Page Count: 648
Catalyst 2950 Desktop Switch Software
Configuration Guide
Cisco IOS Release 12.1(11)EA1 and 12.1(11)YJ
November 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7814982=
Text Part Number: 78-14982-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise,
iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco
Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step,
GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
Catalyst 2950 Desktop Switch Software Configuration Guide
Copyright © 2001-2002, Cisco Systems, Inc.
All rights reserved.
C O N T E N T S
Preface
xxv
Audience
Purpose
xxv
xxv
Organization
xxvi
Conventions
xxviii
Related Publications
xxix
Obtaining Documentation xxix
World Wide Web xxix
Documentation CD-ROM xxx
Ordering Documentation xxx
Documentation Feedback xxx
Obtaining Technical Assistance xxx
Cisco.com xxxi
Technical Assistance Center xxxi
Cisco TAC Website xxxi
Cisco TAC Escalation Center xxxii
CHAPTER
1
Overview
Features
1-1
1-1
Management Options 1-7
Management Interface Options 1-7
Advantages of Using CMS and Clustering Switches
1-7
Network Configuration Examples 1-8
Design Concepts for Using the Switch 1-8
Small to Medium-Sized Network Configuration 1-11
Collapsed Backbone and Switch Cluster Configuration 1-13
Large Campus Configuration 1-14
Hotel Network Configuration 1-16
Multidwelling Network Using Catalyst 2950 Switches 1-18
Long-Distance, High-Bandwidth Transport Configuration 1-20
Where to Go Next
1-21
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
iii
Contents
CHAPTER
2
Using the Command-Line Interface
IOS Command Modes
Getting Help
2-1
2-1
2-3
Specifying Ports in Interface Configuration Mode
Abbreviating Commands
2-4
2-5
Using no and default Forms of Commands
Understanding CLI Messages
2-5
2-5
Using Command History 2-6
Changing the Command History Buffer Size 2-6
Recalling Commands 2-6
Disabling the Command History Feature 2-7
Using Editing Features 2-7
Enabling and Disabling Editing Features 2-7
Editing Commands through Keystrokes 2-8
Editing Command Lines that Wrap 2-9
Searching and Filtering Output of show and more Commands
Accessing the CLI
2-10
Accessing the CLI from a Browser
CHAPTER
3
Getting Started with CMS
Features
2-10
2-11
3-1
3-2
Front Panel View 3-4
Cluster Tree 3-6
Front-Panel Images 3-7
Redundant Power System LED 3-8
Port Modes and LEDs 3-8
VLAN Membership Modes 3-9
Topology View 3-10
Topology Icons 3-12
Device and Link Labels 3-13
Colors in the Topology View 3-14
Topology Display Options 3-15
Menus and Toolbar 3-15
Menu Bar 3-15
Toolbar 3-20
Front Panel View Popup Menus
Device Popup Menu 3-21
Port Popup Menu 3-21
3-21
Catalyst 2950 Desktop Switch Software Configuration Guide
iv
78-14982-01
Contents
Topology View Popup Menus 3-22
Link Popup Menu 3-22
Device Popup Menus 3-23
Interaction Modes 3-25
Guide Mode 3-25
Expert Mode 3-25
Wizards
3-26
Tool Tips
Online Help
3-26
3-26
CMS Window Components 3-28
Host Name List 3-28
Tabs, Lists, and Tables 3-29
Filter Editor 3-29
Icons Used in Windows 3-29
Buttons 3-30
Accessing CMS 3-30
Access Modes in CMS 3-31
HTTP Access to CMS 3-32
Verifying Your Changes 3-32
Change Notification 3-32
Error Checking 3-32
Saving Your Configuration
Restoring Your Configuration
CMS Preferences
3-33
3-33
3-33
Using Different Versions of CMS
Where to Go Next
CHAPTER
4
3-34
3-34
Assigning the Switch IP Address and Default Gateway
Understanding the Boot Process
4-1
4-1
Assigning Switch Information 4-2
Default Switch Information 4-3
Understanding DHCP-Based Autoconfiguration
DHCP Client Request Process 4-4
Configuring the DHCP Server 4-5
Configuring the TFTP Server 4-5
Configuring the DNS 4-6
Configuring the Relay Device 4-6
Obtaining Configuration Files 4-7
4-3
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
v
Contents
Example Configuration 4-8
Manually Assigning IP Information
4-10
Checking and Saving the Running Configuration
CHAPTER
5
Configuring IE2100 CNS Agents
4-10
5-1
Understanding IE2100 Series Configuration Registrar Software 5-1
CNS Configuration Service 5-2
CNS Event Service 5-3
NameSpace Mapper 5-3
What You Should Know About ConfigID, DeviceID, and Host Name
ConfigID 5-3
DeviceID 5-4
Host Name and DeviceID 5-4
Using Host Name, DeviceID, and ConfigID 5-4
5-3
Understanding CNS Embedded Agents 5-5
Initial Configuration 5-5
Incremental (Partial) Configuration 5-6
Synchronized Configuration 5-6
Configuring CNS Embedded Agents 5-6
Enabling Automated CNS Configuration 5-6
Enabling the CNS Event Agent 5-8
Enabling the CNS Configuration Agent 5-9
Enabling an Initial Configuration 5-9
Enabling a Partial Configuration 5-12
Displaying CNS Configuration
CHAPTER
6
Clustering Switches
5-13
6-1
Understanding Switch Clusters 6-2
Command Switch Characteristics 6-3
Standby Command Switch Characteristics 6-3
Candidate Switch and Member Switch Characteristics
6-4
Planning a Switch Cluster 6-5
