Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide Software Release 8.1 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7815486=...
Contents: Preface xxiii; Audience xxiii; Organization xxiii; Related Documentation; Conventions xxvi; Obtaining Documentation xxvii; Cisco.com xxvii; Documentation CD-ROM xxvii; Ordering Documentation xxvii; Documentation Feedback xxviii; Obtaining Technical Assistance xxviii; Cisco.com xxviii; Technical Assistance Center...
Using Command Aliases; Specifying Modules, Ports, and VLANs; Specifying MAC Addresses; Specifying IP Addresses, Host Names, and IP Aliases; ROM Monitor CLI; Example of a Catalyst 4003 Bootup Display. Chapter: Configuring the Switch IP Address and Default Gateway; Understanding How the Switch Management Interfaces Work; Understanding How Automatic IP Configuration Works; Automatic IP Configuration Overview...
Chapter: Configuring Gigabit Ethernet Switching; Understanding How Gigabit Ethernet Works; Understanding How Gigabit Ethernet Flow Control Works; Understanding How Port Negotiation Works; Understanding How Oversubscribed Gigabit Ethernet Works; Default Gigabit Ethernet Configuration; Configuring Gigabit Ethernet Ports; Assigning Gigabit Ethernet Port Names; Configuring Gigabit Ethernet Port Priority Levels; Configuring Flow Control on Gigabit Ethernet Ports...
Configuration Example of a Four-Port Fast EtherChannel 6-12; Configuration Example of Two-Port Gigabit EtherChannel 6-14; Understanding the LACP 6-16; LACP Modes 6-16; LACP Parameters 6-17; Configuring EtherChannel Using LACP 6-18; Specifying the EtherChannel Protocol 6-18; Specifying the System Priority 6-19; Specifying the Port Priority 6-19...
MST Region 7-19; Message Age and Hop Count 7-21; MST-to-PVST+ Interoperability 7-21; Understanding How BPDU Skewing Works 7-22; Using PVST+ 7-22; Default PVST+ Configuration 7-23; Setting the PVST+ Bridge ID Priority 7-23; Configuring the PVST+ Port Cost 7-25; Configuring PVST+ Port Priority 7-25; Configuring the PVST+ Default Port Cost Mode 7-26...
Understanding How PortFast BPDU Guard Works; Understanding How PortFast BPDU Filtering Works; Understanding How UplinkFast Works; Understanding How BackboneFast Works; Understanding How Loop Guard Works; Configuring PortFast; Enabling PortFast on an Access Port; Enabling PortFast on a Trunk Port; Disabling PortFast 8-10; Resetting PortFast...
Configuring a VTP Client; Configuring VTP (VTP Transparent Mode); Disabling VTP Using the Off Mode; Enabling VTP Version 2; Disabling VTP Version 2 9-10; Enabling VTP Pruning 9-11; Disabling VTP Pruning 9-12; Displaying VTP Statistics 9-12; Understanding How VTP Version 3 Works 9-13; VTP Version 3 Authentication 9-13...
Configuring Private VLANs 10-16; Private VLAN Configuration Guidelines 10-17; Creating a Private VLAN 10-19; Viewing the Port Capability of a Private VLAN Port 10-22; Deleting a Private VLAN 10-22; Deleting an Isolated or Community VLAN 10-23; Deleting a Private VLAN Mapping 10-23; Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports 11-1...
Troubleshooting VMPS 12-11; Troubleshooting Dynamic Ports 12-11; VMPS Example 12-12; Dynamic Port VLAN Membership with Auxiliary VLANs 12-14; Configuration Guidelines 12-15; Configuring Dynamic Port VLAN Membership with Auxiliary VLANs 12-15. Chapter: Configuring GVRP 13-1; Understanding How GVRP Works 13-1; GVRP Hardware and Software Requirements...
Displaying QoS Information 14-7; Reverting to QoS Defaults 14-7; Disabling QoS 14-7. Chapter: Configuring Multicast Services 15-1; Understanding How Multicasting Works 15-1; Understanding Multicasting and Multicast Services Operation 15-1; Joining a Multicast Group 15-2; Leaving a Multicast Group 15-2...
Disabling Multicast Group Entries 15-17; Filtering IGMP Traffic 15-17; Using IGMP Traffic Filtering 15-18; IGMP Software Requirements 15-18; Default IGMP Filter Configuration 15-18; IGMP Multicast Filter Activation 15-19; Configuring Port IP Multicast Filtering 15-20. Chapter: Configuring Port Security 16-1; Understanding How Port Security Works 16-1; Allowing Traffic Based on the Host MAC Address...
Configuring the IP Permit List on the Switch 18-2; Adding IP Addresses to the IP Permit List 18-2; Enabling the IP Permit List 18-3; Disabling the IP Permit List 18-4; Clearing an IP Permit List Entry 18-4. Chapter: Configuring Protocol Filtering 19-1; Understanding How Protocol Filtering Works...
Setting the CDP Enable State on a Port 21-2; Setting the CDP Message Interval 21-4; Setting the CDP Holdtime 21-4; Displaying CDP Neighbor Information 21-5. Chapter: Using Switch TopN Reports 22-1; Understanding How Switch TopN Reports Work 22-1; Running Switch TopN Reports Without the Background Option 22-2...
Configuring SNMPv3 from the CLI 24-14; Using CiscoWorks2000 24-17. Chapter: Configuring RMON 25-1; Understanding How RMON Works 25-1; Enabling RMON 25-2; Viewing RMON Data 25-2; Supported RMON and RMON2 MIB Objects 25-2. Chapter: Configuring SPAN and RSPAN 26-1; Understanding How SPAN and RSPAN Work...
Configuring a Login Banner 27-4; Clearing the Login Banner 27-5; Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner 27-5; Defining and Using Command Aliases 27-6; Defining and Using IP Aliases 27-7; Configuring Permanent and Static ARP Entries...
Setting the Default Power Allocation for a Port 28-19; Displaying the Power Status for Modules and Individual Ports 28-19. Chapter: Configuring VoIP 29-1; Hardware and Software Requirements 29-1; Overview of IP Phones 29-2; Configuring VoIP on a Switch 29-3; Configuring Switch Access Using AAA...
Accounting Events 30-48; Specifying When to Create Accounting Records 30-48; Specifying RADIUS Servers 30-49; Updating the Server 30-50; Suppressing Accounting 30-50; Configuring Accounting 30-50; Accounting Default Configuration 30-50; Accounting Configuration Guidelines 30-50; Configuring Accounting 30-51; Accounting Example 30-53. Chapter: Configuring 802.1x Authentication 31-1; Understanding How 802.1x Authentication Works...
Setting the Trace Severity 31-15; Using the show Commands 31-16. Chapter: Modifying the Switch Boot Configuration 32-1; Understanding How the Switch Boot Configuration Works 32-1; Understanding the Boot Process 32-1; Understanding the ROM Monitor 32-2; Understanding the Configuration Register 32-2...
Uploading System Software Images to an rcp Server 33-8; Preparing to Upload an Image to an rcp Server 33-9; Uploading Software Images to an rcp Server 33-9; Upgrading the ROM Monitor 33-9. Chapter: Working With the Flash File System 34-1; Working With the Flash File System on the Switch 34-1...
Default System Message Logging Configuration 37-4; System Log Message Format 37-4; Configuring System Message Logging on the Switch 37-5; Configuring Session Logging Settings 37-5; Configuring the System Message Logging Levels 37-6; Enabling and Disabling the Logging Time Stamp 37-6; Setting the Logging Buffer Size 37-7; Limiting the Number of syslog Messages...
Preface. This preface describes who should read the Software Configuration Guide, how it is organized, and its document conventions. Audience: This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst enterprise LAN switches. Organization: This publication is organized as follows (Chapter, Title, Description)...
Chapter 14 Configuring QoS Describes how to configure quality of service (QoS). Chapter 15 Configuring Multicast Services Describes how to configure Cisco Group Management Protocol (CGMP), Internet Group Management Protocol (IGMP) snooping, and GARP Multicast Registration Protocol (GMRP) on the switch.
Chapter 27 Administering the Switch Describes how to set the system name, create a login banner, and perform other administrative tasks on the switch. Chapter 28 Power Management Describes power management on the Catalyst 4000 series switches and the Catalyst 4500 series switches, and explains how to configure inline power.
Conventions. Throughout this publication, these conventions are used in reference to switch platforms:
• Catalyst enterprise LAN switches: refers to the Catalyst 4000 series and Catalyst 4500 series switches, Catalyst 2948G, and Catalyst 2980G switches.
• Catalyst 4000 family switches: refers to the Catalyst 4000 series and Catalyst 4500 series switches.
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://tools.cisco.com/RPF/register/register.do...
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL: http://www.ciscopress.com •...
Chapter 1 Product Overview. The Catalyst enterprise LAN switches facilitate the migration from traditional shared-hub LANs to large-scale, fully integrated internetworks. These switches provide switched connections to individual workstations, servers, LAN segments, backbones, or other switches, using a variety of media. This chapter consists of these sections: Catalyst 4000 Series Switches, page 1-1 •...
Catalyst 2980G Switch. Note: For installation information and a complete description of the Catalyst 2980G switch hardware, refer to the Catalyst 2948G and 2980G Installation Guide. Table 1-3 describes the Catalyst 2980G switch. Table 1-3 Catalyst 2980G Switch: Product Number...
2948G, and Catalyst 2980G Switches Command Reference. For descriptions of the commands used to configure the Route Switch Module (RSM) and Route Switch Feature Card (RSFC), refer to the Cisco IOS software command reference publications. This chapter consists of these sections: •...
“Example of a Catalyst 4003 Bootup Display” section on page 2-9). If the switch is already booted, press Enter to see this display: Cisco Systems, Inc. Console Enter password: After you successfully connect to the switch through the console port, you can use normal-mode commands to monitor the switch or enter privileged mode to change the configuration.
Trying 172.16.10.10... Connected to Catalyst_1. Escape character is '^]'. Cisco Systems Console Enter password: After you successfully connect to the switch using Telnet, you can use normal-mode commands to monitor the switch or enter privileged mode to change the configuration.
Step 3 To disconnect from the switch CLI, enter the exit command. Console> exit Session Disconnected... Cisco Systems Console Fri Aug 27 1999, 16:14:41 Enter password: Many commands (for example, commands that modify the configuration) can be used only in privileged mode.
permit Set IP Permit List redirect Set ICMP redirect enable/disable route Set IP routing table entry unreachable Set ICMP unreachable messages Console> (enable) set ip Note: The system repeats the command you entered without the question mark (?). To use the partial-keyword-lookup function, enter ? to display a list of commands that begin with a specific set of characters.
History Substitution. The history buffer stores the last 20 commands that you entered during a terminal session. History substitution allows you to repeat these commands using special abbreviated commands that are similar to those used on the UNIX command line.
Task / Keystrokes: to scroll down one line, press the Return key; to scroll down one screen, press the Spacebar; to quit from the More program, press the Q key. Using Command Aliases. Aliases are not case sensitive;...
Table 2-4 Designating Ports and Port Ranges (Example / Function):
2/1 specifies port 1 on module 2
3/4-8 specifies ports 4, 5, 6, 7, and 8 on module 3
5/2,5/4,6/10 specifies ports 2 and 4 on module 5 and port 10 on module 6
3/1-2,4/8 specifies ports 1 and 2 on module 3 and port 8 on module 4
VLANs are identified using the VLAN ID, a single number that is associated with the VLAN.
ROM Monitor CLI. The ROM monitor is a ROM-based program that executes when the switch is powered on, reset, or when a fatal exception occurs. The system enters ROM monitor mode if the nonvolatile RAM (NVRAM) configuration is corrupted, if the switch does not find a valid system image, or if the configuration register is set to enter ROM monitor mode.
IP address for Catalyst not configured BOOTP/DHCP will commence after the ports are online Ports are coming online ... Cisco Systems, Inc. Console Enter password: 1999 Aug 12 14:34:05 %SYS-5-MOD_OK:Module 1 is online 1999 Aug 12 14:34:08 %SYS-5-MOD_OK:Module 3 is online...
The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), and VLAN membership. The out-of-band management interfaces (me1 and sl0) are not connected to the switching fabric and do not participate in any of these functions.
Understanding How Automatic IP Configuration Works. When you configure the IP address, subnet mask, and broadcast address (and when you configure VLAN membership on the sc0 interface) of the sc0 or me1 interface, you can access the switch through Telnet or SNMP.
If both the sc0 and me1 interfaces are unconfigured (IP address 0.0.0.0), the me1 interface is brought down to allow the switch to broadcast requests on the sc0 interface. If the me1 interface is configured and the sc0 interface is not, requests are not sent.
If a BOOTP response is received from a BOOTP server, the switch sets the in-band (sc0) interface IP address to the address that is specified in the BOOTP response. If no DHCPOFFER message or BOOTP response is received in reply, the switch rebroadcasts the request using an exponential backoff algorithm (the amount of time between requests increases exponentially).
Default IP Address and Default Gateway Configuration. Table 3-2 shows the default IP address and default gateway configuration. Table 3-2 Switch IP Address and Default Gateway Default Configuration (Feature / Default Value): In-band (sc0) interface...
Setting the Management Ethernet (me1) Interface IP Address. This example shows how to specify the VLAN assignment, assign an IP address, specify the subnet mask in dotted decimal format, and verify the configuration: Console>...
Configuring Default Gateways. Note: In some cases, you might want to configure static IP routes in addition to default gateways. For information on configuring static routes, see the “Configuring Static Routes” section on page 27-9.
Configuring the SLIP (sl0) Interface on the Console Port. default 10.1.1.10 10.0.0.0 10.1.1.100 0xff000000 default default 0xff000000 Console> (enable) This example shows how to configure two default gateways on a Catalyst 4500 series, Catalyst 2948G, or Catalyst 2980G switch, with one default gateway reachable through the sc0 interface and one reachable through the me1 interface: Console>...
This example shows how to configure SLIP on the console port and verify the configuration: sparc20% telnet 172.20.52.38 Trying 172.20.52.38 ... Connected to 172.20.52.38. Escape character is '^]'. Cisco Systems, Inc. Console Enter password: Console> enable Enter password: Console> (enable) set interface sl0 10.1.1.1 10.1.1.2 Interface sl0 slip and destination address set.
Renewing and Releasing a DHCP-Assigned IP Address (Task / Command). Step 3 Add an entry for each switch in the DHCP, BOOTP, or RARP server configuration, mapping the MAC address of the switch to the IP configuration information for the switch (no switch command).
This example shows how to renew the lease on a DHCP-assigned IP address: Console> (enable) set interface sc0 dhcp renew Renewing IP address... Console>...
Chapter 4 Configuring Ethernet and Fast Ethernet Switching. This chapter describes how to configure Ethernet and Fast Ethernet switching on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Ethernet and Fast Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet uplink ports.
The Catalyst enterprise LAN switches solve congestion problems that are caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps segment.
Table 4-1 Ethernet and Fast Ethernet Default Configurations (Feature / Default Value): Port enable state: All ports are enabled; Port name: None; Port priority: Normal; Duplex mode: Autonegotiate speed and duplex for 10/100-Mbps Fast •...
This example shows how to set the name for ports 1/1 and 1/2 and how to verify that the port names are configured correctly: Console> (enable) set port name 1/1 Router Connection Port 1/1 name set.
Caution: Make sure that the device on the other end of the link is also configured for autonegotiation, or a port speed or duplex mismatch will result. Note: If the port speed is set to auto on a 10/100-Mbps Fast Ethernet port, both speed and duplex are autonegotiated.
Setting Ethernet and Fast Ethernet Port Debounce Timers. You can set the port debounce timer on a per-port basis for Ethernet, Fast Ethernet, and Gigabit Ethernet ports.
This example shows how to display the per-port debounce timer settings: Console> (enable) show port debounce Port Debounce link timer ----- --------------- enable disable Console> (enable) Configuring errdisable State Ethernet and Fast Ethernet Port Timeout Periods. A port is in errdisable state if it has been enabled in NVRAM but disabled at runtime by any process.
This example shows how to display the errdisable timeout configuration: Console> (enable) show errdisable-timeout ErrDisable Reason Timeout Status ------------------- ------------ bpdu-guard Enable channel-misconfig Disable duplex-mismatch Enable udld Enable other...
Chapter 5 Configuring Gigabit Ethernet Switching. This chapter describes how to configure Gigabit Ethernet switching on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Gigabit Ethernet switching modules, fixed-configuration switches, and uplink ports on the supervisor engine. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Table 5-1 Send Capability by Switch Type, Module, and Ports (Switch Type / Module / Ports / Send): Catalyst 4000 and Catalyst 4500 / All modules except WS-X4418-GB and WS-X4412-2GB-T / All ports except for the oversubscribed ports listed below; Catalyst 4000 / WS-X4418-GB...
With Gigabit Ethernet ports, port negotiation is used to exchange flow-control parameters, remote fault information, and duplex information (even though Cisco Gigabit Ethernet ports only support full-duplex mode). With Gigabit Ethernet ports, you configure port negotiation using the set port negotiation command.
• WS-X4418-GB: This 1000BASE-X 18-port module provides 2 dedicated uplink module ports (GBIC) and 16 oversubscribed ports (possible blocking).
• WS-X4424-GB-RJ45: This 10/100/1000BASE-TX module provides 24 oversubscribed ports (possible blocking).
•...
Table 5-8 shows how the oversubscribed ports are grouped for module WS-X4448-GB-RJ45. Table 5-8 Oversubscribed Port Groupings for Module WS-X4448-GB-RJ45: 1, 2, 3, 4, 5, 6, 9, 10, 11, 12, 17, 18, 19, 20, 25, 26, 27, 28, 33, 34, 35, 36,...
Configuring Gigabit Ethernet Ports. The following sections describe how to configure Gigabit Ethernet switching ports on the Catalyst enterprise LAN switches. Note: For information on configuring Gigabit EtherChannel, see Chapter 6, “Configuring Fast EtherChannel and Gigabit EtherChannel.”...
To configure the port priority level, perform this task in privileged mode (Task / Command): Step 1 Configure the priority level for a port: set port level mod_num/port_num {normal | high}. Step 2 Verify that the port priority level is configured correctly.
Enabling Port Negotiation on Gigabit Ethernet Ports. Note: You cannot enable port negotiation on 1000BASE-T Gigabit Ethernet ports in this release. If a 1000BASE-T GBIC (Gigabit Interface Converter) is inserted in a port that was previously configured as negotiation disabled, the negotiation disabled setting is ignored and the port operates in negotiation-enabled mode.
Checking Gigabit Ethernet Port Connectivity. Note: For more detailed information on checking connectivity, see Chapter 20, “Checking Status and Connectivity.” Enter the ping and traceroute commands to test connectivity out Gigabit Ethernet ports. To check connectivity out a port, perform this task in privileged mode (Task / Command)...
Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel. This chapter describes how to configure Fast EtherChannel and Gigabit EtherChannel port bundles on the Catalyst enterprise LAN switches. The configuration procedures in this chapter apply to Fast Ethernet and Gigabit Ethernet switch ports on switching modules and fixed-configuration switches, as well as to supervisor engine Fast Ethernet and Gigabit Ethernet uplink ports.
PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches and those switches released by licensed vendors. LACP, which is defined in IEEE 802.3ad, allows Cisco switches to manage Ethernet channeling with devices that conform to the 802.3ad specification.
EtherChannel Configuration Guidelines and Restrictions. If improperly configured, some EtherChannel ports are disabled automatically to avoid network loops and other problems. Follow the guidelines below to avoid configuration problems. Note: Except where noted, these guidelines apply to both PAgP and LACP.
An EtherChannel will not form if protocol filtering is set differently on the ports.
• Cisco Discovery Protocol (CDP) runs on the physical port even after the port is added to a channel. VLAN Trunking Protocol (VTP) and Dual Ring Protocol (DRiP) run on the channel.
Understanding the PAgP. Use the information in the following sections if you are configuring EtherChannel using PAgP. If you are using LACP, see the “Understanding the LACP” section on page 6-16.
Ports can form an EtherChannel when they are in different channel modes as long as the modes are compatible, as follows:
• A port in desirable mode can form an EtherChannel successfully with another port that is in desirable or auto mode.
Creating an EtherChannel. You create an EtherChannel port bundle by specifying the ports in the channel and the channeling mode. When you create an EtherChannel, an administrative group number is assigned automatically if one is not already assigned to the specified ports.
To define an EtherChannel administrative group, perform this task in privileged mode (Task / Command): Step 1 Define the administrative group by specifying the ports in the group: set port channel port_list admin_group.
Console> (enable) set channel cost 768 12 Port(s) 1/1,1/2 port path cost are updated to 31. Channel 768 cost is set to 12. Warning:channel cost may not be applicable if channel is broken. Console>...
This example shows how to return a channel to its default configuration and how to verify the configuration: Console> (enable) set port channel 3/5-6 mode auto Port(s) 3/5-6 channel mode set to auto. Console>...
Port Port Portfast Port Port priority vlanpri vlanpri-vlans ----- -------- -------- ------- ------------------------------------------------ 32 disabled 32 disabled ----- -------- -------- ------- ------------------------------------------------ Port Group ----- -------- -------- -------- auto-on auto-on auto-on...
-------- ---------- ---------- ---------- ---------- ---------- ---------- Console> (enable) Displaying EtherChannel PAgP Statistics. To display EtherChannel PAgP statistics, perform one of these tasks in privileged mode (Task / Command): Display EtherChannel PAgP statistics by port: show port channel [mod_num[/port_num]] statistics. Display EtherChannel PAgP statistics by...
Figure 6-1 Example of a Fast EtherChannel Port Bundle (Switch A, Switch B, Fast EtherChannel port bundle). To configure a four-port EtherChannel link between two switches, follow these steps: Step 1 Make sure that all ports on Switch A and Switch B have the same port configuration, including VLAN membership, speed, and duplex.
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2 %PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3 %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2 %PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3 %PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4 %PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-4 %PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-4...
Figure 6-2 Example of a Gigabit EtherChannel Port Bundle (Switch A, Switch B, Gigabit EtherChannel port bundle). To configure a two-port Gigabit EtherChannel link between two switches, follow these steps: Step 1 Make sure that all ports on Switch A and Switch B have the same port configuration, such as VLAN membership.
Step 4 After the EtherChannel bundle is negotiated, enter the show port channel command to verify the configuration. If you configure only the ports on one side of the link on, the show port channel command will show that the ports are channeling, but no traffic will pass over the EtherChannel.
Table 6-2 EtherChannel Modes That Use LACP (continued) (Mode / Description): passive (Default): LACP mode that places a port into a passive negotiating state in which the port responds to LACP packets it receives but does not initiate LACP packet negotiation. active: LACP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending LACP packets.
Configuring EtherChannel Using LACP. These sections describe how to configure EtherChannel using LACP:
• Specifying the EtherChannel Protocol, page 6-18
• Specifying the System Priority, page 6-19
• Specifying the Port Priority, page 6-19
•...
Specifying the System Priority. Note: Although the set lacp-channel system-priority command is a global option, it applies only to modules on which LACP is enabled; it is ignored on modules running PAgP. The system priority value must be a number in the range of 1–65,535, where higher numbers represent lower priority.
You can assign an administrative key value to a set of ports. If you do not specify an administrative key value, the system automatically selects a value. In both cases, the value can range from 1–1024. If you choose a value for the administrative key, and this value has already been used in the system, then the system moves all the ports originally associated with the previously assigned administrative key value to another automatically assigned value, and it assigns the modules and ports you specified in the...
This example shows how to change the channel mode for ports 4/1 and 4/6, setting it to on. The administrative key for ports 4/1 and 4/6 is unchanged.
Console>...
Disabling an EtherChannel
To disable an EtherChannel, perform this task for ports 2/2 to 2/8:
Task: Disable an EtherChannel. Command: set port lacp-channel mod/port mode off
This example shows how to disable an EtherChannel:
Console>...
Chapter 7 Configuring Spanning Tree
This chapter describes the IEEE 802.1D bridge Spanning Tree Protocol (STP) and how to use and configure Cisco’s proprietary STPs, Per VLAN Spanning Tree + (PVST+), and Multi-Instance Spanning Tree Protocol (MISTP) on the Catalyst enterprise LAN switches.
Understanding How STPs Work
This section describes the specific functions that are common to all spanning tree protocols. The Cisco proprietary spanning tree protocols, PVST+ and MISTP, are based on the IEEE 802.1D STP. (See the “Understanding How PVST+ and MISTP Modes Work”...
The following three things determine the topology of an active switched network:
• The unique switch identifier (MAC address of the switch) that is associated with each switch
• The path cost to the root associated with each switch port
• ...
Understanding BPDUs
BPDUs contain configuration information about the transmitting switch and its ports, including switch and port MAC addresses, switch priority, port priority, and port cost. Each configuration BPDU contains this information:
• The unique identifier of the switch that the transmitting switch believes to be the root switch
• ...
Table 7-1 Default Port Cost Values Using the Short Method
Port Speed / Default Cost Value / Default Range
10 Mbps / … / 1 to 65535
100 Mbps / … / 1 to 65535
1 Gbps / … / 1 to 65535
Calculating the Port Cost Using the Long Method
802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the port bandwidth.
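The two cost methods side by side, as an added example that is not part of the Cisco guide. The short-method default values and the 802.1t long-method formula (20 Tbit/s divided by the link speed, capped at 200,000,000) are taken from the IEEE standards, not from Table 7-1 above, whose default-cost column did not survive extraction; the fallback rule of 1000 divided by the speed in Mbit/s for speeds outside the table is the older 802.1D-1990 rule and is an assumption of this example. The 1 Gbps long cost of 20000 matches the port costs shown in the show spantree output later in this chapter.

```python
"""Added example (not from the Cisco guide): spanning tree default port costs
by the 802.1D short method and the 802.1t long method, and why the long
method matters once links faster than 1 Gbps are in the path."""

# IEEE 802.1D-1998 recommended 16-bit (short) default costs, keyed by link speed in bit/s.
SHORT_DEFAULT_COST = {
    10_000_000: 100,
    100_000_000: 19,
    1_000_000_000: 4,
    10_000_000_000: 2,
}
SHORT_MAX = 65535                          # short-method range is 1 to 65535 (Table 7-1)

LONG_REFERENCE_BPS = 20_000_000_000_000    # 802.1t: cost = 20 Tbit/s / link speed
LONG_MAX = 200_000_000                     # 802.1t upper bound for a single link


def short_port_cost(link_speed_bps: int) -> int:
    """Short-method default cost; speeds not in the 802.1D table fall back to the
    older 1000 / (speed in Mbit/s) rule (assumption), clamped to 1..65535."""
    if link_speed_bps <= 0:
        raise ValueError("link speed must be positive")
    if link_speed_bps in SHORT_DEFAULT_COST:
        return SHORT_DEFAULT_COST[link_speed_bps]
    cost = 1_000_000_000 // link_speed_bps
    return max(1, min(cost, SHORT_MAX))


def long_port_cost(link_speed_bps: int) -> int:
    """802.1t long-method default cost, clamped to 1..200,000,000."""
    if link_speed_bps <= 0:
        raise ValueError("link speed must be positive")
    cost = LONG_REFERENCE_BPS // link_speed_bps
    return max(1, min(cost, LONG_MAX))


def root_path_cost(link_speeds_bps, method: str = "long") -> int:
    """Root path cost of one path: the sum of the costs of the links a BPDU crosses."""
    cost_fn = long_port_cost if method == "long" else short_port_cost
    return sum(cost_fn(speed) for speed in link_speeds_bps)


def preferred_path(paths, method: str = "long") -> int:
    """Index of the path with the lowest root path cost; the first path wins ties,
    which stands in for the bridge-ID and port-ID tie-breaks of the real election."""
    costs = [root_path_cost(path, method) for path in paths]
    return min(range(len(costs)), key=lambda i: (costs[i], i))


if __name__ == "__main__":
    # Constructed sample: one 1 Gbps hop versus two 10 Gbps hops to the root.
    sample_paths = [[1_000_000_000], [10_000_000_000, 10_000_000_000]]
    for method in ("short", "long"):
        print(method, [root_path_cost(p, method) for p in sample_paths],
              "preferred:", preferred_path(sample_paths, method))
```

With the short method both sample paths cost 4, so the choice falls to the tie-break rather than to bandwidth; the long method costs them 20000 and 4000 and picks the faster path.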
• Listening
• Learning
• Forwarding
• Disabled
A port moves through these states:
• From initialization to blocking
• From blocking to either listening or disabled
• From listening to either learning or disabled
• ...
Blocking State
A port in the blocking state, such as Port 2 in Figure 7-3, does not participate in frame forwarding. After initialization, a BPDU is sent to each port in the switch. A switch initially assumes it is the root until it exchanges BPDUs with other switches.
Figure 7-4 Port 2 in Listening State
Figure 7-5 Port 2 in Learning State
Figure 7-6 Port 2 in Forwarding State
Disabled State
A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 7-7. A port in the disabled state is virtually nonoperational.
Figure 7-7 Port 2 in Disabled State
The following sections provide an overview of each mode.
Caution If your network currently uses PVST+ and you plan to use MISTP on any switch, you must first enable MISTP-PVST+ on the switch and configure an MISTP instance to avoid causing network loops.
MISTP-PVST+ Mode
MISTP-PVST+ is a transition spanning tree mode that allows you to use the MISTP functionality on Catalyst 4500 series switches while continuing to communicate with the older Catalyst 5000 family and 6500 series switches in your network that use PVST+.
IEEE standard. The protocol as implemented in this release is backward compatible with 802.1D STP, 802.1w, the Rapid Spanning Tree Protocol (RSTP), and the Cisco PVST+ architecture. MST allows you to build multiple spanning trees over VLAN trunks. You can group and associate VLANs to spanning tree instances.
MST uses the modified RSTP version called the Multiple Spanning Tree Protocol (MSTP). The MST feature has these characteristics:
• MST runs a variant of spanning tree called Internal Spanning Tree (IST). IST augments the Common Spanning Tree (CST) information with internal information about the MST region.
• Do not connect switches with access links because access links may partition a VLAN.
• Any MST configuration involving a large number of either existing or new logical VLAN ports should be carried out during the maintenance window.
RSTP Port States
The port state controls the forwarding and learning processes and provides the values of discarding, learning, and forwarding. Table 7-3 provides a comparison between STP port states and RSTP port states.
To the spanning tree protocol running in the SST region, an MST region appears as a single SST or pseudobridge. Pseudobridges operate as follows:
• The same values for root identifiers and root path costs are sent in all BPDUs of all the pseudobridge ports.
• MST configuration table—An array of 4096 bytes. Each byte, interpreted as an unsigned integer, corresponds to a VLAN. The value is the instance number to which the VLAN is mapped. The first byte that corresponds to VLAN 0 and the 4096th byte that corresponds to VLAN 4095 are unused and always set to zero.
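The configuration table described above, built and checked in code as an added example that is not part of the Cisco guide. It takes VLAN lists in the form that show spantree mst config prints later in this chapter (for example 1,51-4094), fills the 4096-byte array, rejects a VLAN listed under two instances, and reports the VLANs on which two switches' tables disagree; the instance numbers 0 to 4 given to the sample mapping are an assumption, since the instance column of that output did not survive extraction.

```python
"""Added example (not from the Cisco guide): the 4096-byte MST configuration
table that maps every VLAN to an MST instance, built from an instance-to-VLAN
mapping and compared between two switches."""

TABLE_SIZE = 4096


def parse_vlan_list(spec: str) -> set:
    """Expand a VLAN list such as '1,51-4094' or '2-20' into a set of VLAN ids (1..4094)."""
    vlans = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        low, high = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN id out of range in '{item}'")
        vlans.update(range(low, high + 1))
    return vlans


def build_config_table(instance_vlans: dict) -> bytes:
    """Return the MST configuration table: byte v holds the instance number of VLAN v.

    VLANs not named under any instance stay in instance 0 (the IST); byte 0
    (VLAN 0) and byte 4095 (VLAN 4095) are unused and remain zero.  A VLAN listed
    under two different instances is a mapping conflict and is rejected.
    """
    table = bytearray(TABLE_SIZE)
    owner = {}
    for instance, spec in instance_vlans.items():
        if not 0 <= instance <= 255:
            raise ValueError(f"instance {instance} does not fit in one byte")
        for vlan in parse_vlan_list(spec):
            if vlan in owner and owner[vlan] != instance:
                raise ValueError(
                    f"VLAN {vlan} mapped to both instance {owner[vlan]} and {instance}")
            owner[vlan] = instance
            table[vlan] = instance
    return bytes(table)


def validate_config_table(table: bytes) -> bool:
    """True if the table has the required size and both unused bytes are zero."""
    return len(table) == TABLE_SIZE and table[0] == 0 and table[TABLE_SIZE - 1] == 0


def table_to_mapping(table: bytes) -> dict:
    """Invert a table back to {instance: sorted list of VLANs} for display or diffing."""
    mapping = {}
    for vlan in range(1, TABLE_SIZE - 1):
        mapping.setdefault(table[vlan], []).append(vlan)
    return mapping


def mapping_differences(table_a: bytes, table_b: bytes) -> list:
    """VLANs whose instance differs between two switches' tables.

    An empty list means the VLAN-to-instance mapping agrees; the switches can then
    share an MST region if their region name and revision also match.
    """
    if not (validate_config_table(table_a) and validate_config_table(table_b)):
        raise ValueError("malformed MST configuration table")
    return [v for v in range(1, TABLE_SIZE - 1) if table_a[v] != table_b[v]]


# Constructed sample: the mapping shown in this chapter's 'show spantree mst config'
# output, with instance numbers 0..4 assumed in the order the rows appear.
SAMPLE_MAPPING = {0: "1,51-4094", 1: "2-20", 2: "21-30", 3: "31-40", 4: "41-50"}

if __name__ == "__main__":
    table = build_config_table(SAMPLE_MAPPING)
    for instance, vlans in sorted(table_to_mapping(table).items()):
        print(f"instance {instance}: {len(vlans)} VLANs, first {vlans[0]}, last {vlans[-1]}")
```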
IST Master
The IST master of an MST region is the bridge with the lowest bridge identifier and the least path cost to the CST root. If an MST bridge is the root bridge for CST, then it is the IST master of that MST region. If the CST root is outside the MST region, then one of the MST bridges at the boundary is selected as the IST master.
Message Age and Hop Count
IST and MST instances do not use the Message Age and Maximum Age timer settings in the BPDU. IST and MST use a separate hop count mechanism that is very similar to the IP TTL mechanism. You can configure each MST bridge with a maximum hop count.
When you connect a PVST+ switch to two different MST regions, the topology change from the PVST+ switch does not pass beyond the first MST region. In this case, the topology changes are only propagated in the instance to which the VLAN is mapped.
Using PVST+
Default PVST+ Configuration
Table 7-4 shows the default PVST+ configuration.
Table 7-4 PVST+ Default Configuration
Feature: VLAN 1. Default Value: All ports assigned to VLAN 1
Feature: Enable state. Default Value: PVST+ enabled for all VLANs
Feature: MAC address reduction. Default Value: Disabled
Feature: Bridge priority. Default Value: ...
This example shows how to set the PVST+ bridge ID when MAC address reduction is not enabled (default):
Console> (enable) set spantree priority 30000 1
Spantree 1 bridge priority set to 30000.
Console> (enable) show spantree 1
VLAN 1
Spanning tree mode PVST+...
Configuring the PVST+ Port Cost
You can configure the port cost of switch ports. Ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex), and higher numbers to ports that are attached to slower media. The possible range of cost is from 1–65535.
To configure the port VLAN cost for a port, perform this task in privileged mode:
Task: Configure the port VLAN cost for a VLAN on a switch port. Command: set spantree portvlancost {mod/port} [cost cost] [vlan_list]
This example shows how to configure the port VLAN cost on a port:
Console>...
Disabling the PVST+ Mode on a VLAN
When the switch is in PVST+ mode, you can disable spanning tree on individual VLANs or all VLANs. When you disable spanning tree on a VLAN, the switch does not participate in spanning tree and any BPDUs that are received in that VLAN are flooded on all ports.
This example shows how to configure Rapid PVST+:
Console> (enable) set spantree mode rapid-pvst+
Spantree mode set to RAPID-PVST+.
Console> (enable) set spantree link-type 3/1 point-to-point
Link type set to point-to-point on port 3/1.
Console>...
Using MISTP-PVST+ or MISTP
The default spanning tree mode on the Catalyst 4500 series switches is PVST+ mode. If you want to use MISTP mode in your network, we recommend that you carefully follow the procedures that are described in the following sections in order to avoid loss of connectivity in your network.
Table 7-5 MISTP Mode Default Configuration (continued)
Feature: Hello time. Default Value: 2 sec
Feature: Forward delay time. Default Value: 15 sec
Setting the MISTP-PVST+ Mode or MISTP Mode
If you enable MISTP in a PVST+ network, you must be very careful to avoid bringing down the network. This section explains how to enable MISTP or MISTP-PVST+ on your network.
This example shows how to display the spanning tree VLAN instance mapping in MISTP mode:
Console> (enable) set spantree mode mistp
PVST+ database cleaned up.
Spantree mode set to MISTP.
Console> (enable) show spantree mapping
Inst Root Mac Vlans
---- ----------------- --------------------------...
Root Max Age 20 sec Hello Time 2 Forward Delay 15 sec
Bridge ID MAC ADDR 00-d0-02-27-9c-00
Bridge ID Priority 32769 (bridge priority:32768, sys ID ext:1)
VLANs mapped: 1,74
Bridge Max Age 20 sec Hello Time 2 Forward Delay 15 sec
Port...
Bridge ID Priority 32769 (bridge priority:32768, sys ID ext:1)
VLANs mapped: 1,74
Bridge Max Age 20 sec Hello Time 2 Forward Delay 15 sec
Port Inst Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
forwarding 20000...
Bridge Max Age 20 sec Hello Time 2 Forward Delay 15 sec
Port Inst Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
forwarding 20000 32 disabled 0
forwarding 200000 32 disabled 0...
This example shows how to configure the port instance priority on an MISTP instance and verify the configuration:
Console> (enable) set spantree portinstancepri 1/1 16 2
Port 1/1 MISTP Instances 2 using portpri 16.
Port 1/1 mistp-instance 1,3-16 using portpri 32.
• You can only map Ethernet VLANs to MISTP instances.
• At least one VLAN in the instance must have an active port in order for MISTP-PVST+ or MISTP to be active.
• ...
To determine VLAN mapping conflicts, perform this task in privileged mode:
Task: Determine VLAN mapping conflicts. Command: show spantree conflicts vlan
This example shows that there is an attempt to map VLAN 2 to MISTP instance 1 and to MISTP instance 3 on two different switches, as seen from a third switch in the topology:
Console>...
Unmapping VLANs from an MISTP Instance
The keyword none is used to unmap the specified VLANs from the MISTP instances to which they are currently mapped. When you unmap a VLAN from an MISTP instance, the resulting state of all the ports of the VLAN (if the VLAN exists) is blocking.
Configuring a Root Switch
When you specify a switch as the primary root, the default bridge priority is modified so that it becomes the root for the specified VLANs. Set the bridge priority to 8192. If this setting does not result in the switch becoming a root, modify the bridge priority to be 1 less or the same as the bridge priority of the current root switch.
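The root election and the priority rule just described, as an added example that is not part of the Cisco guide. It compares bridge identifiers the way the election does (priority first, then MAC address, lower wins) and then computes the priority the set spantree root macro would have to assign: 8192 if that already wins, otherwise the current root's own priority when this switch's MAC address breaks the tie in its favour, or one less than the root's priority. MAC address reduction is assumed disabled, so any priority from 0 to 65535 is usable; the switch names are constructed and the MAC addresses are reused from this chapter's show output.

```python
"""Added example (not from the Cisco guide): spanning tree root election from
bridge identifiers, and the bridge priority the 'set spantree root' rule in
this section arrives at for a switch that is to become the root."""


def mac_to_int(mac: str) -> int:
    """Turn '00-d0-02-27-9c-00' (or the colon form) into an integer for comparison."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID ordering used by the election: priority first, then MAC; lower wins.
    MAC address reduction is assumed disabled, so the full 0..65535 range is valid."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0..65535")
    return (priority, mac_to_int(mac))


def elect_root(bridges: dict) -> str:
    """bridges maps a switch name to (priority, mac); return the name of the root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_macro_priority(my_mac: str, root_priority: int, root_mac: str):
    """Priority this section's rule assigns to make the switch with my_mac the root:

    * 8192 when that already beats the current root's bridge ID;
    * otherwise the root's own priority if our MAC is lower (the tie-break then
      favours us), or one less than the root's priority;
    * None when no valid priority can win (root already at priority 0 with a
      lower MAC address).
    """
    me, root = mac_to_int(my_mac), mac_to_int(root_mac)
    if (8192, me) < (root_priority, root):
        return 8192
    if me < root:
        return root_priority
    if root_priority == 0:
        return None
    return root_priority - 1


def apply_root_macro(bridges: dict, candidate: str):
    """Simulate the rule on one switch; return (its new priority, the resulting root)."""
    current = elect_root(bridges)
    if current == candidate:
        return bridges[candidate][0], candidate   # already the root: nothing to change
    root_priority, root_mac = bridges[current]
    new_priority = root_macro_priority(bridges[candidate][1], root_priority, root_mac)
    if new_priority is None:
        return None, current
    updated = dict(bridges)
    updated[candidate] = (new_priority, bridges[candidate][1])
    return new_priority, elect_root(updated)


# Constructed sample topology: three switches at the default priority of 32768.
SAMPLE_BRIDGES = {
    "A": (32768, "00-10-7b-bb-2f-00"),
    "B": (32768, "00-d0-02-27-9c-00"),
    "C": (32768, "00-50-3e-66-d0-00"),
}

if __name__ == "__main__":
    print("root before:", elect_root(SAMPLE_BRIDGES))
    print("B after macro:", apply_root_macro(SAMPLE_BRIDGES, "B"))
```

At default priorities switch A wins on its lower MAC address; running the rule on B gives it priority 8192 and the root role. If A had already been set to 8192, B's higher MAC address would lose the tie-break, so the rule steps B down to 8191.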
To configure a switch as the secondary root switch, perform this task in privileged mode:
Task: Configure a switch as the secondary root switch. Command: set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]
This example shows how to configure the secondary root switch for VLANs 22 and 24:
Console>...
To speed up convergence, use nondefault parameter values that are permitted by the IEEE 802.1D standard. Nondefault parameters set for a reconvergence of 14 seconds are as follows:
Parameter: Network Diameter (dia). Time: 2 hops
Parameter: Hello Time. Time: 2 sec
...
Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Configuring Spanning Tree Timers
Spanning tree timers affect the spanning tree performance. You can configure the spanning tree timers for a VLAN in PVST+ or an MISTP instance in MISTP mode. If you do not specify a VLAN when the switch is in PVST+ mode, VLAN 1 is assumed.
Configuring the Forward Delay Time
Enter the set spantree fwddelay command to configure the spanning tree forward delay time for a VLAN. The possible range for delay is from 4–30 seconds. To configure the spanning tree forward delay time for a VLAN, perform this task in privileged mode:
Task Command...
Configuring MST
The following sections describe how to configure MST:
Enabling MST
To enable and configure MST on the switch, perform this task in privileged mode:
Step 1 Task: Begin in PVST+ mode. Command: set spantree mode mst [mistp | pvst+ | mistp-pvst+ | mst]
Step 2 Task: Display the STP ports.
Console> (enable) set spantree mst config name cisco revision 1
Edit Buffer modified.
Use 'set spantree mst config commit' to apply the changes.
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:...
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:
Configuration Name: Revision:0
Instance VLANs
-------- --------------------------------------------------------------
1-4094
=======================================================================
NEW MST Region Configuration (Not committed yet)
Configuration Name:cisco Revision:1
Instance VLANs
-------- --------------------------------------------------------------
1,51-4094
2-20
21-30
31-40
41-50
=======================================================================
Edit buffer is locked by:Console (pid 142)
Console>...
=======================================================================
Console> (enable)
Console> (enable) set spantree mode mst
PVST+ database cleaned up.
Spantree mode set to MST.
Console> (enable)
Console> (enable)
Console> (enable) show spantree mst 0
Spanning tree mode
Instance
VLANs Mapped: 1,51-4094
Designated Root 00-50-3e-66-d0-00...
BDRY 20000 32 31-40
4 forwarding BDRY 20000 32 41-50
Console> (enable)
Console> (enable)
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:
Configuration Name:cisco Revision:1
Instance VLANs
-------- --------------------------------------------------------------
1,51-4094
2-20
21-30
31-40
41-50
=======================================================================
Console> (enable)
Configuring the MST Bridge ID Priority
You can set the bridge ID priority for an MST instance when the switch is in MST mode.
Console> (enable) show spantree mst 3
Spanning tree mode
Instance
VLANs Mapped: 31-40
Designated Root 00-10-7b-bb-2f-00
Designated Root Priority 8195 (root priority:8192, sys ID ext:3)
Designated Root Cost
Remaining Hops 20
Designated Root Port
Bridge ID MAC ADDR 00-10-7b-bb-2f-00
Bridge ID Priority...
Configuring the MST Port Priority
You can configure the port priority of ports. The port with the lowest priority value forwards frames for all VLANs. The possible port priority value is from 0–63; the default is 32. If all ports have the same priority value, the port with the lowest port number forwards frames.
Console> (enable) show spantree mst 4
Spanning tree mode
Instance
VLANs Mapped: 41-50
Designated Root 00-10-7b-bb-2f-00
Designated Root Priority 32772 (root priority:32768, sys ID ext:4)
Designated Root Cost
Remaining Hops 20
Designated Root Port
Bridge ID MAC ADDR 00-10-7b-bb-2f-00
Bridge ID Priority...
[instance] [active] mod/port
This example shows how to map a VLAN to MST instance 1 and verify the mapping:
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:
Configuration Name:cisco Revision:1
Instance VLANs
-------- --------------------------------------------------------------...
Console> (enable) set spantree mst 14 vlan 900-999
Edit Buffer modified.
Use 'set spantree mst config commit' to apply the changes.
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:
Configuration Name:cisco Revision:1
Instance VLANs
-------- --------------------------------------------------------------
1,51-4094...
Console> (enable) show spantree mst config
Current (NVRAM) MST Region Configuration:
Configuration Name:cisco Revision:1
Instance VLANs
-------- --------------------------------------------------------------
1,51-4094
2-20
21-30
31-40
41-50
=======================================================================
NEW MST Region Configuration (Not committed yet)
Configuration Name:cisco...
=======================================================================
Console> (enable)
Console> (enable) show spantree mst 3
Spanning tree mode
Instance
VLANs Mapped: 31-40
Designated Root 00-10-7b-bb-2f-00
Designated Root Priority 8195 (root priority:8192, sys ID ext:3)
Designated Root Cost
Remaining Hops 20
Designated Root Port
Bridge ID MAC ADDR...
Configuring Spanning Tree BPDU Skewing
This example shows how to configure BPDU skewing and view the skewing statistics:
Console> (debug-eng) set spantree bpdu-skewing
Usage:set spantree bpdu-skewing <enable|disable>
Console> (debug-eng)
Console> (debug-eng)
Console> (debug-eng) set spantree bpdu-skewing enable
Spantree bpdu-skewing enabled on this switch.
Chapter 8 Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard
This chapter describes how to configure the PortFast, BPDU guard, BPDU filter, UplinkFast, BackboneFast, and loop guard spanning tree enhancements on the Catalyst enterprise LAN switches. For information on configuring spanning tree, see Chapter 7, “Configuring Spanning Tree.”...
You can use PortFast on switch or trunk ports connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
Understanding How UplinkFast Works
UplinkFast provides fast convergence using uplink groups in the network access layer after a spanning tree topology change. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time.
As soon as the switch transitions the alternate port to the forwarding state, the switch begins transmitting dummy multicast frames on that port, one for each entry in the local Enhanced Address Recognition Logic (EARL) table (except those entries that are associated with the failed root port).
Figure 8-3 Example of BackboneFast before Indirect Link Failure (Switch A, Switch B as root, and Switch C with a blocked port)
If link L1 fails, Switch C detects this failure as an indirect failure, since it is not connected directly to link L1.
Figure 8-5 Adding a Switch in a Shared-Medium Topology (Switch A as root, Switch B, Switch C as designated bridge, a blocked port, and the added switch)
Understanding How Loop Guard Works
Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent.
Figure 8-6 Triangle Switch Configuration with Loop Guard (designated port, root port, and alternate port)
Figure 8-6 illustrates the following configuration:
• ...
PVID-inconsistent ports. If the port is already blocked by loop guard, misconfigured BPDUs received on the port make loop guard recover, but the port is moved into the type-inconsistent state or PVID-inconsistent state.
This example shows how to enable PortFast on port 1 of module 4 and verify the configuration (the PortFast status is shown in the “Fast-Start” column):
Console>...
1005 not-connected 32 enabled
Console> (enable) show spantree portfast 4/1
Portfast:enable trunk
Portfast BPDU guard is disabled.
Portfast BPDU filter is disabled.
Console>
Note When you enable PortFast between two switches, the system will verify that there are no loops in the network before bringing the blocking trunk to a forwarding state.
Resetting PortFast
To reset PortFast on a switch or trunk port to its default settings, perform this task in privileged mode:
Task Command
Step 1...
This example shows how to enable PortFast BPDU guard on module 6 port 1, and verify the configuration in the Per VLAN Spanning Tree + (PVST+) mode:
Console>...
Configuring UplinkFast
The following sections describe how to configure the UplinkFast feature on the switch.
Enabling UplinkFast
When you enable UplinkFast on the switch, UplinkFast processing is enabled and the spanning tree bridge priority for all VLANs is set to 49,152, making it unlikely that the switch will become the root switch.
1/1(fwd),1/2
1/2(fwd)
1/1(fwd),1/2
1/1(fwd),1/2
1/1(fwd),1/2
1/1(fwd),1/2
Console> (enable)
This example shows how to display the UplinkFast feature settings for all VLANs:
Console> show spantree uplinkfast
Station update rate set to 15 packets/100ms.
This example shows how to disable UplinkFast on the switch and restore the default bridge priority, port cost, and port-VLAN cost values:
Console> (enable) clear spantree uplinkfast
This command will cause all portcosts, portvlancosts, and the bridge priority on all vlans to be set to default.
This example shows how to display BackboneFast statistics:
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan
Uplinkfast disabled for bridge.
Backbonefast enabled for bridge.
To enable loop guard on an individual port, perform this task in privileged mode:
Step 1 Task: Enable loop guard on a port. Command: set spantree guard {root | loop | none} mod/port
Step 2 Task: Verify that loop guard is enabled.
Chapter 9 Configuring VTP
This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Understanding How VTP Version 1 and Version 2 Work
These sections describe how VTP works:
• Understanding the VTP Domain, page 9-2
• Understanding VTP Modes, page 9-2
• Understanding VTP Advertisements, page 9-3
• Understanding VTP Version 2, page 9-3
• ...
• Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
Understanding VTP Pruning
Note Enabling VTP pruning on a VTP version 3 switch only enables pruning on the switch that you enable it on. VTP pruning is not propagated as it is with VTP version 1 and VTP version 2.
VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets.
Default VTP Version 1 and Version 2 Configuration
Figure 9-2 Flooding Traffic with VTP Pruning (Switches 1 through 6; flooded traffic on the VLAN, with a pruned port on Switch 4)
Enabling VTP pruning on a VTP server enables pruning for the entire management domain.
VTP Version 1 and Version 2 Configuration Guidelines
This section describes the guidelines for implementing VTP in your network:
• All switches in a VTP domain must run the same VTP version.
• You must configure a password on each switch in the management domain when in secure mode.
Configuring a VTP Server
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network. To configure the switch as a VTP server, perform this task in privileged mode:
Task Command
Step 1...
This example shows how to configure the switch as a VTP client and verify the configuration:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode client
Changing VTP mode for all features
VTP domain Lab_Network modified
Console>...
Disabling VTP Using the Off Mode
When you disable VTP using the off mode, the switch behaves the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded. To disable VTP using the off mode, perform this task in privileged mode:
Task Command...
This example shows how to enable VTP version 2 and verify the configuration:
Console> (enable) set vtp version 2
This command will enable VTP version 2 function in the entire management domain.
All devices in the management domain should be version2-capable before enabling.
Enabling VTP Pruning
To enable VTP pruning, perform this task in privileged mode:
Step 1 Task: Enable VTP pruning in the management domain. Command: set vtp pruning enable
Step 2 Task: (Optional) Make specific VLANs pruning ineligible on the device. Command: clear vtp pruneeligible vlan_range
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
16/1
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
16/1
Console> (enable)
Disabling VTP Pruning
To disable VTP pruning, perform this task in privileged mode:
Task Command...
Chapter 9 Configuring VTP Understanding How VTP Version 3 Works Understanding How VTP Version 3 Works VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements to previous VTP versions: •...
Chapter 9 Configuring VTP Understanding How VTP Version 3 Works • If a password is configured as hidden, using the hidden password configuration option, the following occurs: – The password does not appear in plain text in the configuration; the secret hexadecimal format of the password is saved in the configuration.
9-4). In Figure 9-4, the Cisco VTP domain is partitioned between switches accepting server X or server Y as a primary server. The switches that are in different partitions do not exchange database information even though they are part of the same domain. If server X changes the VTP configuration, only the left partition of the network accepts it.
Figure 9-4 VTP Version 3: Partitioned VTP Domain (figure labels: Domain Cisco; Primary Server X; Primary Server Y)
Partitions exist because of discrepancies in the domain configuration that cannot automatically be resolved by VTP.
Figure 9-5 VTP Version 3: Reconfiguring a Partitioned VTP Domain (figure labels: VTP Instance; Partition W; Partition X; Partition Y; Partition Z)
In Figure 9-5, server X has the correct configuration for the domain. To reconfigure this partitioned VTP domain, you need to issue a takeover message from server X to the entire domain, advertising server X as the new primary server for this specific instance.

VTP Version 3 Modes
The default mode for VTP is version 1, server mode. The off mode can only be exited after you configure a VTP domain name on the switch. The “domain discovery” that is used in VTP version 1 and VTP version 2 is not available in VTP version 3.

• A VTP server reverts to client mode if it cannot store the configuration in NVRAM.
• A VTP version 3 secondary server can issue a takeover to become a primary server.

Primary Server
The primary server can initiate or change the VTP configuration.
Valid Databases
A switch advertises a database only if it is valid. The only way to validate a database is to become the primary server. If a switch modifies a database that has been generated by a primary server (this is possible in off or transparent modes), the database is invalid.
• If the database revision number in the advertisement is greater than that of the receiving device, and the advertisement’s checksum and configuration information match, the receiving switch requests the exact subset of databases for which it is not up to date. The VTP advertisement is regenerated on each of the device’s trunk ports other than the trunk port on which it was received.

• A VTP version 2 region that is connected to two different VTP version 3 regions may receive contradictory information and keep swapping its database to the VTP version 3 region that has the highest revision number at any given time.
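The two bullets above describe how a VTP version 3 device decides whether to act on an advertisement (higher revision, matching checksum, request only the out-of-date databases, relay on the other trunks) and why a version 2 region wedged between two version 3 regions flaps. The following Python model is an added example, not code from the guide or from Cisco: the domain and server names, trunk port names and revision numbers are constructed, and the per-advertisement checksum is a SHA-256 over the advertised revision list standing in for the protocol's own checksum, so the model shows the decision logic only, not the wire format.

```python
import hashlib
import json
from dataclasses import dataclass, field


def payload_checksum(databases):
    """Integrity value over the advertised {name: revision} list.
    Simplification for this example: SHA-256 over canonical JSON stands in
    for the protocol's own checksum field."""
    canonical = json.dumps(sorted(databases.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    source: str          # primary server that generated the advertisement
    databases: dict      # database name -> revision number
    checksum: str
    received_on: str     # trunk port the advertisement arrived on


def make_adv(domain, source, databases, received_on):
    return Advertisement(domain, source, dict(databases),
                         payload_checksum(databases), received_on)


@dataclass
class Vtp3Switch:
    domain: str
    trunks: list
    revisions: dict = field(default_factory=dict)   # local revision per database

    def receive(self, adv):
        """Apply the acceptance rules from the text and report what the
        switch does: which databases it requests and where it relays."""
        if adv.domain != self.domain:
            return {"action": "ignore", "reason": "domain mismatch"}
        if payload_checksum(adv.databases) != adv.checksum:
            return {"action": "ignore", "reason": "checksum mismatch"}
        # Only the subset that is out of date is requested from the sender.
        requests = sorted(name for name, rev in adv.databases.items()
                          if rev > self.revisions.get(name, 0))
        # The advertisement is regenerated on every other trunk port.
        relay_on = [t for t in self.trunks if t != adv.received_on]
        return {"action": "accept", "requests": requests, "relay_on": relay_on}


@dataclass
class Vtp2Switch:
    """A VTP version 2 device: one VLAN database, and it takes whatever
    advertisement in its domain carries a higher revision, whoever sent it."""
    domain: str
    revision: int = 0
    source: str = ""

    def receive(self, adv):
        rev = adv.databases.get("VLAN", 0)
        if adv.domain == self.domain and rev > self.revision:
            self.revision, self.source = rev, adv.source
        return self.source


def v2_region_between_two_v3_regions():
    """Reproduce the flapping described for a version 2 region connected to
    two version 3 regions (constructed primaries X and Y) whose revisions
    keep climbing: the v2 device follows whichever is highest right now."""
    v2 = Vtp2Switch("ENG")
    accepted = []
    for rev, src in [(5, "X"), (6, "Y"), (7, "X"), (8, "Y")]:
        accepted.append(v2.receive(make_adv("ENG", src, {"VLAN": rev}, "2/1")))
    return accepted
```

The relay rule is what makes a single misconfigured or stale server reach the whole partition: every accepting device re-sends on all of its other trunks, so a defender watching for unexpected revision jumps should monitor the revision and primary-server fields of show vtp domain on more than one switch.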
This example shows how to enable VTP version 3 and verify the configuration:
Console> (enable) set vtp version 3
VTP version 3 cannot be enabled on a switch with No Domain.
Console> (enable) set vtp domain ENG
VTP domain ENG modified
Console>...
Configuring a VTP Version 3 Server
When a switch is in VTP version 3 server mode, you can change the VLAN configuration and have it propagate throughout the network. To configure the switch as a VTP version 3 server, perform this task in privileged mode:
Task Command...
This example shows how to configure the switch as a VTP version 3 client and verify the configuration:
Console> (enable) set vtp mode client
Changing VTP mode for all features
VTP3 domain server modified
Note Because there is only the VLAN database in release 8.1(1), using the above example without specifying the vlan keyword results in the same configuration as using the vlan keyword.
Console> (enable) show vtp domain
Version : running VTP3
Domain Name : server
Password : not configured
Notifications: disabled
Switch ID : 00d0.004c.1800
Feature Mode Revision Primary ID Primary Description
-------------- -------------- ----------- -------------- ----------------------
VLAN Transparent UNKNOWN...

Configuring VTP Version 3 Passwords
Note For additional details, see the “VTP Version 3 Authentication” section on page 9-13.
VTP version 3 introduces a way of hiding the VTP password from the configuration. This is achieved by adding the hidden keyword to the password configuration.

This example shows how to copy the secret hexadecimal value from the configuration, paste it into the command line, and verify the configuration:
Console> (enable) set vtp passwd 9fbdf74b43a2815037c1b33aa00445e2 secret
Setting secret.
VTP3 domain server modified
Console>...

Do you want to continue (y/n) [n]? y
Console> (enable) show vtp domain
Version : running VTP3
Domain Name : server
Password : configured (hidden)
Notifications: disabled
Switch ID : 00d0.004c.1800
Feature Mode Revision Primary ID...
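The two show vtp domain displays above differ only in the Password field, which is the quickest place to see whether a domain has any VTP authentication at all and whether the password is stored hidden. The following Python audit is an added example, not code from the guide or from Cisco. It parses constructed copies of those displays, and classifies saved configuration lines: the "set vtp passwd <hex> secret" form is the one shown in this chapter, while the bare "set vtp passwd <text>" form is assumed here to be how a non-hidden password appears in a saved configuration.

```python
import re

# Constructed samples modelled on the "show vtp domain" displays in this
# chapter (illustrative values, not captured from a real switch).
SHOW_VTP_NO_PASSWORD = """\
Version : running VTP3
Domain Name : server
Password : not configured
Notifications: disabled
Switch ID : 00d0.004c.1800
"""

SHOW_VTP_HIDDEN = """\
Version : running VTP3
Domain Name : server
Password : configured (hidden)
Notifications: disabled
Switch ID : 00d0.004c.1800
"""

# Constructed configuration excerpts. The bare "set vtp passwd <text>" form is
# an assumption for how a non-hidden password is saved.
CONFIG_PLAINTEXT = ["set vtp domain server", "set vtp passwd Lab_Secret1"]
CONFIG_SECRET = ["set vtp domain server",
                 "set vtp passwd 9fbdf74b43a2815037c1b33aa00445e2 secret"]

PASSWD_RE = re.compile(r"^set vtp passwd\s+(\S+)(?:\s+(hidden|secret))?\s*$")


def parse_show_vtp_domain(text):
    """Turn the 'Label : value' lines of show vtp domain into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        fields[label.strip()] = value.strip()
    return fields


def classify_passwd_line(line):
    """Return 'plaintext', 'hidden', 'secret', or None for a config line."""
    m = PASSWD_RE.match(line.strip())
    if not m:
        return None
    return m.group(2) or "plaintext"


def audit_vtp(show_text, config_lines):
    """Findings a reviewer would raise about the VTP authentication state."""
    findings = []
    fields = parse_show_vtp_domain(show_text)
    if fields.get("Password", "").startswith("not configured"):
        findings.append("vtp-password-missing")
    for line in config_lines:
        m = PASSWD_RE.match(line.strip())
        if not m:
            continue
        kind = m.group(2) or "plaintext"
        if kind == "plaintext":
            findings.append("vtp-password-plaintext-in-config")
        elif kind == "secret" and not re.fullmatch(r"[0-9a-fA-F]{32}", m.group(1)):
            # The chapter's secret is a 32-digit hexadecimal string; anything
            # else pasted after "set vtp passwd" will not be the saved secret.
            findings.append("vtp-secret-not-32-hex")
    return findings
```

Run audit_vtp over the output collected from each switch in the domain, not just the primary server: a single device with no password configured is still a place where the domain's VLAN database can be rewritten.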
Chapter 10 Configuring VLANs
This chapter describes how to configure virtual LANs (VLANs) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.

Figure 10-1 VLANs as Logically Defined Networks (figure labels: Engineering VLAN; Marketing VLAN; Accounting VLAN; Catalyst 4000 on Floor 1, Floor 2 and Floor 3; Cisco router; Fast Ethernet)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.

• Extended-range VLANs: 1025–4094
Note The term nonreserved VLANs is used to denote any VLANs that are not reserved by Cisco; this includes normal-range and extended-range VLANs.
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.

Configurable VLAN Parameters
Whenever you create or modify VLANs 2–1005, you can set the parameters as follows:
Note Ethernet VLANs 1 and 1025–4094 can use the defaults only.
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.

Table 10-2 VLAN Default Configuration (continued)
Feature    Default Value
SAID value    100,000 plus the VLAN number (for example, the SAID for VLAN 3 is 100,003)
Pruning eligibility    VLANs 2–1000 are pruning eligible; VLANs 1025–4094 are not pruning eligible

VLAN Configuration Guidelines
This section describes the configuration guidelines for creating and modifying VLANs in your network:...

Configuring VLANs on the Switch
VLANs are either normal range or extended range. VLANs in the normal range are VLANs 2–1000. VLANs in the extended range are VLANs 1025–4094. When you configure normal-range VLANs, VLANs 2–1000, you can configure one VLAN at a time or a range of VLANs, all with a single command.

This example shows how to create an Ethernet VLAN and verify the configuration:
Console> (enable) set vlan 500 name Engineering
Vlan 500 configuration successful
Console> (enable) show vlan 500
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------...
This example shows how to create normal-range VLANs when the switch is in per-VLAN spanning tree + (PVST+) mode:
Console> (enable) set vlan 500-520
Vlan 500 configuration successful
Vlan 501 configuration successful
Vlan 502 configuration successful
Vlan 503 configuration successful
Vlan 520 configuration successful...

Creating or Modifying an Extended-Range VLAN
Note With VTP version 3, you can manage extended-range VLANs 1025–4094. These VLANs are propagated with VTP version 3.
Note With software release 8.1(1), you can name extended-range VLANs. This capability is independent of any VTP version or mode.

This example shows how to change the state of an extended-range Ethernet VLAN and verify the configuration:
Console> (enable) set vlan 2000 state suspend
Vlan 2000 configuration successful
Console> (enable) show vlan 2000
VLAN Name Status IfIndex Mod/Ports, Vlans...

Mapping 802.1Q VLANs to ISL VLANs
Your network might have non-Cisco devices that are connected to the Catalyst 6500 series switches through 802.1Q trunks or traffic from a non-Cisco switch that has VLANs in the Catalyst 6500 series reserved range, 1002–1024.

To map an 802.1Q VLAN to an ISL VLAN, perform this task in privileged mode:
Task Command
Step 1 Map an 802.1Q VLAN to an ISL Ethernet VLAN. set vlan mapping dot1q dot1q_vlan isl isl_vlan
The valid range for dot1q_vlan is from 1001–4095.

• Port 3 connects to a PC or other device.
Figure 10-2 shows how you can connect a Cisco IP Phone to a Catalyst 4500 series switch.
— Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide Release 8.1...
A new VLAN means a new subnet and a new set of IP addresses. You can configure switch ports to send Cisco Discovery Protocol (CDP) packets that instruct an attached Cisco IP Phone to transmit voice traffic to the switch in these frame types: 802.1Q frames carrying the auxiliary VLAN ID and Layer 2 CoS set to 5 (the switch port drops all...
802.3 frames, which are untagged and carry no VLAN ID and no Layer 2 CoS value (enter the set port auxiliaryvlan mod[/port] untagged command)
Note The Cisco IP Phone always sets Layer 3 IP precedence to 5 in voice traffic.

Auxiliary VLAN Configuration Guidelines
This section describes the guidelines for configuring auxiliary VLANs: •...

The default setting is none. Table 10-3 lists the set port auxiliaryvlan command keywords and their descriptions.
Table 10-3 Keyword Descriptions
Keyword    Action
dot1p    Specify that the phone send packets with 802.1p priority 5.
untagged    Specify that the phone send untagged packets.

Privacy is granted at the Layer 2 level because the switch blocks outgoing traffic to all isolated ports. You assign all isolated ports to an isolated VLAN where this hardware function occurs. Traffic that is received from an isolated port is forwarded to all promiscuous ports only.
• Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or community ports. You will achieve these results:
– Isolated/community VLAN spanning tree properties are set to those of the primary VLAN.
–...

• If you enable MAC address reduction on a Catalyst 4500 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match.
To create a private VLAN, perform this task in privileged mode:
Task Command
Step 1 Create the primary VLAN. set vlan vlan_num pvlan-type primary
Step 2 Set the isolated or community VLAN(s). set vlan vlan_num pvlan-type {isolated | community}
Step 3 Bind the isolated or community VLAN(s) to the...
This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4/7 through 4/9 as the community ports:
Console> (enable) set pvlan 7 903
Successfully set association between 7 and 903.
Console>...

Deleting an Isolated or Community VLAN
If you delete an isolated or community VLAN, the binding with the primary VLAN is broken, any isolated or community ports that are associated to the VLAN become inactive, and any related mappings on the promiscuous port(s) are deleted.
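The private VLAN rules stated in this section (isolated ports reach promiscuous ports only, community ports reach their own community and the promiscuous ports, and deleting a secondary VLAN breaks the binding and deactivates its ports) are easy to get wrong when reviewing a design, so a small reachability model helps. The following Python model is an added example, not code from the guide or from Cisco. It reuses the chapter's primary VLAN 7 and community VLAN 903 on ports 4/7 through 4/9; the isolated VLAN 901, the promiscuous port 4/1 and the isolated ports 4/10 and 4/11 are assumptions added to show the other roles.

```python
from dataclasses import dataclass, field
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass
class Port:
    name: str
    role: str                  # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int]   # isolated/community VLAN; None for promiscuous
    active: bool = True


@dataclass
class PrivateVlan:
    primary: int
    secondaries: dict = field(default_factory=dict)   # vlan -> ISOLATED | COMMUNITY
    ports: dict = field(default_factory=dict)         # port name -> Port

    def bind(self, vlan, kind):
        """Bind a secondary VLAN to the primary (the effect of set pvlan)."""
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError("secondary VLAN must be isolated or community")
        self.secondaries[vlan] = kind

    def add_port(self, name, role, secondary=None):
        if role == PROMISCUOUS:
            secondary = None
        elif self.secondaries.get(secondary) != role:
            raise ValueError(f"VLAN {secondary} is not bound as a {role} VLAN")
        self.ports[name] = Port(name, role, secondary)

    def can_forward(self, src_name, dst_name):
        """Layer 2 reachability between two ports of this private VLAN."""
        src, dst = self.ports[src_name], self.ports[dst_name]
        if not (src.active and dst.active) or src_name == dst_name:
            return False
        if PROMISCUOUS in (src.role, dst.role):
            return True                              # promiscuous reaches everyone
        if src.role == COMMUNITY and dst.role == COMMUNITY:
            return src.secondary == dst.secondary    # same community only
        return False                                 # isolated reaches nothing else

    def delete_secondary(self, vlan):
        """Deleting an isolated or community VLAN breaks the binding and
        leaves the ports that were assigned to it inactive."""
        self.secondaries.pop(vlan)
        for p in self.ports.values():
            if p.secondary == vlan:
                p.active = False

    def reachability(self):
        """All (source, destination) pairs that can currently exchange frames."""
        return {(s, d) for s in self.ports for d in self.ports
                if self.can_forward(s, d)}


def build_example():
    """Constructed topology: primary VLAN 7 and community VLAN 903 on ports
    4/7-4/9 as in the chapter; VLAN 901, port 4/1 and ports 4/10-4/11 are
    assumed additions."""
    pv = PrivateVlan(7)
    pv.bind(903, COMMUNITY)
    pv.bind(901, ISOLATED)             # assumed isolated VLAN
    pv.add_port("4/1", PROMISCUOUS)    # assumed uplink to the default gateway
    for p in ("4/7", "4/8", "4/9"):
        pv.add_port(p, COMMUNITY, 903)
    pv.add_port("4/10", ISOLATED, 901)
    pv.add_port("4/11", ISOLATED, 901)
    return pv
```

The reachability set is what to compare against the intended policy: two isolated hosts must never appear as a pair, and after a secondary VLAN is deleted its former ports should drop out of every pair rather than silently fall back to the primary VLAN.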
Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
This chapter describes how to configure Fast Ethernet and Gigabit Ethernet virtual LAN (VLAN) trunks on the Catalyst enterprise LAN switches.
Note For complete information on configuring VLANs, see Chapter 10, “Configuring VLANs.”...

Understanding How VLAN Trunks Work
Fast Ethernet and Gigabit Ethernet trunk ports support five different trunking modes (see Table 11-1). In addition, on certain Fast Ethernet and Gigabit Ethernet ports, you can specify whether the trunk uses ISL encapsulation, 802.1Q encapsulation, or whether the encapsulation type is autonegotiated.

To avoid this problem, ensure that trunking is turned off on ports connected to nonswitch devices if you do not intend to trunk across those links. When manually enabling trunking on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.

BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1d spanning-tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).

• If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections must be through 802.1Q trunks. You cannot connect Cisco switches to a non-Cisco 802.1Q cloud through ISL trunks or through access ports. Doing so will cause the switch to place the ISL trunk port or access port into the spanning-tree “port inconsistent”...

Configuring a Trunk Link
Before configuring an 802.1Q trunk, you must set a VTP domain and enter the VLANs that will be used in the trunk or channel. For more information, see Chapter 9, “Configuring VTP,”...

Note When you first configure a port as a trunk, the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN range is ignored). To modify the allowed VLANs list, use the clear trunk and set trunk commands to specify the allowed VLANs.

When you disable VLAN 1 on a trunk interface, no user traffic is transmitted or received across that trunk interface, but the supervisor engine will continue to transmit and receive packets from control protocols such as Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), Dynamic Trunking Protocol (DTP), and so forth.

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,802,850,917,999
Console> (enable)

Example VLAN Trunk Configurations
The following sections contain examples of VLAN trunk configurations:
Note For examples of configuring trunk links between switches and routers, refer to the Layer 3 Switching Software Configuration Guide—Catalyst 5000 Family, 4000 Family, 2926G Series, 2926 Series, 2948G,...
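The paragraph on BPDU addressing above gives a defender two concrete things to look for on a trunk capture: untagged BPDUs to the IEEE address 01-80-C2-00-00-00 for the native VLAN, and 802.1Q-tagged BPDUs to the Cisco SSTP address 01-00-0c-cc-cc-cd for every other VLAN. The following Python classifier is an added example, not code from the guide or from Cisco. The frames it works on are constructed inline: the source MAC reuses the Switch ID shown in Chapter 9, and the BPDU payload is a zero-filled placeholder rather than a real bridge PDU, since only the destination address and the tag are examined.

```python
import struct

IEEE_STP_DST = bytes.fromhex("0180c2000000")   # 01-80-C2-00-00-00 (IEEE 802.1d)
SSTP_DST = bytes.fromhex("01000ccccccd")       # 01-00-0c-cc-cc-cd (Cisco SSTP)
DOT1Q_TPID = 0x8100

# Constructed values for the sample frames (placeholder payload, not a BPDU).
SRC_MAC = bytes.fromhex("00d0004c1800")
BPDU_STUB = bytes(35)


def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Constructed 802.3 frame: optional 802.1Q tag, then the length field
    and payload. Only the fields the classifier reads are realistic."""
    frame = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame += struct.pack("!HH", DOT1Q_TPID, tci)
    return frame + struct.pack("!H", len(payload)) + payload


def classify_bpdu(frame):
    """None for frames that are not addressed to an STP multicast address;
    otherwise the flavour ('ieee' or 'sstp') and the VLAN from the tag."""
    if len(frame) < 14:
        return None
    dst = frame[:6]
    if dst == IEEE_STP_DST:
        kind = "ieee"
    elif dst == SSTP_DST:
        kind = "sstp"
    else:
        return None
    vlan = None
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == DOT1Q_TPID and len(frame) >= 18:
        tci, = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF
    return {"kind": kind, "vlan": vlan}


def bpdu_vlans_seen(frames, native_vlan):
    """Which VLANs a trunk carries spanning-tree BPDUs for: an untagged IEEE
    BPDU counts for the native VLAN, a tagged SSTP BPDU for its tagged VLAN."""
    seen = set()
    for f in frames:
        info = classify_bpdu(f)
        if info is None:
            continue
        if info["kind"] == "ieee" and info["vlan"] is None:
            seen.add(native_vlan)
        elif info["kind"] == "sstp" and info["vlan"] is not None:
            seen.add(info["vlan"])
    return seen


# Constructed capture: native-VLAN BPDU, two per-VLAN BPDUs, one broadcast.
SAMPLE_FRAMES = [
    build_frame(IEEE_STP_DST, SRC_MAC, BPDU_STUB),
    build_frame(SSTP_DST, SRC_MAC, BPDU_STUB, vlan=10),
    build_frame(SSTP_DST, SRC_MAC, BPDU_STUB, vlan=20),
    build_frame(bytes.fromhex("ffffffffffff"), SRC_MAC, bytes(46)),
]
```

Comparing bpdu_vlans_seen against the allowed-VLAN list of the trunk is a cheap check that the far end is really running per-VLAN spanning tree on every VLAN you expect; BPDUs arriving on a port that is supposed to be an access port are the trunking problem the section above tells you to prevent with trunking turned off or the nonegotiate keyword.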
Switch_B> (enable) set vlan 1 3/3-6
VLAN Mod/Ports
---- -----------------------
3/3-6
Switch_B> (enable)
Step 2 Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk. The configuration is applied to all of the ports in the bundle.
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
1-1005, 1025-4094
Switch_A>...
Switch_A> (enable) set port channel 2/3-6 desirable
Port(s) 2/3-6 channel mode set to desirable.
Switch_A> (enable)
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%ETHC-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%ETHC-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%ETHC-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%ETHC-5-PORTFROMSTP:Port 2/4 left bridge port 2/4...

Load-Sharing VLAN Traffic over Parallel Trunks Example
Using spanning tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk.
Vlan 40 configuration successful
Switch_1> (enable) set vlan 50
Vlan 50 configuration successful
Switch_1> (enable) set vlan 60
Vlan 60 configuration successful
Switch_1> (enable)
Step 3 Verify the VTP and VLAN configuration on Switch 1 by entering the show vtp domain and show vlan commands:...
desirable dot1q trunking
desirable dot1q trunking
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1-1005,1025-4094
1-1005,1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1,10,20,30,40,50,60
1,10,20,30,40,50,60...
blocking disabled
blocking disabled
blocking disabled
blocking disabled
1003 not-connected disabled
1005 not-connected disabled
Switch_1> (enable)
Step 8 Divide the configured VLANs into two groups. You might want traffic from one-half of the VLANs to go over one trunk link and one-half over the other trunk link;...
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Figure 11-3 Parallel Trunk Configuration after Configuring VLAN Traffic Load-Sharing (figure labels: Trunk 2 VLANs 10, 20, 30, 40, 50, and 60: port-VLAN priority 32 (blocking); Catalyst 4000 Switch 1; Catalyst 4000...)

802.1Q Nonegotiate Trunk Configuration Example
This sample configuration shows how to configure an 802.1Q Fast Ethernet trunk between two Catalyst 4500 series switches with 802.1Q-capable hardware. (Use the show port capabilities command to see if your hardware is 802.1Q-capable.) The initial network configuration is shown in Figure 11-4.
Step 2 Display the problem on Switch 2 by entering the show spantree and show spantree statistics commands. The configuration mismatch exists until the port on Switch 2 is properly configured.
Switch 2>...
Figure 11-6 802.1Q Trunking: Final Network Configuration (figure labels: Port 1/1, Trunk Type: 802.1Q, Trunk Mode: nonegotiate; Port 4/1, Trunk Type: 802.1Q, Trunk Mode: nonegotiate; 4000 Switch 1; 4000; 802.1Q Trunk...)
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1-1005, 1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1-3,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1005...

Chapter 12 Configuring Dynamic VLAN Membership with VMPS
This chapter describes how to configure dynamic VLAN membership for ports in your network using the VLAN Management Policy Server (VMPS) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is in open mode, the host receives an “access denied”...

Default VMPS and Dynamic Port Configuration
Table 12-1 shows the default VMPS configurations.
Table 12-1 Defaults for VMPS Servers and VMPS Clients
Feature    Default Configuration
VMPS Server
VMPS enable state    Disabled
VMPS management domain...

• Static secure ports cannot become dynamic ports. You must turn off security on the static secure port before it can become dynamic.
• Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.

• Define the security mode. VMPS can operate in open or secure mode. If you set it to open mode, VMPS returns an access denied response for an unauthorized MAC address and returns the fallback VLAN for a MAC address not listed in the VMPS database.
The example at the end of this section has three VLAN port policies specified:
– In the first VLAN port policy, the VLAN hardware or software is restricted to port 3/2 on the VMPS client 198.92.30.32 and port 2/8 on the VMPS client 172.20.23.141.
Configuring VMPS Clients
When you configure a VMPS client, you must configure VMPS on the VMPS client before setting dynamic ports. You cannot make trunk ports or secure ports a dynamic port. If you attempt to make a trunk port a dynamic port, VMPS disables trunking on the port to make it a dynamic port.

connect dyn-5 normal half 10 BASE-T
connect dyn-5 normal half 10 BASE-T
Console> (enable)
Note The show port command displays dyn- in the Vlan column of the display when a VLAN has not been assigned to a port.

To reconfirm the dynamic port VLAN membership assignments, perform this task in privileged mode:
Task Command
Step 1 Reconfirm dynamic port VLAN membership. reconfirm vmps
Step 2 Verify the dynamic VLAN reconfirmation status. show dvlan statistics
This example shows how to reconfirm dynamic port VLAN membership assignments:
Console>...

Console> (enable) set port membership 3/1 static
Port 3/1 vlan assignment set to static.
Spantree port fast start option set to default for ports 3/1.
Console>...

When you move a PC from a hub connected to the switch to a direct port on the VMPS client, both ports remain assigned to the same VLAN. The VMPS query and response messages are multicast packets with a destination address of 01000CCCCCCD.
Figure 12-1 Dynamic Port VLAN Membership Configuration (figure labels: TFTP server; Primary VMPS Server 1; Router; Switch 1; 172.20.22.7; 172.20.26.150; Client Switch 2; End station 1; 172.20.26.151; Secondary VMPS Server 2; Switch 3; 172.20.26.152; Switch 4; 172.20.26.153...)

After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the VMPS server.
Step 2 Configure Switch 2 and Switch 3 as backup VMPS servers. Configure the IP address of the TFTP server on which the ASCII file resides:
Console>...

Dynamic Port VLAN Membership with Auxiliary VLANs
With software release 6.2(1) and later releases, the dynamic ports can belong to two VLANs. The switch port configured for connecting an IP phone can have separate VLANs configured for carrying the following:
• Voice traffic to and from the IP phone (auxiliary VLAN)...
Console> (enable) set port auxiliaryvlan 5/10 223
Auxiliary vlan cannot be set to 223 as PVID=223.
Console> (enable)
Chapter 13 Configuring GVRP
This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.

Default GVRP Configuration
Table 13-1 shows the default GVRP configuration.
Table 13-1 GVRP Default Configuration
Feature    Default Value
GVRP global enable state    Disabled
GVRP per-trunk enable state    Disabled on all ports
GVRP dynamic creation of VLANs    Disabled
GVRP registration mode    normal, with VLAN 1 set to fixed, for all ports
GVRP applicant state...

To enable GVRP globally on the switch, perform this task in privileged mode:
Task Command
Step 1 Enable GVRP on the switch. set gvrp enable
Step 2 Verify the configuration. show gvrp configuration
This example shows how to enable GVRP and verify the configuration:
Console>...

This example shows how to enable GVRP on 802.1Q-capable port 1/1:
Console> (enable) set port gvrp enable 1/1
GVRP enabled on 1/1.
Console> (enable)

Enabling GVRP Dynamic VLAN Creation
You can enable GVRP dynamic VLAN creation only if these conditions are met: •...
To configure GVRP normal registration on an 802.1Q trunk port, perform this task in privileged mode:
Task Command
Step 1 Configure normal registration on an 802.1Q trunk port. set gvrp registration normal mod_num/port_num
Step 2 Verify the configuration.

Sending GVRP VLAN Declarations from Blocking Ports
To prevent undesirable Spanning Tree Protocol (STP) topology reconfiguration on a port that is connected to a device that does not support per-VLAN STP, configure the GVRP active applicant state on the port.

Caution Set the same GARP timer values on all Layer 2-connected devices. If the GARP timers are set differently on Layer 2-connected devices, GARP applications (for example, GMRP and GVRP) do not operate successfully.

Clearing GVRP Statistics
To clear all GVRP statistics on the switch, perform this task in privileged mode:
Task Command
Clear GVRP statistics. clear gvrp statistics {mod_num/port_num | all}
This example shows how to clear all GVRP statistics on the switch:
Console>...
Chapter 14 Configuring QoS
This chapter describes how to configure quality of service (QoS) on Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.

QoS implements scheduling on supported egress ports with transmit queue drop thresholds and multiple transmit queues that use the 802.1p CoS values to give preference to higher-priority traffic. Figure 14-1 shows how QoS affects the traffic flow.
Figure 14-1 Traffic Flow Through the Switch with QoS Enabled—Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches (figure labels: Apply...)

• Marking is the application of QoS labels to traffic.
• Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values.
• Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for traffic with high-priority CoS values.

Software Requirements
QoS requires supervisor engine software release 5.2 or later releases. Use the show port capabilities command to determine the specific QoS support for a module.

QoS Default Configuration
Table 14-1 shows the QoS default configuration.
Table 14-1 QoS Default Configuration
Feature    Default Value...

Enabling QoS Globally
To enable QoS globally on the switch, perform this task in privileged mode:
Task Command
Enable QoS globally. set qos enable
This example shows how to enable QoS globally:
Console>...

Mapping CoS Values to Transmit Queues and Drop Thresholds
Enter the set qos map command to associate CoS values to transmit queue drop thresholds. The port_type is hardware dependent. Enter the show port capabilities command to determine the port_type for your hardware.

Displaying QoS Information
To display QoS information, perform this task:
Task Command
Display QoS information. show qos info [runtime | config]
This example shows how to display the current QoS configuration information for the switch:
Console>...
Chapter 14 Configuring QoS Configuring QoS on the Switch This example shows how to disable QoS: Console> (enable) set qos disable QoS is disabled. Console> (enable)
For more information on IP multicast and IGMP, see RFC 1112. GMRP is described in IEEE 802.1p. Note CGMP and IGMP software components run on the Cisco router and the switch. A CGMP/IGMP-capable IP multicast router sees all IGMP packets and can inform the switch when specific hosts join or leave IP multicast groups.
Chapter 15 Configuring Multicast Services Understanding How Multicasting Works When the CGMP/IGMP-capable router receives an IGMP control packet, it creates a CGMP or IGMP packet that contains the request type (either join or leave), the multicast group address, and the MAC address of the host.
Layer 3 protocol (such as IP, IPX, and so forth). GMRP software components run on both the switch and on the host (Cisco is not a source for GMRP host software). On the host, GMRP is typically used with IGMP: the host GMRP software generates Layer 2 GMRP versions of the host’s Layer 3 IGMP control packets.
Chapter 15 Configuring Multicast Services Configuring CGMP Configuring CGMP The following sections describe how to configure CGMP. CGMP Hardware and Software Requirements CGMP requires these hardware and software versions: • Software release 2.2 or later releases • Router running CGMP Default CGMP Configuration Table 15-1 shows the default CGMP configuration.
Chapter 15 Configuring Multicast Services Configuring CGMP Displaying Multicast Router Information When you enable CGMP, the switch automatically learns to which ports a multicast router is connected. To display dynamically learned multicast router information, perform one of these tasks in privileged mode: •...
Chapter 15 Configuring Multicast Services Configuring CGMP Task Command Display the total number of multicast addresses (groups) in each VLAN. show multicast group count [vlan_id] Display the total number of multicast addresses (groups) in each VLAN that were learned dynamically through CGMP. show multicast group count cgmp [vlan_id]
Chapter 15 Configuring Multicast Services Configuring CGMP Disabling CGMP Leave Processing To disable CGMP leave processing on the switch, perform this task in privileged mode: Task Command Disable CGMP leave processing. set cgmp leave disable This example shows how to disable CGMP leave processing on the switch: Console>...
Chapter 15 Configuring Multicast Services Configuring GMRP Port based GMRP Configuration: Port GMRP Status Registration ForwardAll -------------------------------------------- ----------- ------------ ---------- 1/1-2,3/1,6/1-48 Enabled Normal Disabled Console> (enable) Enabling GMRP on Individual Switch Ports Note You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally. However, GMRP will not function until you enable it globally.
Chapter 15 Configuring Multicast Services Configuring GMRP This example shows how to disable GMRP on ports 6/10–14 and verify the configuration: Console> (enable) set port gmrp disable 6/10-14 GMRP disabled on ports 6/10-14. Console> (enable) show gmrp configuration Global GMRP Configuration: GMRP Feature is currently enabled on this switch.
Chapter 15 Configuring Multicast Services Configuring GMRP Configuring GMRP Registration The following sections describe how to configure GMRP registration modes on switch ports. Setting Normal Registration Mode Configuring a port in normal registration mode allows dynamic GMRP multicast registration and deregistration on the port.
Chapter 15 Configuring Multicast Services Configuring GMRP Enabled Normal Disabled 1/1-4 2/1-9,2/11-48 3/1-24 Enabled Fixed Disabled 2/10 Console> (enable) Setting Forbidden Registration Mode Configuring a port in forbidden registration mode deregisters all GMRP multicasts and prevents any further GMRP multicast registration on the port. To configure GMRP forbidden registration on a port, perform this task in privileged mode: Task Command...
Chapter 15 Configuring Multicast Services Configuring GMRP When you set the timer values, the value for leave must be equal to or greater than three times the join value (leave >= join * 3). The value for leaveall must be greater than the value for leave (leaveall >...
Chapter 15 Configuring Multicast Services Configuring Multicast Router Ports and Group Entries Specifying Multicast Router Ports When you enable CGMP or GMRP, the switch automatically learns to which ports a multicast router is connected. However, you can manually specify multicast router ports. To specify multicast router ports manually, perform this task in privileged mode: Task Command...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic If a port is set to permit, only matching IPs are forwarded; all others are dropped. If a filtering action permits a particular IGMP packet, only that packet is forwarded for processing, and all others are dropped.
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic IGMP Multicast Filter Activation IGMP multicast filters associate with each physical switch port. The following sections show configurations for controlling IGMP multicast filter activation/deactivation on the switch. Enabling and Verifying IGMP Multicast Filtering To enable IGMP traffic filtering on the switch, perform this task in privileged mode: Task Command...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic Configuring Port IP Multicast Filtering IP multicast group profiles consist of one or more ranges of IP multicast addresses that are associated with a filtering and monitoring action and are configured on a per-switch-port basis. Given a particular profile that is associated with a switch port, you can configure the filter action.
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic This example shows how to permit an IP address or range of IP addresses: Console> (enable) set igmp filter profile 1 match-action permit igmp filter match-action set to permit Console> (enable) This example shows how to verify the status of an IGMP multicast filter profile to accept IP addresses: Console>...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic This example shows how to verify that an IGMP multicast filter profile 1 was deleted: Console> (enable) show igmp filter profile 1 Console> (enable) Listing or Removing All IGMP Multicast Filters To list, remove, and verify all IGMP multicast filter profiles, perform this task in privileged mode: Task Command Step 1...
Chapter 15 Configuring Multicast Services Filtering IGMP Traffic This example shows how to display the association of IGMP multicast filter profiles with module 2/port 48: Console> (enable) show igmp filter map 2/48 Port Profile ---- ------- 2/48 This example shows how to display the association of IGMP multicast filter profiles for all ports: Console>...
C H A P T E R Configuring Port Security This chapter describes how to configure port security on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 16 Configuring Port Security Understanding How Port Security Works After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or have the port dynamically configure the MAC address of the connected devices.
Chapter 16 Configuring Port Security Port Security Configuration Guidelines Blocking Unicast Flood Packets on Secure Ports You can block unicast flood packets on a secure Ethernet port by disabling the unicast flood feature. If you disable unicast flood on a port, the port will drop unicast flood packets when the port reaches the allowed maximum number of MAC addresses.
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to verify the port security: Console> (enable) show port 2/1 Port Name Status Vlan Level Duplex Speed Type ----- ------------------ ---------- ---------- ------ ------ ----- ------------ connected normal half...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to reduce the number of MAC addresses; it also shows how to display the list of cleared MAC addresses: Console> (enable) set port security 4/7 maximum 18 Maximum number of secure addresses set to 18 for port 4/7 00-11-22-33-44-55 cleared from secure address list for port 4/7 00-11-22-33-44-66 cleared from secure address list for port 4/7...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example removes all MAC addresses from ports 4/5–7: Console> (enable) clear port security 4/5-7 all All addresses cleared from secure address list for ports 4/5-7 Console> (enable) Configuring Unicast Flood Blocking on Secure Ports To configure unicast flood blocking, you must disable the unicast flood feature.
Chapter 16 Configuring Port Security Configuring Port Security on the Switch Enabling MAC Address Notification Enabling MAC address notification allows you to monitor MAC addresses at the module and port level that were added by the switch or removed from the CAM table. A new MAC address is added when either of the following occurs: •...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch This example shows how to enable MAC address notification globally, how to enable notification of added and removed MAC addresses, and how to set interval time between notifications: Console> (enable) set cam notification enable MAC address change detection globally enabled Be sure to specify which ports are to detect MAC address changes with the 'set cam notification [added|removed] enable <m/p>...
Chapter 16 Configuring Port Security Configuring Port Security on the Switch Setting the Shutdown Time You can specify how long a port is to remain disabled in the event of a security violation. By default, the port is shut down permanently. The valid range is from 1–1440 minutes. If you set the time to zero, the shutdown is disabled for this port.
Chapter 16 Configuring Port Security Monitoring Port Security Restricting Traffic for a Host MAC Address To restrict incoming or outgoing traffic for a specific MAC address, perform this task in privileged mode: Task Command Step 1 Restrict traffic that is destined to or originating from a specific MAC address. set cam {static | permanent} filter unicast_mac
Chapter 16 Configuring Port Security Monitoring Port Security To display port security configuration information and statistics, perform this task in privileged mode: Task Command Step 1 Display the configuration. show port security [statistics] mod_num/ port_num Step 2 Display the port security statistics. show port security [statistics] [system] [mod_num/port_num] These examples show how to display port security configuration information and statistics:...
Chapter 16 Configuring Port Security Monitoring Port Security Total ports: 48 Total MAC address(es): 48 Total global address space used (out of 1024): 0 Status: installed Console> (enable)
C H A P T E R Configuring Unicast Flood Blocking This chapter describes how to configure unicast flood blocking on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 17 Configuring Unicast Flood Blocking Configuration Guidelines for Unicast Flood Blocking Configuration Guidelines for Unicast Flood Blocking This section lists the guidelines for configuring unicast flood blocking: • Only Ethernet ports can block unicast flood traffic. • If the Ethernet port is part of an IPX network, you must manually enter a static CAM entry in the...
Chapter 17 Configuring Unicast Flood Blocking Configuring Unicast Flood Blocking on the Switch This example shows how to disable unicast flood packets on a port: Console> (enable) set port unicast-flood 4/1 disable WARNING: Trunking & Channelling will be disabled on the port. Unicast Flooding is successfully disabled on the port 4/1.
C H A P T E R Configuring the IP Permit List This chapter describes how to configure the IP permit list on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 18 Configuring the IP Permit List IP Permit List Default Configuration You can specify the same IP address in more than one entry in the permit list if the masks are different. The mask is applied to the address before it is stored in NVRAM, so that entries that have the same effect (but different addresses) are not stored.
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch Ssh permit list disabled. Snmp permit list disabled. Permit List Mask Access-Type ---------------- ---------------- ------------- 172.16.0.0 255.255.0.0 telnet 172.20.0.0 255.255.0.0 snmp 172.20.52.0 255.255.255.224 172.20.52.3 telnet ssh snm Denied IP Address Last Accessed Time Type Telnet Count...
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch Denied IP Address Last Accessed Time Type ----------------- ------------------ ------ Denied IP Address Last Accessed Time Type Telnet Count SNMP Count ----------------- ------------------ ------ ------------ ---------- 172.100.101.104 01/20/97,07:45:20...
Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch To clear an IP permit list entry, perform this task in privileged mode: Task Command Step 1 Disable the IP permit list. set ip permit disable [ssh | snmp | telnet] Step 2 Specify the IP address to remove from the IP clear ip permit {ip_address [mask] | all} [ssh |...
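The permit-list semantics described above (mask applied before storing so overlapping entries collapse, per-access-type enable state, a denied-address table with counters) modelled in Python. This is an added example, not Cisco's code; the class name, the sample entries and the rule that a disabled list does not filter are assumptions made here, loosely following the show ip permit display on this page.

```python
import ipaddress
from collections import Counter

# Access types the permit list can be enabled for (from the set ip permit syntax).
ACCESS_TYPES = ("telnet", "ssh", "snmp")


def _ip(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


class IpPermitList:
    """Hypothetical model of a CatOS-style IP permit list (added example)."""

    def __init__(self):
        # Per-access-type enable state; all disabled, as in the page's default display.
        self.enabled = {t: False for t in ACCESS_TYPES}
        # (masked address, mask) -> set of access types. The mask is applied before
        # storing, so two entries that differ only in host bits collapse to one key.
        self.entries = {}
        # Denied source address -> per-type counters, like the "Denied IP Address" table.
        self.denied = {}

    def set_permit(self, addr, mask="255.255.255.255", types=ACCESS_TYPES):
        """Store addr masked by mask for the given access types; return stored address."""
        m = _ip(mask)
        key = (_ip(addr) & m, m)
        self.entries.setdefault(key, set()).update(types)
        return str(ipaddress.IPv4Address(key[0]))

    def clear_permit(self, addr, mask="255.255.255.255", types=ACCESS_TYPES):
        """Remove the access types from the matching entry; drop it when empty."""
        m = _ip(mask)
        key = (_ip(addr) & m, m)
        if key not in self.entries:
            return False
        self.entries[key].difference_update(types)
        if not self.entries[key]:
            del self.entries[key]
        return True

    def set_enabled(self, access_type, state):
        if access_type not in ACCESS_TYPES:
            raise ValueError(f"unknown access type {access_type!r}")
        self.enabled[access_type] = bool(state)

    def is_permitted(self, src, access_type):
        """Evaluate a management connection attempt from src for one access type."""
        if not self.enabled[access_type]:
            return True  # assumption: a disabled permit list does not filter that type
        s = _ip(src)
        for (net, m), types in self.entries.items():
            if access_type in types and (s & m) == net:
                return True
        # No entry matched: record the denial the way the switch's table would.
        self.denied.setdefault(src, Counter())[access_type] += 1
        return False

    def show(self):
        """Render something resembling the show ip permit output."""
        lines = [f"{t.capitalize()} permit list {'enabled' if on else 'disabled'}."
                 for t, on in self.enabled.items()]
        for (net, m), types in sorted(self.entries.items()):
            lines.append(f"{str(ipaddress.IPv4Address(net)):<17}"
                         f"{str(ipaddress.IPv4Address(m)):<17}{' '.join(sorted(types))}")
        return "\n".join(lines)


def build_sample():
    """Constructed sample configuration resembling the page's display."""
    pl = IpPermitList()
    pl.set_permit("172.16.0.0", "255.255.0.0", ("telnet",))
    pl.set_permit("172.20.0.0", "255.255.0.0", ("snmp",))
    pl.set_permit("172.20.52.3", types=("telnet", "ssh", "snmp"))
    pl.set_enabled("telnet", True)
    return pl


if __name__ == "__main__":
    sample = build_sample()
    print(sample.show())
    print("telnet from 172.100.101.104:", sample.is_permitted("172.100.101.104", "telnet"))
    print("denied table:", dict(sample.denied))
```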
Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group. Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by protocol filtering. Dynamic VLAN ports and ports that have port security enabled are members of all protocol groups.
Chapter 19 Configuring Protocol Filtering Default Protocol Filtering Configuration For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a switch port that is configured as auto for IPX, and the host is transmitting only IP traffic, the port to which the host is connected will not forward any IPX flood traffic to the host.
Chapter 19 Configuring Protocol Filtering Configuring Protocol Filtering on the Switch This example shows how to enable protocol filtering, set the protocol membership of ports, and verify the configuration: Console> (enable) set protocolfilter enable Protocol filtering enabled on this switch. Console>...
C H A P T E R Checking Status and Connectivity This chapter describes how to check switch status and connectivity on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 20 Checking Status and Connectivity Checking Port Status This example shows how to check module status on a Catalyst 2948G switch: Console> (enable) show module Mod Slot Ports Module-Type Model Status --- ---- ----- ------------------------- ------------------- -------- Switching Supervisor WS-X2948 10/100/1000 Ethernet WS-X2948G...
Chapter 20 Checking Status and Connectivity Checking Port Status disabled disabled 17 disabled disabled 18 disabled disabled 19 disabled disabled 20 Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported admin oper admin oper opcodes ----- -------- -------- -------- -------- ------- ------- ----------- desired desired desired...
Chapter 20 Checking Status and Connectivity Displaying the Port MAC Address Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left ----- -------- ----------------- -------- ----------------- ------------------ Port Status Channel Admin Ch Mode Group Id ----- ---------- -------------------- ----- ----- inactive auto silent Port Align-Err FCS-Err Xmit-Err...
Chapter 20 Checking Status and Connectivity Displaying Port Capabilities Displaying Port Capabilities You can display the capabilities of any port in a switch using the show port capabilities command. This example shows you how to display the port capabilities for ports on module 2: Console>...
Chapter 20 Checking Status and Connectivity Using Telnet Flow control Security Membership static,dynamic Fast start QOS scheduling rx-(none),tx-(2q1t) CoS rewrite ToS rewrite Rewrite UDLD Inline power AuxiliaryVlan 1..1000,untagged,none SPAN source,destination Console> (enable) Using Telnet You can access the switch CLI using Telnet. In addition, you can use Telnet from the switch to access other devices in the network.
Chapter 20 Checking Status and Connectivity Using Secure Shell Encryption for Telnet Sessions This example shows how to set the logout timer value to 10 minutes: Console> (enable) set logout 10 Sessions will be automatically logged out after 10 minutes of idle time. Console>...
Chapter 20 Checking Status and Connectivity Monitoring User Sessions Monitoring User Sessions You can display the currently active user sessions on the switch using the show users command. The command output displays all active console port and Telnet sessions on the switch. To display the active user sessions on the switch, perform this task in privileged mode: Task Command...
Chapter 20 Checking Status and Connectivity Using Ping Executing Ping To ping another device on the network from the switch, perform one of these tasks in normal or privileged mode: Task Command Ping a remote host. ping host Ping a remote host using ping options. ping -s host [packet_size] [packet_count] This example shows how to ping a remote host from normal executive mode: Console>...
Chapter 20 Checking Status and Connectivity Using Layer 2 Traceroute Using Layer 2 Traceroute The Layer 2 Traceroute utility allows you to identify the physical path that a packet takes from a source to a destination. This utility determines the path by looking at the forwarding engine tables of the switches in the path.
Chapter 20 Checking Status and Connectivity Using IP Traceroute Console> (enable) l2trace 00-01-22-33-44-55 10-22-33-44-55-66 detail l2trace vlan number is 10. 00-01-22-33-44-55 found in C4000 named wiring-1 on port 4/1 10Mb half duplex C4000:wiring-1:192.168.242.10:4/1 10Mb half duplex -> 5/2 100MB full duplex C4000:backup-wiring-1:192.168.242.20:1/1 100Mb full duplex ->...
Chapter 20 Checking Status and Connectivity Using IP Traceroute This example shows the basic usage of the traceroute command: Console> (enable) traceroute 10.1.1.100 traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 40 byte packets 1 10.1.1.1 (10.1.1.1) 1 ms 2 ms 1 ms 2 10.1.1.100 (10.1.1.100) 2 ms...
CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices that are directly attached to the switch. In addition, CDP detects native VLAN and port duplex mismatches.
Chapter 21 Configuring CDP Default CDP Configuration Default CDP Configuration Table 21-1 shows the default CDP configuration. Table 21-1 CDP Default Configuration Feature Default Value CDP global enable state Enabled CDP port enable state Enabled on all ports CDP message interval 60 sec CDP holdtime 180 sec...
Chapter 21 Configuring CDP Configuring CDP on the Switch To set the CDP enable state on a per-port basis, perform this task in privileged mode: Task Command Step 1 Set the CDP enable state on individual ports. set cdp {enable | disable} [mod_num/port_num] Step 2 Verify the CDP configuration.
Configuring CDP on the Switch Setting the CDP Message Interval The CDP message interval specifies how often the switch will transmit CDP messages to directly connected Cisco devices. To set the default CDP message interval, perform this task in privileged mode: Task...
Configuring CDP Configuring CDP on the Switch Displaying CDP Neighbor Information To display information about directly connected Cisco devices, enter the show cdp neighbors command. To display specific information, use the following keywords: • To display the native VLAN for the connected ports, enter the vlan keyword.
C H A P T E R Using Switch TopN Reports This chapter describes how to use the Switch TopN Reports utility on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports Running and Viewing Switch TopN Reports To run a Switch TopN Report in the background and view the results, perform this task in privileged mode: Task Command Step 1 Run the Switch TopN Reports utility in the background. show top [N] [metric] [interval interval]
Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports This example shows how to remove a specific Switch TopN report and how to remove all stored reports: Console> (enable) clear top 4 Console> (enable) 06/16/1998,17:36:45:MGMT-5:TopN report 4 killed by Console//. Console>...
C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 23 Configuring UDLD UDLD Software and Hardware Requirements The switch periodically transmits UDLD messages (packets) to neighbor devices on ports with UDLD enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Table 23-1 UDLD Default Configuration Feature Default Value UDLD global enable state Globally disabled UDLD per-port enable state • Enabled on all Ethernet, Fast Ethernet, and Gigabit Ethernet ports using fiber-optic media •...
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Enabling UDLD on Individual Ports To enable UDLD on individual ports, perform this task in privileged mode: Task Command Step 1 Enable UDLD on a specific port. set udld enable mod_num/port_num Step 2 Verify the configuration.
Software release 5.4(3) and later releases support UDLD aggressive mode. UDLD aggressive mode is disabled by default and its use is recommended only for point-to-point links between Cisco switches running software release 5.4(3) or later releases. With aggressive mode enabled, when a port on a bidirectional link stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor.
Chapter 23 Configuring UDLD Configuring UDLD on the Switch This example shows how to verify that UDLD aggressive mode is enabled: Console> (enable) show udld port 4/1 UDLD : enabled Message Interval: 10 seconds Port Admin Status Aggressive Mode Link State -------- ------------ --------------- ---------...
Chapter 23 Configuring UDLD Configuring UDLD on the Switch Table 23-2 show udld Command Output Fields (continued) Field Description Port Module and port numbers. Admin Status Status of whether administration status is enabled or disabled. Aggressive Mode Status of whether aggressive mode is enabled or disabled. Link State Status of the link: undetermined (detection in progress, neighboring UDLD has been disabled), not applicable (UDLD has been disabled), shutdown...
C H A P T E R Configuring SNMP This chapter describes how to configure Simple Network Management Protocol (SNMP) on Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Chapter 24 Configuring SNMP SNMP Terminology Table 24-1 SNMP Terminology Term Definition authentication The process of ensuring message integrity and protection against message replays, including data integrity and data origin authentication. authoritative SNMP engine One of the SNMP copies that is used in network communication is designated as the allowed SNMP engine, which protects against message replay, delay, and redirection.
Chapter 24 Configuring SNMP Understanding How SNMP Works Table 24-1 SNMP Terminology (continued) Term Definition SNMP Version 2c (SNMPv2c) This second version of SNMP supports centralized and distributed network management strategies and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security. SNMP engine A copy of SNMP that can reside on the local or remote device.
Chapter 24 Configuring SNMP Understanding How SNMP Works Security Models and Levels A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level will determine which security mechanism is employed when handling an SNMP packet.
Chapter 24 Configuring SNMP Understanding How SNMPv1 and SNMPv2c Work Understanding How SNMPv1 and SNMPv2c Work The components of SNMPv1 and SNMPv2c network management fall into three categories: • Managed devices (such as a switch) • SNMP agents and MIBs, including Remote Monitoring (RMON) MIBs, which run on managed...
Chapter 24 Configuring SNMP SNMPv1 and SNMPv2c Default Configuration Note For information about MIBs, refer to this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. SNMPv1 and SNMPv2c Default Configuration Table 24-3 describes the SNMP default configuration. Table 24-3 SNMP Default Configuration Feature Default Setting SNMP community strings •...
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI To configure SNMPv1 and SNMPv2c from the command-line interface (CLI), perform this task in privileged mode: Task Command Step 1 Define the SNMP community strings for each access type. set snmp community read-only community_string
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI SNMPv1 and SNMPv2c Enhancements in Software Release 7.5(1) The following sections describe enhancements that were added to software release 7.5(1). Setting Multiple SNMP Community Strings You can set multiple SNMP community strings using the community-ext keyword. Community strings that are defined with the community-ext keyword cannot be duplicates of existing community strings.
Chapter 24 Configuring SNMP Configuring SNMPv1 and SNMPv2c from the CLI Console> (enable) set snmp access-list 2 172.20.60.7 Access number 2 has been updated with new IP Address 172.20.60.7 Console> (enable) set snmp access-list 2 172.20.60.7 mask 255.255.255.0 Access number 2 has been updated with existing IP Address 172.20.60.7 mask 255.255.255.0 Console>...
Chapter 24 Configuring SNMP Understanding SNMPv3 These examples show how to specify and display an interface alias: Console> (enable) set snmp ifalias 1 Inband port ifIndex 1 alias set Console> (enable) Console> (enable) show snmp ifalias 1 ifIndex ifName ifAlias ---------- -------------------- --------------------------------- Inband port Console>...
Chapter 24 Configuring SNMP Understanding SNMPv3 Figure 24-1 SNMP Entity for Traditional SNMP Agents (diagram: an SNMP engine made up of a Dispatcher with Transport Mapping and Message Dispatcher, a Message Processing Subsystem with v1MP and v2c MP, a Security Subsystem with the User-based security model, and an Access Control Subsystem with the View-based access control model, communicating with other SNMP entities)
Chapter 24 Configuring SNMP Understanding SNMPv3 Security Subsystem The Security Subsystem authenticates and encrypts messages. Each outgoing message is passed to the Security Subsystem from the Message Processing Subsystem. Depending on the services required, the Security Subsystem may encrypt the enclosed PDU and some fields in the message header. In addition, the Security Subsystem may generate an authentication code and insert it into the message header.
Chapter 24 Configuring SNMP Configuring SNMPv3 from an NMS Configuring SNMPv3 from an NMS To configure SNMP from a Network Management System (NMS), refer to your NMS documentation (also see the “Using CiscoWorks2000” section on page 24-17). The switch supports up to 20 trap receivers through the RMON2 trap destination table. Configure the RMON2 trap destination table from the NMS.
Chapter 24 Configuring SNMP Configuring SNMPv3 from the CLI Task Command Step 10 Configure the community table for mappings between different community strings and security models with full permissions. set snmp community index {index_name} name [community_string] security {security_name} context {context_name} transporttag {tag_value} [volatile |...
Chapter 24 Configuring SNMP Configuring SNMPv3 from the CLI These examples show how to set guestuser1 and guestuser2 as members of the groups guestgroup and mygroup: Console> (enable) set snmp group guestgroup user guestuser1 security-model v3 Snmp group was set to guestgroup user guestuser1 and version v3, nonvolatile. Console>...
Using CiscoWorks2000 CiscoWorks2000 is a family of web-based and management platform-independent products for managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot a switched internetwork. For more information, refer to the following publications: •...
C H A P T E R Configuring RMON This chapter describes how to configure RMON on the Catalyst enterprise LAN switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference. This chapter consists of these sections: • Understanding How RMON Works, page 25-1...
Chapter 25 Configuring RMON Enabling RMON Enabling RMON Note RMON is disabled by default. To enable RMON, perform this procedure in privileged mode: Task Command Step 1 Enable RMON. set snmp rmon enable Step 2 Verify that RMON is enabled. show snmp This example shows how to enable RMON and how to verify that RMON is enabled: Console>...
Page 389
Chapter 25 Configuring RMON Supported RMON and RMON2 MIB Objects Table 25-1 Supervisor Engine RMON and RMON2 Support Module Object Identifier (OID) Definition Source Supervisor ...mib-2(1).rmon(16).statistics(1).etherStatsTable(1) Counters for packets, RFC 1757 engine octets, broadcasts, errors, etc. Supervisor ...mib-2(1).rmon(16).history(2).historyControlTable(1) Periodically samples and RFC 1757 engine ...mib-2(1).rmon(16).history(2).etherHistoryTable(2)
Chapter 26 Configuring SPAN and RSPAN
This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4000 family switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Destination Port
A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis. After a port becomes an active destination port, it does not forward any traffic except that required for the SPAN session.
Reflector Port
The reflector port is the mechanism that you use to copy packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device that is connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.
• Inactive VLANs are not allowed for VSPAN configuration.
• A VSPAN session is made inactive if any of the source VLANs become RSPAN VLANs.
Trunk VLAN Filtering
In software release 6.3(1) and later releases, you can use the filter option to select a set of VLANs in a trunk that is used in a SPAN session.
Figure 26-1 Example SPAN Configuration (Port 5 traffic mirrored on Port 10; figure labels: ports 1 to 12, E6, E7, SwitchProbe)
For SPAN configuration, the source ports and the destination port must be on the same switch. SPAN does not affect the switching of network traffic on source ports;...
Configuring SPAN
To configure SPAN, perform this task in privileged mode:
Step 1 Task: Configure a SPAN source and a SPAN destination port. Command: set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]
Step 2...
This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed.
Console>...
• For destination or intermediate switches—Any Catalyst 4500 series or Catalyst 6500 series switch supervisor engine
You cannot place any third-party or other Cisco switches in the end-to-end path for RSPAN traffic.
Understanding How RSPAN Works
Note: See the “Understanding How SPAN and RSPAN Work”...
RSPAN has all the features of SPAN (see the “Understanding How SPAN Works” section on page 26-4), plus support for source ports and destination ports that are distributed across multiple switches, allowing remote monitoring of multiple switches across your network.
• For RSPAN, trunking is required if you have a source switch with all source ports in one VLAN (VLAN 2, for example) and it is connected to the destination switch through an uplink port that is also in the same VLAN.
To configure RSPAN VLANs, perform this task in privileged mode:
Step 1 Task: Configure RSPAN VLANs. Command: set vlan vlan_num [rspan]
Step 2 Task: Verify the RSPAN VLAN configuration. Command: show vlan
This example shows how to set VLAN 500 as an RSPAN VLAN:
Console>...
Reflector : Port 2/34
Rspan Vlan : 500
Admin Source : Port 2/3
Oper Source : Port 2/3
Direction : transmit/receive
Incoming Packets: -
Learning :
Filter : 50,850
Status : active
Console> (enable) 2001 May 02 13:25:59 %SYS-5-SPAN_CFGSTATECHG:remote span source session active for remote span vlan 500
To configure RSPAN source VLANs, perform this task in privileged mode:
Task...
Rspan Vlan : 500
Admin Source
Oper Source
Direction
Incoming Packets: disabled
Learning : enabled
Filter
Status : active
Console> (enable)
Disabling RSPAN Sessions
When disabling an RSPAN session, you must disable all source and destination sessions on all participating switches.
Configuring a Single RSPAN Session
This example shows how to configure a single RSPAN session. Figure 26-3 shows an RSPAN configuration; see Table 26-1 for the necessary commands to configure this RSPAN session. Table 26-1 assumes that you have already set up RSPAN VLAN 901 for this session on all the switches using the set vlan vlan_num rspan command.
Table 26-2 Making Modifications to an Active RSPAN Session (continued)
Switch | Action | RSPAN CLI Commands
B (source) | Remove source port 3/2 from RSPAN session. | set rspan source 3/1, 3/3 901 reflector 3/4
B (source) | Add source port 3/2 to RSPAN session. |
source ports in the access switches (other ports in any of the switches can also be configured for RSPAN). If there is no change in the route for SPAN traffic, the destination switch and the intermediate switches need to be configured only once.
Figure 26-6 Adding Multiple Probes to an RSPAN Session (figure labels: Switch D, destination switch (data center), Probe 1, Probe 2; Switch C, Switch F, intermediate switch(es) (distribution), Probe 3; Switch B, Switch A, Switch E, source switch(es) (access))...
• Setting the System Clock, page 27-4
• Creating a Login Banner, page 27-4
• Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner, page 27-5
• Defining and Using Command Aliases, page 27-6
• Defining and Using IP Aliases, page 27-7
• Configuring Permanent and Static ARP Entries, page 27-8
•...
Chapter 27 Administering the Switch
If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt (a greater-than symbol [>] is appended). The prompt is updated whenever the system name changes, unless you have manually configured the prompt using the set prompt command.
This example shows how to set the system prompt for the switch:
Console> (enable) set prompt Catalyst4012>
Catalyst4012> (enable)
Clearing the System Name
To clear the system name, perform this task in privileged mode:
Task: Clear the system name.
disable 9600 0% Wed Apr 24 2002, 15:46:01
Power Capacity of the Chassis:2 supplies
WARNING:Power supplies of different values have been inserted
System Name              System Location          System Contact
------------------------ ------------------------ ------------------------ ---
Sunnyvale CA sysadmin@corp.com 4006...
Enabling or Disabling the “Cisco Systems Console” Telnet Login Banner
By default, the Cisco Systems Console Telnet login banner is enabled. To enable or disable the “Cisco Systems Console” Telnet login banner, perform this task in privileged mode:
Task Command...
This example shows how to display the Cisco Systems Console Telnet login banner content:
Console> (enable) show banner
MOTD banner:
Welcome to the Catalyst 4012 Switch!
Unauthorized access prohibited.
Contact sysadmin@corp.com for access.
--- -------------------------------------- ------ ---------- -----------------
00-10-7b-f6-b2-1a to 00-10-7b-f6-b2-1f 0.2
Console> (enable) sp3
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
notconnect 1 normal full 1000 1000BaseSX...
This example shows how to define two IP aliases, sparc, which refers to IP address 172.20.52.3, and cat4003, which refers to IP address 172.20.52.71. This example also shows how to verify the currently defined IP aliases:
Console>...
This example sets the ARP aging time:
Console> (enable) set arp agingtime 300
ARP aging time set to 300 seconds.
Console> (enable)
This example shows how to display the ARP cache:
Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries...
The switch forwards IP traffic that is generated by the switch using the longest address match in the IP routing table. The switch does not use the IP routing table to forward traffic from connected devices. The IP routing table is used by the switch only to forward IP traffic that is generated by the switch itself (for example, Telnet, TFTP, and ping).
Note: The maximum scheduled reset time is 24 days.
To schedule a reset at a specific time, perform this task in privileged mode:
Step 1 Task: Schedule the reset time at a specific time. Command: reset [mindown] at {hh:mm} [mm/dd] [reason]
Step 2 Task: Verify the scheduled reset.
This command is a combination of several show system status commands. (Refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference for these commands.) You can upload the report to a TFTP server and send it to the Cisco Technical Assistance Center (TAC).
Chapter 28 Power Management
This chapter describes the power management feature in the Catalyst 4500 series and Catalyst 4000 series switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Power Management Overview
Catalyst 4500 series switches support the following power supplies:
• Fixed wattage—These power supplies always deliver a fixed amount of inline and system power:
–...
Redundant Mode Guidelines
This section describes the guidelines for using redundant mode in the Catalyst 4500 series switches:
• By default, the power supplies in a Catalyst 4500 series switch are set to redundant mode.
•...
Available Power for Power Supplies
Table 28-1 lists the power that is provided by the power supplies for the Catalyst 4500 series switches.
Table 28-1 Available Power
Power Supply | Redundant Mode (W) | Combined Mode (W)
• Combined mode requires that you install two power supplies in your switch. If you have only one power supply, and you set the switch to combined mode, the switch places each module in reset mode.
Understanding How Power Management Works on the Catalyst 4006 Switch
These sections describe how to manage power for the Catalyst 4006 switch.
Note: For information on power management for the Catalyst 4500 series switches, see the “Understanding How Power Management Works on the Catalyst 4500 Series Switches”...
If you choose to use the 1+1 redundancy mode, the type and number of modules that are supported are limited by the power that is available from a single power supply. To determine the power consumption for each module in your chassis, see the “Power Consumption for Modules”...
These scenarios initiate the five-minute evaluation countdown timer. When this timer runs out, the switch tries to resolve this power limitation by evaluating the type and number of modules that are installed.
Power Consumption for Modules
Table 28-2 lists how much power is consumed by the components on the Catalyst 4500 series and the Catalyst 4006 switch. See Table 28-2.
Table 28-2 Power Consumption for Catalyst 4500 Series and 4000 Series Components
Module | Power Consumed During Operation (W) | Power Consumed in Reset Mode (W)
...
Table 28-2 Power Consumption for Catalyst 4500 Series and 4000 Series Components (continued)
Module | Power Consumed During Operation (W) | Power Consumed in Reset Mode (W)
48-port 1000BASE-X Gigabit Ethernet WS-X4448-GB-LX...
If the bridge priority of the Catalyst 4006 switch has been lowered administratively and you use the same configuration in the new Catalyst 4500 series switch, then the switch remains the root switch and the spanning tree topology does not change.
For example, the default allocated power is 7 W for a Cisco IP Phone requiring 6.3 W. The supervisor engine allocates 7 W for the Cisco IP Phone and powers it up. After the Cisco IP Phone is operational, it sends a CDP message with the actual power requirement to the supervisor engine. The supervisor engine then decreases the allocated power to the required amount if the port is set to Auto mode.
Auto mode. In addition, the switching module informs the supervisor engine if an unpowered phone is removed.
Caution: When you plug a Cisco IP phone into a port and turn the power on, the supervisor engine waits 4 seconds for the link to go up on the line.
Wall-power
Inline power
Network switching
If you insert a Cisco legacy powered device and remove it before it can boot, and then insert a network device within...
This example shows how to set the power management mode to redundant:
Console>(enable) set power budget 1
Console> (enable) show environment power
Total Inline Power Available: 774.00 Watts (15.48 Amps @50V)
Total Inline Power Drawn From the System: 62.00 Watts ( 1.24 Amps @50V)
Remaining Inline Power in the System: 696.50 Watts (13.93 Amps @50V)
Configured Default Inline Power allocation per port: 15.400 Watts (0.30 Amps @50V)
Module Total Allocated Max H/W Supported Max H/W Supported...
Setting the DC Power Input
To set the DC power input for the 1400 W DC power supply, perform this task in privileged mode:
Step 1 Task: Set the input wattage for the 1400 W DC power supply. Command: set power dcinput
Step 2 Task: Verify the configuration.
This example shows how to set the power budget to 1 (1+1 redundancy mode) and display the power budget and current power usage for the switch:
Console> (enable) set power budget 1
Warning: Your power supply budget will be constrained to the power available from only one power supply.
System Name              System Location          System Contact
------------------------ ------------------------ ------------------------ ---
Switch#
Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch
To migrate your supervisor engine from a Catalyst 4006 switch to a Catalyst 4503 or 4506 switch, perform this task:
Task Command...
Note: If you configure max-wattage values that are multiples of 420 on a Catalyst 4500 series switch with the set port inlinepower mod/port static | auto max-wattage command, the power drawn from the global allocation is possibly slightly smaller than the power reported in the Total PWR Allocated to Module field of the show environment power command.
Total inline power drawn by module 6: 26.46 Watts ( 0.63 Amps @42V)
Port  InlinePowered  PowerAllocated  Device    IEEE class  DiscoverMode
      Admin  Oper    Detected  mWatt  mA @42V
----- ------ ------ -------- ----- -------- ---------- ---------- ------------
      static on      5040 Cisco None cisco
Port  Maximum Power   Actual Consumption  absentCounter  OverCurrent
      mWatt  mA @42V  mWatt...
• Configuring VoIP on a Switch, page 29-3
Hardware and Software Requirements
The hardware and software requirements for the Catalyst 4500 series switches and Cisco CallManager are as follows:
• Catalyst 4006, Catalyst 4500 series, Catalyst 5000 family, and Catalyst 6500 series switches running...
Catalyst 4000, 4500, 2926G, or 2926 series switches can connect to an IP Phone and carry IP voice traffic. If necessary, the switch can supply electrical power to the circuit connecting it to an IP Phone. Cisco classifies three types of IP phones based on the discovery methods that are used to discover the phone: •...
• The Catalyst 4500 series switch can sense if it is connected to a Cisco IP Phone. The Catalyst 4006 or Catalyst 4500 series switch can supply inline power to an IP Phone if there is no power on the circuit.
Chapter 30 Configuring Switch Access Using AAA
This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
• Local user authentication
• TACACS+ authentication
• RADIUS authentication
• Kerberos authentication
Note: Kerberos authentication does not work if TACACS+ is used as the authentication method.
When local authentication is enabled together with one or more other authentication methods, local authentication is always attempted last.
Understanding How Local User Authentication Works
Local user authentication uses local user accounts and passwords that you create to validate the login attempts of local users. Each switch can have a maximum of 25 local user accounts. Before you can enable local user authentication, you must define at least one local user account.
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ transmitted packets.
RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.
Table 30-1 Kerberos Terminology (continued)
Term | Definition
SRVTAB | A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.
Figure 30-1 Kerberized Telnet Connection (figure labels: Host (Telnet client), Kerberos server (contains KDC), Catalyst 4000 switch)
Using a Non-Kerberized Login Procedure
If you log into a switch using a non-Kerberized login procedure, the switch takes care of authentication to the KDC on behalf of the login client.
Figure 30-2 Non-Kerberized Telnet Connection
Configuring Authentication
The following sections describe how to configure the different authentication methods.
Authentication Default Configuration
Table 30-2 shows the default configuration for authentication.
Table 30-2 Default Authentication Configuration
Feature | Default
Login authentication (console and Telnet) |
Table 30-2 Default Authentication Configuration (continued)
Feature | Default
Kerberos login authentication (console and Telnet) | Disabled
Kerberos enable authentication (console and Telnet) | Disabled
Kerberos server IP address | None specified
Kerberos DES key | None specified
Kerberos server auth-port | Port 750...
Setting Authentication Login Attempts on the Switch
To set authentication login attempts on the switch, perform this task in privileged mode:
Step 1 Task: Set authentication login attempts on the switch. Use the console or telnet keywords if you want to enable local... Command: set authentication login attempt {count} [console | telnet]...
Setting Authentication Login Attempts for Privileged Mode
To set authentication login attempts for privileged mode, perform this task in privileged mode:
Step 1 Task: Set authentication login attempts for privileged mode. Enter the console or telnet keywords if you want to... Command: set authentication enable attempt {count} [console | telnet]...
Configuring Local Authentication
The following sections describe how to configure local authentication on the switch.
Enabling Local Authentication
Note: Local login and enable authentication are enabled for both console and Telnet connections by default. You do not need to perform these tasks unless you want to modify the default configuration or you have disabled local authentication.
Setting the Login Password
The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to 30 characters, and use any printable ASCII characters, including a space. Passwords that are set in software release 5.3 and earlier releases remain non-case sensitive.
Disabling Local Authentication
Caution: Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication when RADIUS or TACACS+ is not correctly configured, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the switch.
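The conditions this chapter states, as an added Python example that is not Cisco's code or the switch's own logic: it parses a constructed `show tacacs` listing modelled on the guide's sample output, models the method ordering the chapter describes (the primary method first, local always last; the relative order of the other remote methods is an assumption), and reports the lockout and Kerberos-with-TACACS+ conditions the text warns about.

```python
"""Audit of CatOS AAA login settings (added example, not Cisco's code).

Models what this chapter states: local authentication, when enabled with other
methods, is tried last; the primary keyword picks the method tried first;
Kerberos does not work when TACACS+ is the authentication method; and disabling
local authentication without a working TACACS+/RADIUS setup risks lockout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the `show tacacs` listing in the guide.
SAMPLE_SHOW_TACACS = """\
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
"""

# Remote methods in the order they are assumed to be tried when no primary
# keyword is set (assumption: the guide only fixes primary first, local last).
REMOTE_METHODS = ("tacacs", "radius", "kerberos")


@dataclass
class TacacsConfig:
    key_set: bool = False
    login_attempts: int = 0
    timeout_seconds: int = 0
    servers: List[str] = field(default_factory=list)
    primary: Optional[str] = None


def parse_show_tacacs(text: str) -> TacacsConfig:
    """Parse a `show tacacs` listing into a TacacsConfig."""
    cfg = TacacsConfig()
    in_table = False
    for line in text.splitlines():
        if in_table:
            parts = line.split()
            if parts:
                cfg.servers.append(parts[0])
                if len(parts) > 1 and parts[1].lower() == "primary":
                    cfg.primary = parts[0]
            continue
        if line.startswith("-----"):
            in_table = True          # server rows follow the dashed rule
            continue
        m = re.match(r"Tacacs key:\s*(.*)$", line)
        if m:
            cfg.key_set = bool(m.group(1).strip())
        m = re.match(r"Tacacs login attempts:\s*(\d+)", line)
        if m:
            cfg.login_attempts = int(m.group(1))
        m = re.match(r"Tacacs timeout:\s*(\d+)", line)
        if m:
            cfg.timeout_seconds = int(m.group(1))
    return cfg


def authentication_order(enabled: Dict[str, bool],
                         primary: Optional[str] = None) -> List[str]:
    """Order in which enabled login methods are tried: primary first, local last."""
    order = [m for m in REMOTE_METHODS if enabled.get(m)]
    if primary in order:
        order.remove(primary)
        order.insert(0, primary)
    if enabled.get("local"):
        order.append("local")
    return order


def audit(tacacs: TacacsConfig, enabled: Dict[str, bool]) -> List[str]:
    """Return findings for the configuration states the chapter warns about."""
    findings = []
    if enabled.get("tacacs") and enabled.get("kerberos"):
        findings.append("Kerberos authentication does not work when TACACS+ is in use")
    if enabled.get("tacacs") and not tacacs.servers:
        findings.append("TACACS+ authentication enabled but no TACACS+ server configured")
    if enabled.get("tacacs") and not tacacs.key_set:
        findings.append("no TACACS+ key set; TACACS+ packets are not encrypted")
    if not enabled.get("local"):
        remote_ok = (enabled.get("tacacs") and tacacs.servers) or enabled.get("radius")
        if not remote_ok:
            findings.append("local authentication disabled with no usable remote method: lockout risk")
    return findings


if __name__ == "__main__":
    cfg = parse_show_tacacs(SAMPLE_SHOW_TACACS)
    methods = {"tacacs": True, "local": True}
    print("order:", authentication_order(methods))
    for finding in audit(cfg, methods):
        print("finding:", finding)
```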
Step 1 Connect to the switch through the supervisor engine console port. You cannot recover the password if you are connected through a Telnet connection.
Step 2 Enter the reset system command to reboot the switch.
Step 3 At the “Enter Password”...
Enabling Local User Authentication
To enable local user authentication on the switch, perform this task in privileged mode:
Step 1 Task: Enable local user authentication. Command: set localuser authentication enable
Step 2 Task: Verify the local user authentication configuration.
This example shows how to specify TACACS+ servers and verify the configuration:
Console> (enable) set tacacs server 172.20.52.3
172.20.52.3 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.2 primary
172.20.52.2 added to TACACS server table as primary server.
To enable TACACS+ authentication, perform this task in privileged mode:
Step 1 Task: Enable TACACS+ authentication for normal login mode. Enter the console or telnet keywords if you want to enable TACACS+ only for console port or Telnet connection attempts. Command: set authentication login tacacs enable [all | console | http | telnet] [primary]
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
Setting the TACACS+ Timeout Interval
You can set the timeout interval between retransmissions to the TACACS+ server. The default timeout is 5 seconds.
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 5
Tacacs timeout: 30 seconds
Tacacs direct request: disabled
Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
Enabling TACACS+ Directed Request
When TACACS+ directed request is enabled, you must specify the host name of a configured TACACS+ server (in the form username@server_hostname) or the authentication request will fail.
Clearing TACACS+ Servers
To clear one or more TACACS+ servers, perform this task in privileged mode:
Step 1 Task: Specify the IP address of the TACACS+ server to clear from the configuration. Command: clear tacacs server [ip_addr | all]
To disable TACACS+ authentication, perform this task in privileged mode:
Step 1 Task: Disable TACACS+ authentication for normal login mode. Use the console or telnet keywords if you want to disable TACACS+ only for console port or Telnet connection attempts. Command: set authentication login tacacs disable [all | console | http | telnet]
This example shows how to specify a RADIUS server and verify the configuration:
Console> (enable) set radius server 172.20.52.3
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console>...
Note: To use RADIUS authentication for enable mode, you need to create a user with the name $enab15$ on the RADIUS server, and assign a password to that user. This user needs to be created in addition to your assigned username and password on the RADIUS server (example: username john, password hello). After you log in to the Catalyst 4500 series switch with your assigned username and password (john/hello), you can enter enable mode using the password that is assigned to the $enab15$ user.
Setting the RADIUS Retransmit Count
You can set the number of times the switch will attempt to contact a RADIUS server before the next configured server is tried. By default, each RADIUS server will be tried two times. To set the RADIUS retransmit count, perform this task in privileged mode:
Task Command...
To set the RADIUS dead time, perform this task in privileged mode:
Step 1 Task: Set the RADIUS server dead time interval. Command: set radius deadtime minutes
Step 2 Task: Verify the RADIUS configuration. Command: show radius
This example shows how to set the RADIUS dead time interval and verify the configuration:
Console>...
This example shows how to specify and enable the framed-IP address attribute by number:
Console> (enable) set radius attribute 8 include-in-access-req enable
Transmission of Framed-ip address in access-request packet is enabled.
Console>...
This example shows how to clear the RADIUS key and verify the configuration:
Console> (enable) clear radius key
Radius key cleared.
Console> (enable) show radius
Login Authentication:     Console Session     Telnet Session
--------------------- ---------------- ----------------...
Step 1 KDC will use. In the following example, a database called CISCO.EDU is created:
/usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2 Add the switch to the database. The following example adds a switch called Cat4012 to the CISCO.EDU database:
ank host/Cat4012.cisco.edu@CISCO.EDU...
This example shows how to enable Kerberos as the login authentication method for Telnet and verify the configuration:
Console> (enable) set authentication login kerberos enable telnet
kerberos login authentication set to enable for telnet session.
Console>...
This example shows how to define a local realm and how to verify the configuration:
Console> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM.
Console> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM,...
Task: Clear the Kerberos realm domain or host mapping entry. Command: clear kerberos realm {dns-domain | host} kerberos-realm
This example shows how to map a Kerberos realm, called CISCO.COM, to a DNS domain and how to clear the entry:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM...
Page 479
This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration: Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab Console> (enable) Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM...
Page 480
Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9 Console> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console>...
Page 481
Chapter 30 Configuring Switch Access Using AAA Configuring Authentication This example shows how to disable the credentials forwarding configuration and verify the change: Console> (enable) clear kerberos credentials forward Kerberos credentials forwarding disabled Console> (enable) show kerberos Kerberos Local Realm not configured Kerberos server entries: Kerberos Domain<->Realm entries: Kerberos Clients NOT Mandatory...
Page 482
Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key:abcd Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11 Console> (enable) To clear the DES key, perform this task in privileged mode: Task Command Clear a DES key from the switch.
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9
Console> (enable)
To display the Kerberos credentials, perform this task in privileged mode:...
This example shows how to clear all credentials from the switch:
Console> (enable) clear kerberos creds
Console> (enable)
Authentication Example
Figure 30-3 shows a simple network topology using TACACS+. In this example, TACACS+ authentication is enabled and local authentication is disabled for both login and enable access to the switch for all Telnet connections.
Console> (enable) set authentication enable local disable telnet
local enable authentication set to disable for telnet session.
Console> (enable) show tacacs
Tacacs key: tintin_et_milou
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server Status...
TACACS+ Command Authorization
You can require authorization for all commands or for configuration (enable mode) commands only. Configuration commands include the following:
• copy
• clear
• commit
• configure
•...
Configuring Authorization
The following sections describe how to configure authorization.
Authorization Default Configuration
Table 30-3 shows the default authorization configuration.
Table 30-3 Default Authorization Configuration
Feature / Default
TACACS+ login authorization (console and Telnet): Disabled
TACACS+ EXEC authorization (console and Telnet): Disabled...
Enabling TACACS+ Authorization
To enable TACACS+ authorization on the switch, perform this task in privileged mode:
Step 1 Task: Enable authorization for normal login mode. Enter the console or telnet keywords if you want to enable authorization only for console port or...
Command: set authorization exec enable {option} {fallbackoption} [console | telnet | both]
config:    tacacs+  deny
all:
Console:
--------
           Primary  Fallback
           -------- --------
exec:      tacacs+  deny
enable:    tacacs+  deny
commands:
config:    tacacs+  deny
all:
Console> (enable)
Disabling TACACS+ Authorization
To disable TACACS+ authorization on the switch, perform this task in privileged mode:
Task Command Step 1...
This example shows how to disable TACACS+ command authorization for both console and Telnet connections and how to verify the configuration:
Console> (enable) set authorization commands disable both
Successfully disabled commands authorization.
Console>...
Figure 30-4 Example of a TACACS+ Network Topology (figure: TACACS+ server 172.20.52.10, switch, console port connection, terminal, Workstation A)
This example shows that TACACS+ authorization is enabled for enable mode access to the switch for both Telnet and console connections, authorizing configuration commands:
Console>...
Understanding How Accounting Works
Accounting Overview
You can configure these accounting methods to monitor access to the switch:
• TACACS+ accounting
• RADIUS accounting
Accounting allows you to track user activity to a specified host, suspicious connection attempts in the network, and unauthorized changes to the NAS configuration.
Accounting records are created and sent to the server at two events:
• Start-stop—Accounting records are sent at both the start and stop of an action if the action has duration.
Configuring Accounting
Updating the Server
You can configure the switch to send accounting information to the TACACS+ server. There are two options:
• Newinfo—Sends accounting information to the server only when new accounting information becomes available.
Note: The amount of DRAM that is allocated for one accounting event is approximately 500 bytes. The total amount of DRAM that is used by accounting depends on the number of concurrent accountable events occurring in the system.
This example shows how to periodically update the server:
Console> (enable) set accounting update periodic 120
Accounting updates will be periodic at 120 minute intervals.
Console> (enable)
This example shows how to verify the configuration:
Console>...
Console> (enable) set accounting system disable
Accounting set to disable for system events.
Console> (enable)
Console> (enable) set accounting commands disable
Accounting set to disable for commands-all events.
Console> (enable)
This example shows how to disable suppression of unknown users:
Console>...
Accounting Example
Figure 30-5 Example of a TACACS+ Network Topology (figure: TACACS+ server 172.20.52.10, switch, console port connection, terminal, Workstation A)
This example shows that TACACS+ accounting is enabled for connection, EXEC, system, and all command accounting:
Console>...
Chapter 31 Configuring 802.1x Authentication
This chapter describes how to configure 802.1x authentication on the Catalyst 4000 family switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference publication.
In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Understanding How 802.1x Authentication Works
Authentication Initiation and Message Exchange
The switch or the host can initiate authentication. If you enable authentication on a port by using the set port dot1x mod/port port-control auto command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
Ports in Authorized and Unauthorized States
The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets.
Table 31-1 802.1x Terminology
Term / Definition
Authenticator PAE (referred to as the “authenticator”): entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange.
802.1x Parameters Configurable on the Switch
With 802.1x, you can do the following:
• Specify force-authorized port control, force-unauthorized port control, or automatic 802.1x port control
• Enable or disable multiple hosts on a specific port
•...
NVRAM-configured VLAN. In order for the 802.1x VLAN assignment using a RADIUS server to successfully complete, the RADIUS server must return the following three RFC 2868 attributes back to the authenticator (the Cisco switch to which the host attaches):
• [64] Tunnel-Type = VLAN
•...
Authentication Configuration Guidelines
This section provides the guidelines for configuring 802.1x authentication on the switch:
• 802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
Configuring 802.1x Authentication on the Switch
To globally disable 802.1x authentication, perform this task in privileged mode:
Task: Globally disable 802.1x.
Command: set dot1x system-auth-control disable
This example shows how to globally disable 802.1x authentication:
Console>...
Setting and Enabling Automatic Reauthentication of the Host
You can specify how often 802.1x reauthenticates the host, provided you set the period before enabling automatic 802.1x host reauthentication. If you do not specify a time period before enabling host reauthentication, 802.1x defaults to 3600 seconds (the valid values are from 1–65,535 seconds).
Enabling Multiple Hosts
You can enable a specific port to allow multiple-user access. When a port is enabled for multiple users, and a host that is connected to that port is authorized successfully, any host (with any MAC address) is allowed to send and receive traffic on that port.
Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames
The host notifies the authenticator that it received the EAP-request/identity frame. When the authenticator does not receive this notification, the authenticator waits a set period of time and then retransmits the frame.
Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets
The authentication server notifies the back-end authenticator each time it receives a transport layer packet. When the back-end authenticator does not receive a notification after sending a packet, the back-end authenticator waits a set period of time, and then retransmits the packet.
To set the period of time that a port will be disabled after a security violation, perform this task in privileged mode:
Task: Set the shutdown timeout period.
Command: set dot1x shutdown-timeout seconds (1-65535)
This example shows how to set the shutdown timeout period:...
This example shows how to set the number of retransmitted frames that are sent from the back-end authenticator to the host to 4:
Console> (enable) set dot1x max-req 4
dot1x max-req set to 4.
Using the show Commands
You can use these show commands to access information about 802.1x authentication and its configuration:
• show port dot1x help
• show port dot1x
• show port dot1x statistics
•...
This example shows how to display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on port 1 on module 4:
Console>...
Chapter 32 Modifying the Switch Boot Configuration
This chapter describes how to modify the switch boot configuration, including the BOOT environment variable and the configuration register on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Understanding How the Switch Boot Configuration Works
Understanding the ROM Monitor
The ROM monitor code executes upon switch power-up, reset, or when a fatal exception occurs. The system enters ROM-monitor mode if the switch does not find a valid system image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode.
• Bit 8 (0x0100): Disables break.
• Bit 9 (0x0200): Uses secondary bootstrap (not used by the ROM monitor).
• Bit 10 (0x0400): Provides IP broadcast with all zeros (not used).
•...
If any specified file is not a valid configuration file, the entry is skipped and subsequent files are tried until there are no additional images specified. If no valid configuration file is specified, the system retains the last configuration stored in NVRAM.
Setting the Configuration Register
To set the configuration register boot field, perform this task in privileged mode:
Task: Specify the boot field in the configuration register.
Command: set boot config-register boot {rommon | bootflash | system} [mod_num]
This example shows how to force the switch to enter ROM-monitor mode at the next startup:
Console>...
Setting the Switch to Ignore the NVRAM Configuration
You can cause the system software to ignore the configuration information that is stored in NVRAM when the switch is restarted. This command affects only the configuration register bits that control whether the switch ignores the NVRAM configuration and leaves the remaining bits unaltered.
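The configuration register bits described above decide whether a reload honours the stored NVRAM configuration, stops in the ROM monitor, or can be interrupted by a console break, so a configuration review should decode the register rather than eyeball the hex. The following decoder and audit helper is an added example, not code from the Cisco guide: bits 8, 9 and 10 carry the meanings listed above, while the boot field (bits 0-3, mapped to the rommon/bootflash/system keywords) and the ignore-NVRAM bit (bit 6, 0x0040) are assumed from the standard Cisco configuration register layout, and the sample register values are constructed.

```python
"""Decode and audit a Catalyst configuration register value.

Added example; not part of the Cisco guide. Bits 8, 9 and 10 use the
meanings the guide lists. The boot field (bits 0-3) and the ignore-NVRAM
bit (bit 6, 0x0040) are assumed from the standard Cisco configuration
register layout; the sample register values below are constructed.
"""
from dataclasses import dataclass

BOOT_FIELD_MASK = 0x000F       # bits 0-3: boot field (assumed layout)
IGNORE_NVRAM = 0x0040          # bit 6: ignore NVRAM configuration (assumed)
DISABLE_BREAK = 0x0100         # bit 8: disables break (from the guide)
SECONDARY_BOOTSTRAP = 0x0200   # bit 9: secondary bootstrap (from the guide)
IP_BROADCAST_ZEROS = 0x0400    # bit 10: all-zeros IP broadcast (from the guide)


@dataclass(frozen=True)
class ConfigRegister:
    value: int
    boot: str            # "rommon", "bootflash" or "system"
    ignore_nvram: bool
    disable_break: bool
    secondary_bootstrap: bool
    ip_broadcast_zeros: bool


def parse_register(text: str) -> int:
    """Accept the forms an operator types or sees: '0x2102', '2102', '0X2142'."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return value


def boot_field_name(value: int) -> str:
    """Map the boot field to the keywords of 'set boot config-register boot'.

    0x0 = rommon, 0x1 = bootflash, 0x2-0xF = system (boot from the BOOT
    environment variable). The numeric mapping is assumed from the standard
    Cisco layout, not taken from the guide.
    """
    field = value & BOOT_FIELD_MASK
    if field == 0x0:
        return "rommon"
    if field == 0x1:
        return "bootflash"
    return "system"


def decode(value: int) -> ConfigRegister:
    """Split a 16-bit register into the fields a reviewer cares about."""
    return ConfigRegister(
        value=value,
        boot=boot_field_name(value),
        ignore_nvram=bool(value & IGNORE_NVRAM),
        disable_break=bool(value & DISABLE_BREAK),
        secondary_bootstrap=bool(value & SECONDARY_BOOTSTRAP),
        ip_broadcast_zeros=bool(value & IP_BROADCAST_ZEROS),
    )


def audit(value: int) -> list[str]:
    """Return the findings a configuration review would raise for this register.

    A register that boots from the BOOT variable, honours the NVRAM
    configuration and has break disabled returns an empty list.
    """
    reg = decode(value)
    findings = []
    if reg.ignore_nvram:
        findings.append("ignore-NVRAM bit set: the stored configuration, "
                        "including passwords, is bypassed at the next reload")
    if reg.boot == "rommon":
        findings.append("boot field is rommon: the switch stops in the "
                        "ROM monitor at the next reload")
    if not reg.disable_break:
        findings.append("break not disabled: a console break during boot "
                        "can interrupt startup")
    return findings


if __name__ == "__main__":
    # Constructed sample values: a typical default register, one with the
    # ignore-NVRAM bit set, and one whose boot field selects the ROM monitor.
    for sample in ("0x2102", "0x2142", "0x2100"):
        reg = decode(parse_register(sample))
        print(f"{sample}: boot={reg.boot} ignore_nvram={reg.ignore_nvram} "
              f"disable_break={reg.disable_break}")
        for finding in audit(reg.value):
            print("  -", finding)
```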
Clearing the BOOT Environment Variable Settings
To clear entries from the BOOT environment variable, perform one of these tasks in privileged mode:
Task: Clear a specific image from the BOOT environment variable.
Command: clear boot system flash device:[filename]
This example shows how to add a list of configuration files to the CONFIG_FILE environment variable:
Console> (enable) set boot auto-config bootflash:generic.cfg;bootflash:4003_1_noc.cfg
CONFIG_FILE variable = bootflash:generic.cfg;bootflash:4003_1_noc.cfg
WARNING: nvram configuration may be lost during next bootup, and re-configured using the file(s) specified.
Chapter 33 Working with System Software Images
This chapter describes how to work with system software image files on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Downloading System Software Images to the Switch Using TFTP
Understanding How TFTP Software Image Downloads Work
You can download system software images to the switch using the Trivial File Transfer Protocol (TFTP). TFTP allows you to download system image files over the network from a TFTP server. When you download a software image, the image file is downloaded to the supervisor engine Flash memory.
This command will reset the system.
Do you want to continue (y/n) [n]? y
Console> (enable) 07/21/2000,13:51:39:SYS-5:System reset from Console//
System Bootstrap, Version 3.1(2)
Copyright (c) 1994-1997 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory
Autoboot executing command: "boot bootflash:cat4000.6-1-1.bin"
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
EARL RAM Test ....Passed
EARL Serial Prom Test ..Passed
Level2 Cache ....Present
Level2 Cache test....Passed
Boot image: bootflash:cat4000.6-1-1.bin
Cisco Systems Console
Enter password:
07/21/2000,13:52:51:SYS-5:Module 1 is online
07/21/2000,13:53:11:SYS-5:Module 4 is online
07/21/2000,13:53:11:SYS-5:Module 5 is online
07/21/2000,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
Preparing to Upload an Image to a TFTP Server
Before you attempt to upload a software image to a TFTP server, do the following:
•...
Downloading System Software Images to the Switch Using rcp
Understanding How rcp Software Image Downloads Work
You can download system software images to the switch using the remote copy protocol (rcp); rcp allows you to download system image files over the network from an rcp server.
This command will reset the system.
Do you want to continue (y/n) [n]? y
Console> (enable) 07/21/2000,13:51:39:SYS-5:System reset from Console//
System Bootstrap, Version 3.1(2)
Copyright (c) 1994-1997 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory
Autoboot executing command: "boot bootflash:cat4000.6-1-1.bin"
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
EARL RAM Test ....Passed
EARL Serial Prom Test ..Passed
Level2 Cache ....Present
Level2 Cache test....Passed
Boot image: bootflash:cat4000.6-1-1.bin
Cisco Systems Console
Enter password:
07/21/2000,13:52:51:SYS-5:Module 1 is online
07/21/2000,13:53:11:SYS-5:Module 4 is online
07/21/2000,13:53:11:SYS-5:Module 5 is online
07/21/2000,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
You can do this procedure entirely over a Telnet connection, but if something fails, you will need to have access to the console serial port. If done improperly, the system can be rendered unbootable. It will then have to be returned to Cisco for repair.
ROMMON versions, but you will have to substitute appropriate version numbers in the upgrade image names. To upgrade the ROMMON, follow these steps:
Step 1 Download the promupgrade program from Cisco.com and place it on a TFTP server in a directory that is accessible from the switch to be upgraded.
OIR of the supervisor engine, and so on, for at least 5 minutes. If the process is not allowed to complete, you might damage the switch and have to return it to Cisco for repair. Upgrading the ROMMON may require up to 5 minutes because the switch boots the promupgrade image.
The ROMMON version number is listed as the System Bootstrap Version. For example, the following system is running ROMMON version 6.1(4):
Console> (enable) show version
WS-C4003 Software, Version NmpSW:5.5(8)
Copyright (c) 1995-2001 by Cisco Systems, Inc.
NMP S/W compiled on May 24 2001, 21:12:09
GSP S/W compiled on May 24 2001, 18:39:50
System Bootstrap Version:6.1(4)
Hardware Version:1.0 Model:WS-C4003 Serial #:xxxxxxxxx
Console> (enable)
Step 10 Enter the clear boot system flash promupgrade_image command to remove the promupgrade program from the autoboot string.
Chapter 34 Working With the Flash File System
This chapter describes how to use the Flash file system on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, see the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Working With the Flash File System on the Switch
Setting the Text File Configuration Mode
When you configure the switch to use text file configuration mode, the switch stores its configuration as a text file in nonvolatile storage, either in NVRAM or Flash memory.
Task: Display a list of all files on a Flash device, including all deleted files.
Command: dir [[m/]device:][filename] all
Task: Display a detailed list of files on a Flash device.
Command: dir [[m/]device:][filename] long
This example shows how to list the files on the default Flash device:
Console>...
Copying Files
Enter the copy command to perform these tasks:
• Download a system image or configuration file from a TFTP or rcp server to a Flash device
•...
This example shows how to copy the running configuration to Flash memory:
Console> (enable) copy config flash
Flash device [bootflash]? bootflash:
Name of file to copy to []? 4012_config.cfg
Upload configuration to bootflash:4012_config.cfg
9942096 bytes available on device bootflash, proceed (y/n) [n]? y
..
To delete files from a Flash device, perform this task in privileged mode:
Step 1 Task: Delete a file from a Flash device. Command: delete [[m/]device:]filename
Step 2 If desired, permanently remove all deleted files on the Flash device...
Verifying a File Checksum
To verify the checksum of a file on a Flash device, perform this task in privileged mode:
Task: Verify the checksum of a file on a Flash device.
Chapter 35 Working with Configuration Files
This chapter describes how to work with switch configuration files on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Creating a Configuration File
If passwords already exist, you cannot enter the set password and set enablepass commands because the password verification will fail. If you enter passwords in the configuration file, the switch mistakenly attempts to execute the passwords as commands as it executes the file. Some commands must be followed by a blank line in the configuration file.
To configure a switch using a configuration file stored on a Flash device in the Flash file system, follow these steps:
Step 1 Log in to the switch through the console port or a Telnet session.
Step 2 Locate the configuration file using the cd and dir commands (for more information, see the “Listing the...
Preparing to Download a Configuration File Using TFTP
Before you begin downloading a configuration file using TFTP, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly.
•...
Preparing to Upload a Configuration File to a TFTP Server
Before you attempt to upload a configuration file to a TFTP server, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly.
•...
have access to a server that supports rsh. (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file.
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)
Uploading Configuration Files to an rcp Server
The next two sections describe how to upload the running configuration or a configuration file stored on a Flash device to an rcp server.
Clearing the Configuration
To clear the configuration on the entire switch, perform this task in privileged mode:
Task: Clear the switch configuration.
Command: clear config all
This example shows how to clear the configuration for the entire switch:
Console>...
Chapter 36 Configuring Switch Acceleration
This chapter describes the Backplane Channel Module and the switch acceleration feature that are supported on the Catalyst 4000 family supervisor engine. This chapter consists of these sections:
• Understanding How Switch Acceleration Works, page 36-1
• Configuring Switch Acceleration on the Switch, page 36-2
•...
Configuring Switch Acceleration on the Switch
Switch acceleration is supported in different configuration modes. Supervisor Engine II supports a mesh configuration with no uplink connections. With the Backplane Channel Module installed, two additional modes are supported. Figure 36-1 shows the possible configurations.
Enabling Switch Acceleration
To enable switch acceleration, perform this task in privileged mode:
Step 1 Task: Disable front-panel Gigabit Ethernet ports. Command: set port disable mod_num/port_num
Step 2 Task: Enable switch acceleration. Command: set switchacceleration {enable | disable} mod-num
This example shows how to enable switch acceleration on the switch:
Console>...
Backplane Channel Module
The Backplane Channel Module provides the following benefits in the default configuration mode:
• Full-mesh connection between all three switch engines
• Multilink load balancing between SE1 and SE2 and between SE2 and SE3
•...
Chapter 37 Configuring System Message Logging
This chapter describes how to configure system message logging on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Understanding How System Message Logging Works
Table 37-1 describes the facility types that are supported by the system message logs.
Table 37-1 System Message Log Facilities
Facility Name / Definition
Cisco Discovery Protocol
Dynamic Trunking Protocol
drip: Dual Ring Protocol
dvlan: Dynamic VLAN...
System Log Message Format
Table 37-2 describes the severity levels that are supported by the system message logs.
Table 37-2 Definitions of System Message Log Severity Levels
Severity Level / Keyword / Description
emergencies: System unusable
alerts: Immediate action required
critical...
Default System Message Logging Configuration
Table 37-4 describes the severity levels that are supported by the system message logs.
Table 37-4 Definitions of System Message Log Severity Levels
Severity Level / Keyword / Description...
Configuring System Message Logging on the Switch
The following sections describe how to configure system message logging on the switch.
Configuring Session Logging Settings
By default, system logging messages are sent to console and Telnet sessions based on the default logging facility and severity values.
This example shows how to disable logging to the current Telnet session:
Console> (enable) set logging session disable
System logging messages will not be sent to the current login session.
Console>...
Setting the Logging Buffer Size
To set the number of messages to log to the logging buffer, perform this task in privileged mode:
Step 1 Task: Set the number of messages to log to the logging buffer. Command: set logging buffer buffer_size
The switch sends messages according to specified facility types and severity levels. The user keyword specifies the UNIX logging facility that is used. The messages from the switch are generated by user processes.
To delete a syslog server from the syslog server table, perform this task in privileged mode:
Task: Delete a syslog server from the syslog server table.
Command: clear logging server ip_addr
This example shows how to delete a syslog server from the syslog server table:
Console>...
fddi filesys gvrp kernel mcast mgmt pagp protfilt pruning radius security snmp spantree telnet tftp udld vmps
0(emergencies) 1(alerts) 2(critical) 3(errors) 4(warnings) 5(notifications) 6(information) 7(debugging)
Console> (enable)
Displaying System Messages
Use the show logging buffer command to display the messages in the switch logging buffer.
This example shows how to display the last five messages in the buffer:
Console> (enable) show logging buffer -5
%PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1
%SPANTREE-5-PORTDEL_SUCCESS:3/2 deleted from vlan 1 (PAgP_Group_Rx)
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2...
Chapter 38 Configuring DNS
This chapter describes how to configure the Domain Name System (DNS) on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Table 38-1 Default DNS Configuration (continued)
Feature / Default Value
DNS default domain name: Null
DNS servers: None specified
Configuring DNS on the Switch
The following sections describe how to configure DNS:
•...
Clearing a DNS Server
To clear DNS servers from the DNS server table, perform this task in privileged mode:
Step 1 Task: Clear one or all of the DNS servers from the table. Command: clear ip dns server [ip_addr | all]
Step 2 Verify the DNS configuration.
Chapter 39 Configuring NTP
This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference.
Cisco's implementation of NTP does not support stratum 1 service; you cannot connect the switch directly to a radio or atomic clock. We recommend that you obtain time service for your network from the public NTP servers available on the IP Internet. Because time from servers outside your administrative control arrives over an untrusted path, and accurate time is what makes system message timestamps and authentication records usable, enable NTP authentication (set ntp authentication enable, shown in the configuration example in this chapter) so that the switch accepts updates only from servers it can verify.
Configuring NTP on the Switch

To enable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Step 1  Enable NTP broadcast-client mode.
        set ntp broadcastclient enable
Step 2  (Optional) Set the estimated NTP broadcast packet delay.
        set ntp broadcast delay microseconds
Step 3  Verify the NTP configuration.
This example shows how to configure the NTP server address, enable NTP client mode on the switch, and verify the configuration:

Console> (enable) set ntp server 172.20.52.65
NTP server 172.20.52.65 added.
Console>...
Console> (enable) set ntp client enable
NTP Client mode enabled
Console> (enable) set ntp authentication enable
NTP authentication feature enabled
Console> (enable) show ntp
Current time: Tue Jun 23 1998, 20:29:25
Timezone: '', offset from UTC is 0 hours
Summertime: '', disabled
Last NTP update: Tue Jun 23 1998, 20:29:07
...
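Verifying NTP is not only a matter of seeing client mode enabled: a switch whose last update is old is free-running, and its syslog timestamps and authentication records can no longer be correlated with other systems. As an added example that is not part of the Cisco guide, the Python code below extracts the Current time and Last NTP update stamps from show ntp output and reports the age of the last update. The embedded output reproduces the guide's sample; the stale and never-synchronized variants are constructed. The one-hour freshness threshold is an assumption for illustration, chosen because NTP clients normally poll at least every 1024 seconds.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Timestamp format used by CatOS "show ntp", e.g. "Tue Jun 23 1998, 20:29:25".
STAMP_FMT = "%a %b %d %Y, %H:%M:%S"

# Matches the two stamps of interest whether they sit on separate lines or,
# as in a flattened copy of the output, run together on one line.
STAMP_RE = re.compile(
    r"(?P<key>Current time|Last NTP update):\s*"
    r"(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{4}, \d{2}:\d{2}:\d{2})"
)


def parse_show_ntp(output: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (current_time, last_update); either is None when absent."""
    found = {
        m["key"]: datetime.strptime(m["stamp"], STAMP_FMT)
        for m in STAMP_RE.finditer(output)
    }
    return found.get("Current time"), found.get("Last NTP update")


def seconds_since_update(output: str) -> Optional[int]:
    """Age of the last NTP update measured against the switch's own clock, or
    None when the output carries no update stamp (never synchronized).
    Both stamps are in the switch's local time, so no zone handling is needed."""
    current, last = parse_show_ntp(output)
    if current is None or last is None:
        return None
    return int((current - last).total_seconds())


# Assumed threshold (not from the guide): an update older than an hour means
# several poll intervals have passed without a successful update.
MAX_AGE_SECONDS = 3600


def ntp_is_fresh(output: str, max_age: int = MAX_AGE_SECONDS) -> bool:
    age = seconds_since_update(output)
    return age is not None and 0 <= age <= max_age


# show ntp output reproduced from the guide's example.
GUIDE_OUTPUT = """\
Current time: Tue Jun 23 1998, 20:29:25
Timezone: '', offset from UTC is 0 hours
Summertime: '', disabled
Last NTP update: Tue Jun 23 1998, 20:29:07
"""

# Constructed variants for the example, not real switch output:
# one whose last update is a day old, one that never synchronized.
STALE_OUTPUT = GUIDE_OUTPUT.replace(
    "Last NTP update: Tue Jun 23 1998", "Last NTP update: Mon Jun 22 1998"
)
NEVER_SYNCED_OUTPUT = GUIDE_OUTPUT.splitlines()[0] + "\n"

if __name__ == "__main__":
    for name, out in [("guide", GUIDE_OUTPUT), ("stale", STALE_OUTPUT),
                      ("never", NEVER_SYNCED_OUTPUT)]:
        print(f"{name}: age={seconds_since_update(out)} fresh={ntp_is_fresh(out)}")
```

Run against the guide's output the last update is 18 seconds old, which is what a healthy client looks like; a check like this belongs next to the NTP configuration in whatever audits the switch, since a stale clock is otherwise silent.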
To enable the daylight saving time clock adjustment following the U.S. standards, perform this task in privileged mode:

Step 1  Enable the daylight saving time clock adjustment.
        set summertime enable [zone_name]
        set summertime recurring
Step 2  Verify the configuration.
Offset: 1440 minutes (1 day)
Recurring: no
Console> (enable)

Disabling the Daylight Saving Time Adjustment

To disable the daylight saving time clock adjustment, perform this task in privileged mode:

Step 1  Disable the daylight saving time clock adjustment.
Disabling NTP

To disable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Step 1  Disable NTP broadcast-client mode.
        set ntp broadcastclient disable
Step 2  Verify the NTP configuration.
        show ntp [noalias]

This example shows how to disable NTP broadcast-client mode on the switch:

Console>...
Appendix A Acronyms

AAL        ATM adaptation layer
ACE        access control entry
ADM        add-drop multiplexer
AFI        Authority and Format Identifier
AMP        active monitor present
APaRT      automated packet recognition/translation
ARP        Address Resolution Protocol
ASP        ATM switch processor
ATM        Asynchronous Transfer Mode
BPDU       bridge protocol data unit
BRF        Bridge Relay Function
BUS        broadcast and unknown server
CAM        content-addressable memory
...
CDDI       Copper Distributed Data Interface
CDP        Cisco Discovery Protocol
CGMP       Cisco Group Management Protocol
CLI        command-line interface
COPS       Common Open Policy Service
CoS        class of service
CRC        Cyclic Redundancy Check
CRF        Concentrator Relay Function
DCC        Data Country Code
DEC        Digital Equipment Corporation
DSP        domain-specific part
           format identifier...
ELAN       emulated local area network
ESI        end-system identifier
FCS        frame check sequence
FDDI       Fiber Distributed Data Interface
FDX        full duplex
FSSRP      Fast Simple Server Redundancy Protocol
FTP        foil twisted-pair
FTTH       fiber to the home
GARP       General Attribute Registration Protocol
GBIC       Gigabit Interface Converter
GMRP       GARP Multicast Registration Protocol
...
IP         Internet Protocol
IPC        interprocessor communication
IPX        Internetwork Packet Exchange
ISL        Inter-Switch Link
ISO        International Organization for Standardization
KDC        key distribution center
LAN        local-area network
LANE       LAN Emulation
LAT        local-area transport
LCP        Link Control Protocol
LEC        LAN Emulation Client
LECS       LAN Emulation Configuration Server
LEM        link error monitor
LER        link error rate
LES        LAN Emulation Server
LLC        logical link control
...
MLS        Multilayer Switching
MLSP       Multilayer Switching Protocol
MLS-RP     multilayer switching-route processor
           multi-mode
MOP        Maintenance Operation Protocol
MOTD       message-of-the-day
MPC        Multiprotocol over ATM client
MPOA       multiprotocol over ATM
MPS        multiprotocol over ATM server
MTU        maximum transmission unit
NAUN       nearest available upstream neighbor
NBMA       non-broadcast multi-access
           non-bused spare
NDE        NetFlow Data Export
...
OAM        Operation, Administration, and Maintenance
OOB        out-of-band
OSI        Open System Interconnection
OTP        One-Time-Password
PAgP       Port Aggregation Protocol
PAM        port adapter module
PCM        pulse code modulation
PCMCIA     Personal Computer Memory Card International Association
PCR        peak cell rate
PDU        protocol data unit
           physical sublayer
PIM        protocol independent multicast
PLCP       physical layer convergence procedure
PLIM       physical layer interface module
...
rcp        remote copy protocol
RGMP       Router Group Management Protocol
RIF        routing information field
RMON       remote monitoring
ROM        read-only memory
RP         route processor
RSM        Route Switch Module
SAID       Security Association Identifier
SAMBA      synergy advanced multipurpose bus arbiter
SAP        service access point
SAR        segmentation and reassembly
SCP        Serial Control Protocol
SCR        sustainable cell rate
SDP        Session Description Protocol
...
SSRP       Simple Server Redundancy Protocol
STP        1) Spanning Tree Protocol; 2) shielded twisted-pair
STPX       Spanning Tree Protocol Extensions (MIB)
SVC        switched virtual circuit
TACACS+    Terminal Access Controller Access Control System Plus
TCP/IP     Transmission Control Protocol/Internet Protocol
TFTP       Trivial File Transfer Protocol
TGT        ticket granting ticket
TIA        Telecommunications Industry Association
...
VBR        variable bit rate
VC         virtual circuit
VCC        virtual channel connection
VCD        Virtual Channel Descriptor
VCI        1) virtual channel identifier; 2) virtual connection identifier
           Virtual Configuration Register
VLAN       virtual LAN
VMPS       VLAN Membership Policy Server
VPI        virtual path identifier
VQP        VLAN Query Protocol
VTP        VLAN Trunking Protocol
WRED       weighted random early detect
WRR        Weighted Round Robin
...