh/mm/ss:facility-severity-MNEMONIC:description
Table 37-4 describes the elements of syslog messages.
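As an added example (not code from the guide), here is a small Python parser for messages in the format above, run over the lines shown in the boot transcript earlier in this guide, together with the severity cut-off that set logging level all 5 applies. Assumptions, taken from the transcript rather than the format string: date and time are separated by a comma, the leading % may be absent, and the MNEMONIC field is optional; the last two sample lines and the MOD_FAIL mnemonic are constructed.

```python
"""Parser and severity filter for Catalyst system log messages.

Added example, not code from the guide. The message layout follows the
transcript lines reproduced in this guide (date,time:FACILITY-SEVERITY:text);
an optional MNEMONIC field and a leading '%' are accepted as well.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Severity numbers as the guide uses them: 0 is most severe, 7 least severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# mm/dd/yyyy, a comma or colon, hh:mm:ss, then FACILITY-SEVERITY[-MNEMONIC]:description
LINE_RE = re.compile(
    r"^%?(?P<date>\d{2}/\d{2}/\d{4})[,:](?P<time>\d{2}:\d{2}:\d{2}):"
    r"(?P<facility>[A-Z0-9]+)-(?P<severity>[0-7])(?:-(?P<mnemonic>[A-Z0-9_]+))?:"
    r"(?P<description>.*)$"
)


@dataclass(frozen=True)
class LogMessage:
    timestamp: datetime
    facility: str
    severity: int
    mnemonic: Optional[str]
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[LogMessage]:
    """Return the parsed message, or None if the line is not a log message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return LogMessage(stamp, m["facility"], int(m["severity"]),
                      m["mnemonic"], m["description"])


def filter_by_level(lines: List[str], level: int) -> List[LogMessage]:
    """Keep messages whose severity number is at or below level, i.e. at least
    as severe as that level. This is the cut-off 'set logging level all 5'
    applies on the switch: level 5 keeps notifications and anything worse."""
    if not 0 <= level <= 7:
        raise ValueError("severity level must be between 0 and 7")
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and msg.severity <= level:
            kept.append(msg)
    return kept


def unparsed(lines: List[str]) -> List[str]:
    """Non-empty lines that do not match the message format. A collector that
    drops these silently loses events, so report them instead."""
    return [ln for ln in lines if ln.strip() and parse_line(ln) is None]


def count_by_facility(messages: List[LogMessage]) -> Dict[str, int]:
    """Number of messages per facility, a quick view of which subsystem is talking."""
    counts: Dict[str, int] = {}
    for msg in messages:
        counts[msg.facility] = counts.get(msg.facility, 0) + 1
    return counts


# Sample input. The first three lines are copied from the boot transcript in
# this guide; the last two (including the MOD_FAIL mnemonic) are constructed.
SAMPLE_LINES = [
    "07/21/2000,13:51:39:SYS-5:System reset from Console//",
    "07/21/2000,13:52:51:SYS-5:Module 1 is online",
    "07/21/2000,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.",
    "%07/21/2000,13:55:02:SYS-3-MOD_FAIL:Module 6 failed diagnostics",
    "Enter password:",  # console prompt, not a log message
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LINES, 5):
        print(msg.timestamp.isoformat(), msg.facility, msg.severity_name,
              msg.mnemonic or "-", msg.description)
    print("unparsed:", unparsed(SAMPLE_LINES))
    print("per facility:", count_by_facility(filter_by_level(SAMPLE_LINES, 7)))
```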
Note If you enter the set logging session command while you are connected through the console port, the command has the same effect as entering the set logging console command. However, if you enter the set logging console command while you are connected through a Telnet session, the default console logging enable state is changed.
This example shows how to set the logging severity level to 5 for all facilities (for the current session only):
Console> (enable) set logging level all 5
All system logging facilities for this session set to severity 5(notifications)
Console>...
To limit the number of syslog messages, perform this task in privileged mode:
Step 1 Limit the number of syslog messages. Command: set logging history severity severity_level
Step 2 Verify the system message logging configuration.
To configure the switch to log messages to a syslog server, perform this task in privileged mode:
Step 1 Specify the IP address of as many as three syslog servers. Command: set logging server ip_addr
Displaying the Logging Configuration
Enter the show logging command to display the current system message logging configuration. Enter the noalias keyword to display the IP addresses instead of the host names of the configured syslog servers.
Displaying System Messages
Use the show logging buffer command to display the messages in the switch logging buffer. If you do not specify number_of_messages, the default is to display the last 20 messages in the buffer. To display the messages in the switch logging buffer, perform one of these tasks:
Task Command...
Chapter 38 Configuring DNS
This chapter describes how to configure the Domain Name System (DNS) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Chapter 38 Configuring DNS

Default DNS Configuration

Table 38-1 shows the default DNS configuration.

Table 38-1 Default DNS Configuration
Feature                  Default Value
DNS enable state         Disabled
DNS default domain name  Null
DNS servers              None specified

Configuring DNS on the Switch

The following sections describe how to configure DNS:
• Setting Up and Enabling DNS, page 38-2
...
dns_serv2 dns_serv1 primary dns_serv3
Console> (enable)

Clearing a DNS Server

To clear DNS servers from the DNS server table, perform this task in privileged mode:

Task                                                          Command
Step 1  Clear one or all of the DNS servers from the table.  clear ip dns server [ip_addr | all]
Step 2  Verify the DNS configuration.
This example shows how to disable DNS on the switch:

Console> (enable) set ip dns disable
DNS is disabled
Console> (enable)

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX 38-4 78-15908-01...
CHAPTER

Configuring NTP

This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst enterprise LAN switches.

Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that you obtain the time service for your network from the public NTP servers available on the IP Internet.
Chapter 39 Configuring NTP
Configuring NTP on the Switch

To enable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Task                                                              Command
Step 1  Enable NTP broadcast-client mode.                         set ntp broadcastclient enable
Step 2  (Optional) Set the estimated NTP broadcast packet delay.  set ntp broadcast delay microseconds
Step 3  Verify the NTP configuration.
This example shows how to configure the NTP server address, enable NTP client mode on the switch, and verify the configuration:

Console> (enable) set ntp server 172.20.52.65
NTP server 172.20.52.65 added.
Console>...
This example shows how to configure the NTP server address, enable NTP client and authentication modes on the switch, and verify the configuration:

Console> (enable) set ntp server 172.20.52.65 key 879
NTP server 172.20.52.65 with key 879 added.
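The key number given with set ntp server (879 above) is the NTP key identifier: it names a shared secret, and every packet exchanged with that server carries the identifier plus a keyed MD5 digest so the switch can reject time from anyone who does not hold the secret. The following Python example is added to show what that authentication field is and how a receiver checks it; it is not code from the guide or from Cisco. It builds a minimal 48-byte NTP client header, appends the symmetric-key MAC defined in RFC 5905 (4-byte key ID followed by MD5 over key || header), and verifies packets against a table of trusted keys. The key string is constructed for the example, and treating the configured key text directly as the MD5 key bytes is an assumption about the implementation.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48             # fixed NTP header, RFC 5905 section 7.3
MAC_LEN = 4 + 16                # key identifier + MD5 digest
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def build_client_header(transmit_unix_secs: int, version: int = 4) -> bytes:
    """48-byte NTP client (mode 3) request; only the transmit timestamp is set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3        # LI=0, VN=version, mode=3 (client)
    stratum, poll, precision = 0, 6, (-20 & 0xFF)
    head = struct.pack("!BBBB", li_vn_mode, stratum, poll, precision)
    head += b"\x00" * 12                                # root delay, root dispersion, reference ID
    head += b"\x00" * 24                                # reference, originate, receive timestamps
    head += struct.pack("!II", transmit_unix_secs + NTP_EPOCH_OFFSET, 0)
    assert len(head) == NTP_HEADER_LEN
    return head


def sign_ntp_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key MAC: key ID, then MD5(key || header) per RFC 5905 Appendix A."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp_packet(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key ID that authenticated the packet, or None if it is not trusted.
    Packets with no MAC, an unknown key ID, or a wrong digest all return None."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None                                     # no MAC, or a length we do not accept
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    mac = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return None                                     # key ID not in the trusted set
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, mac) else None


# Constructed trust table: key number 879 is the one from the page's example,
# the secret itself is invented for this example.
TRUSTED_KEYS = {879: b"constructed-ntp-secret"}


def demo() -> Dict[str, Optional[int]]:
    """Exercise the verifier with a valid packet and the failure cases a receiver must reject."""
    header = build_client_header(1041000000)
    good = sign_ntp_packet(header, 879, TRUSTED_KEYS[879])
    wrong_key = sign_ntp_packet(header, 879, b"not-the-shared-secret")
    tampered = bytearray(good)
    tampered[43] ^= 0x01                                # flip a bit inside the transmit timestamp
    unknown_id = sign_ntp_packet(header, 880, TRUSTED_KEYS[879])
    return {
        "good": verify_ntp_packet(good, TRUSTED_KEYS),
        "wrong_key": verify_ntp_packet(wrong_key, TRUSTED_KEYS),
        "tampered": verify_ntp_packet(bytes(tampered), TRUSTED_KEYS),
        "unknown_key_id": verify_ntp_packet(unknown_id, TRUSTED_KEYS),
        "unauthenticated": verify_ntp_packet(header, TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:<16} -> {'accepted with key ' + str(result) if result else 'rejected'}")
```

Two points the code makes explicit. First, the digest is a keyed prefix hash, not HMAC, and MD5 is weak by today's standards; what it buys is that a server answer or broadcast from a host without the shared secret is dropped, which is the threat the key number on the switch addresses. Second, the receiver is strict about key IDs: a packet signed with a correct secret under an identifier that is not in the trusted set is rejected, so the trusted-key list on the switch is as much a part of the configuration as the secret itself.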
To enable the daylight saving time clock adjustment following the U.S. standards, perform this task in privileged mode:

Task                                                       Command
Step 1  Enable the daylight saving time clock adjustment.  set summertime enable [zone_name]
                                                           set summertime recurring
Step 2  Verify the configuration.
Offset: 1440 minutes (1 day)
Recurring: no
Console> (enable)

Disabling the Daylight Saving Time Adjustment

To disable the daylight saving time clock adjustment, perform this task in privileged mode:

Task                                                        Command
Step 1  Disable the daylight saving time clock adjustment.
Disabling NTP

To disable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Task                                        Command
Step 1  Disable NTP broadcast-client mode.  set ntp broadcastclient disable
Step 2  Verify the NTP configuration.       show ntp [noalias]

This example shows how to disable NTP broadcast-client mode on the switch:

Console>...
APPENDIX

Acronyms

ATM adaptation layer
access control entry
add-drop multiplexer
Authority and Format Identifier
active monitor present
APaRT  automated packet recognition/translation
Address Resolution Protocol
ATM switch processor
Asynchronous Transfer Mode
BPDU  bridge protocol data unit
Bridge Relay Function
broadcast and unknown server...
Appendix A Acronyms

CDDI  Copper Distributed Data Interface
Cisco Discovery Protocol
CGMP  Cisco Group Management Protocol
command-line interface
COPS  Common Open Policy Service
class of service
Cyclic Redundancy Check
Concentrator Relay Function
Data Country Code
Digital Equipment Corporation
domain-specific part format identifier...
ELAN  emulated local area network
end-system identifier
frame check sequence
FDDI  Fiber Distributed Data Interface
full duplex
FSSRP  Fast Simple Server Redundancy Protocol
foil twisted-pair
FTTH  fiber to the home
GARP  General Attribute Registration Protocol
GBIC  Gigabit Interface Converter
GMRP  GARP Multicast Registration Protocol...
Internet Protocol
interprocessor communication
Internetwork Packet Exchange
Inter-Switch Link
International Organization of Standardization
key distribution center
local-area network
LANE  LAN Emulation
local-area transport
Link Control Protocol
LAN Emulation Client
LECS  LAN Emulation Configuration Server
link error monitor
link error rate
LAN Emulation Server
logical link control...
Multilayer Switching
MLSP  Multilayer Switching Protocol
MLS-RP  multilayer switching-route processor
multimode
Maintenance Operation Protocol
MOTD  message-of-the-day
Multiprotocol over ATM client
MPOA  multiprotocol over ATM
multiprotocol over ATM server
maximum transmission unit
NAUN  nearest available upstream neighbor
NBMA  non-broadcast multi-access
non-bused spare
NetFlow Data Export...
Operation, Administration, and Maintenance
out-of-band
Open System Interconnection
One-Time-Password
PAgP  Port Aggregation Protocol
port adapter module
pulse code modulation
PCMCIA  Personal Computer Memory Card International Association
peak cell rate
protocol data unit
physical sublayer
protocol independent multicast
PLCP  physical layer convergence procedure
physical layer interface module...
RGMP  Router Group Management Protocol
routing information field
RMON  remote monitoring
read-only memory
route processor
Route Switch Module
SAID  Security Association Identifier
SAMBA  synergy advanced multipurpose bus arbiter
service access point
segmentation and reassembly
Serial Control Protocol
sustainable cell rate
Session Description Protocol
search engine...
1) Spanning Tree Protocol; 2) shielded twisted-pair
STPX  Spanning Tree Protocol Extensions (MIB)
switched virtual circuit
TACACS+  Terminal Access Controller Access Control System Plus
TCP/IP  Transmission Control Protocol/Internet Protocol
TFTP  Trivial File Transfer Protocol
ticket granting ticket
Telecommunications Industry Association
type-length value
type of service...
variable bit rate
virtual circuit
virtual channel connection
Virtual Channel Descriptor
1) virtual channel identifier; 2) virtual connection identifier
Virtual Configuration Register
VLAN  virtual LAN
VMPS  VLAN Membership Policy Server
virtual path identifier
VLAN Query Protocol
VLAN Trunking Protocol
WRED  weighted random early detect
Weighted Round Robin...
INDEX

See IP addresses; MAC addresses Numerics Address Resolution Protocol 10/100 port speed, setting See ARP 1400W DC power supply 28-5 administration 802.1Q switch 27-1, 38-1 example 11-9, 11-19 administrative groups, EtherChannel mapping VLANs to ISL 10-11 advertisements, VTP overview...
27-9 bridge identifiers Cisco Discovery Protocol MAC addresses 7-13 See CDP PVST+ Cisco Group Management Protocol 7-23 bridge protocol data unit See CGMP See BPDU Cisco IP Phones...
sound quality community strings 29-2 CiscoView 24-9 defining 24-9 CiscoWorks2000 overview 24-17 24-5 CIST CONFIG_FILE variable 7-15 classification setting recurrence 32-5 frames configuration 14-3 classless interdomain routing clearing the 35-8 See CIDR configuration files class of service creating 35-2 See CoS downloading via RCP 35-6...
39-5 drop thresholds default configurations CoS mapping 14-6 Ethernet transmit queue 14-3 Fast Ethernet TACACS+ accounting 30-49 non-Cisco devices and 11-3 default gateway, configuring overview 11-2 default IGMP filter configuration 15-18 duplex mode denying filter match-action 15-21 Fast Ethernet DHCP...
setting setting port duplex 30-13 enabling IGMP multicast filtering 15-19 setting port name enabling IGMP traffic filtering setting port priority 15-20 encapsulation type descriptions, trunks (table) setting port speed 11-2 encryption See also protocol filtering See secure shell encryption examples, conventions xxviii environment variables...
See sc0 interface overview 15-1 inferior BPDUs, BackboneFast and router ports and group entries 15-15 inline power See also multicast groups; multicast routers configuring on Cisco IP phones 29-3 IP permit lists See PoE adding addresses 18-2 interfaces clearing entries...
30-10, 30-11 See RADIUS keys; TACACS+ keys overview 30-2 login banner clearing 27-5 configuring 27-4 LACP displaying or suppressing the "Cisco Systems Console" configuration parameters 6-17 login banner 27-5 configuration procedures 6-18 overview 27-4 modes 6-16 login passwords...
allocating modules 7-13 blocking 16-1 checking status 20-1 blocking unicast flood packets configuring Ethernet 17-1 4-1, 19-1 bridge identifiers configuring Fast Ethernet 7-13 4-1, 6-1, 19-1 designating configuring Gigabit Ethernet disabling notification configuring supervisor engine 16-7 enabling notification designating on command line 16-7 port security and 16-1...
M-record configuring 7-15 25-1 M-tree 7-15 See also RMON; SNMP multicast Network Time Protocol See IP multicast See NTP multicast filter profiles New Software Features in Release 7.7 establishing and verifying extended VLAN support with VTP version 3 15-20 10-3, 10-4, 10-6, 10-9 removing...
20-10 port IP multicast filtering 15-20 overview 20-9 port names testing connectivity 4-8, 5-10 Ethernet Fast Ethernet configuring on Cisco IP phones 28-11 Gigabit Ethernet modes 28-12 setting 4-3, 5-7 Port Aggregation Protocol port negotiation See PAgP configuring port-based authentication...
dynamic VLAN membership overview redundancy 12-1 28-6 private VLAN 10-16 redundant mode 28-2 reconfirming VMPS voice 12-9 28-11 setting the debounce timer power supplies speed fixed 28-2 10/100 Fast Ethernet variable 28-2 Port security priority enabling with 802.1x authentication 31-7 See port priority port security...
port priority suppressing accounting 7-25 30-49 port VLAN cost 7-26 updating the server 30-49 RADIUS authentication configuration guidelines 30-9 default configuration 30-8, 30-49 disabling 30-30 enabling 30-24 overview 30-4 mapping drop thresholds 14-6 servers, specifying optional attributes 30-28 reverting to port default 14-5 setting deadtime 30-27...
removing hosts disabling 31-18 26-13 removing multicast filter profiles 15-21 hardware requirements 26-8 removing multicast port filter associations overview 15-23 26-1 reports session limits 26-4 IGMP filtering 15-17 See also SPAN; VSPAN reports, system status RSTP 27-12 reserved-range VLANs overview 7-16 See VLANs...
console port and source ports 26-2 overview traffic 26-4 SLIP interface spanning tree See sl0 interface dummy MAC addresses and SNMP EtherChannel port costs benefits EtherChannel port-VLAN costs 24-6 clearing IP addresses associated with access spanning tree BackboneFast convergence numbers 24-13 See BackboneFast...
me1 interface displaying configuration 37-9 sc0 interface displaying message log 37-10 sl0 interface facilities (table) 37-2 software description limiting the number of syslog messages 37-6 software images overview message format 37-3, 37-4 startup configuration overview 32-1 37-1 static routes setting buffer size 27-9 37-6...
configuring overview 27-2 30-40 overview 27-1 primary options 30-41 system prompt sample configuration 30-46 configuring TACACS+ keys 27-2 overview 27-1 clearing 30-22 system reset specifying 30-19 scheduling Telnet 27-10 system status report disconnecting user sessions 20-8 generating 27-12 executing 20-6 limiting attempts 30-10...
system message logging and blocking MAC addresses 37-1 17-1 VMPS 12-10, 12-11 guidelines for 17-2 trunks disabling 17-3 802.1Q restrictions disabling on a secure port 11-4 16-6 allowed VLANs 11-6 displaying 17-3 autonegotiation enabling 11-2 17-2 configuring IEEE 802.1Q enabling on a secure port 11-5 16-6...
assigning switch ports to for auxiliary VLANs 10-10 12-14 auxiliary 10-13 monitoring 12-9 configuration guidelines overview 10-5 12-1 default configuration reconfirm dynamic port assignments 10-4 12-9 deleting 10-12 reconfirming membership 12-9 designating on command line troubleshooting 12-11 Ethernet troubleshooting dynamic ports 10-6, 10-7 12-11 extended range...
default configuration disabling 9-8, 9-9 domains modes client server transparent monitoring 9-12 overview pruning configuring 9-11 disabling 9-12 figure overview server, configuring statistics 9-12 transparent mode, configuring version 2 disabling 9-10 enabling overview version 3 configuring 9-22 default configuration 9-22 naming extended range VLANs 10-4, 10-9...