Automatic Discovery of Cluster Candidates and Members 6-5
Discovery through CDP Hops 6-6
Discovery through Non-CDP-Capable and Noncluster-Capable Devices
Discovery through the Same Management VLAN 6-8
Discovery through Different Management VLANs 6-9
Discovery of Newly Installed Switches 6-10
HSRP and Standby Command Switches 6-12
6-7
Catalyst 2950 Desktop Switch Software Configuration Guide
vi
78-14982-01
Contents
Virtual IP Addresses 6-13
Other Considerations for Cluster Standby Groups 6-13
Automatic Recovery of Cluster Configuration 6-15
IP Addresses 6-15
Host Names 6-16
Passwords 6-16
SNMP Community Strings 6-16
TACACS+ and RADIUS 6-17
Access Modes in CMS 6-17
Management VLAN 6-18
LRE Profiles
6-18
Availability of Switch-Specific Features in Switch Clusters 6-19
Creating a Switch Cluster 6-19
Enabling a Command Switch 6-19
Adding Member Switches 6-20
Creating a Cluster Standby Group 6-22
Verifying a Switch Cluster 6-24
Using the CLI to Manage Switch Clusters 6-25
Catalyst 1900 and Catalyst 2820 CLI Considerations
Using SNMP to Manage Switch Clusters
CHAPTER
7
Administering the Switch
6-25
6-26
7-1
Preventing Unauthorized Access to Your Switch
7-1
Protecting Access to Privileged EXEC Commands 7-2
Default Password and Privilege Level Configuration 7-2
Setting or Changing a Static Enable Password 7-3
Protecting Enable and Enable Secret Passwords with Encryption
Disabling Password Recovery 7-5
Setting a Telnet Password for a Terminal Line 7-6
Configuring Username and Password Pairs 7-7
Configuring Multiple Privilege Levels 7-8
Setting the Privilege Level for a Command 7-8
Changing the Default Privilege Level for Lines 7-9
Logging into and Exiting a Privilege Level 7-10
7-4
Controlling Switch Access with TACACS+ 7-10
Understanding TACACS+ 7-10
TACACS+ Operation 7-12
Configuring TACACS+ 7-12
Default TACACS+ Configuration 7-13
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
vii
Contents
Identifying the TACACS+ Server Host and Setting the Authentication Key 7-13
Configuring TACACS+ Login Authentication 7-14
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
Starting TACACS+ Accounting 7-17
Displaying the TACACS+ Configuration 7-17
7-16
Controlling Switch Access with RADIUS 7-18
Understanding RADIUS 7-18
RADIUS Operation 7-19
Configuring RADIUS 7-20
Default RADIUS Configuration 7-20
Identifying the RADIUS Server Host 7-20
Configuring RADIUS Login Authentication 7-23
Defining AAA Server Groups 7-25
Configuring RADIUS Authorization for User Privileged Access and Network Services 7-27
Starting RADIUS Accounting 7-28
Configuring Settings for All RADIUS Servers 7-29
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 7-29
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 7-30
Displaying the RADIUS Configuration 7-31
Configuring the Switch for Local Authentication and Authorization
Configuring the Switch for Secure Shell
Understanding SSH 7-33
Configuring SSH 7-33
7-32
7-33
Managing the System Time and Date 7-34
Understanding the System Clock 7-34
Understanding Network Time Protocol 7-34
Configuring NTP 7-36
Default NTP Configuration 7-37
Configuring NTP Authentication 7-37
Configuring NTP Associations 7-38
Configuring NTP Broadcast Service 7-39
Configuring NTP Access Restrictions 7-40
Configuring the Source IP Address for NTP Packets 7-42
Displaying the NTP Configuration 7-43
Configuring Time and Date Manually 7-43
Setting the System Clock 7-44
Displaying the Time and Date Configuration 7-44
Configuring the Time Zone 7-45
Configuring Summer Time (Daylight Saving Time) 7-46
Catalyst 2950 Desktop Switch Software Configuration Guide
viii
78-14982-01
Contents
Configuring a System Name and Prompt 7-48
Default System Name and Prompt Configuration
Configuring a System Name 7-48
Configuring a System Prompt 7-49
Understanding DNS 7-49
Default DNS Configuration 7-50
Setting Up DNS 7-50
Displaying the DNS Configuration 7-51
Creating a Banner 7-51
Default Banner Configuration 7-51
Configuring a Message-of-the-Day Login Banner
Configuring a Login Banner 7-53
7-48
7-52
Managing the MAC Address Table 7-54
Building the Address Table 7-54
MAC Addresses and VLANs 7-55
Default MAC Address Table Configuration 7-55
Changing the Address Aging Time 7-55
Removing Dynamic Address Entries 7-56
Configuring MAC Address Notification Traps 7-56
Adding and Removing Static Address Entries 7-58
Adding and Removing Secure Addresses 7-59
Displaying Address Table Entries 7-60
Managing the ARP Table
Switch Software Releases
CHAPTER
8
7-61
7-61
Configuring 802.1X Port-Based Authentication
8-1
Understanding 802.1X Port-Based Authentication 8-1
Device Roles 8-2
Authentication Initiation and Message Exchange 8-3
Ports in Authorized and Unauthorized States 8-4
Supported Topologies 8-5
Configuring 802.1X Authentication 8-5
Default 802.1X Configuration 8-6
802.1X Configuration Guidelines 8-7
Enabling 802.1X Authentication 8-8
Configuring the Switch-to-RADIUS-Server Communication 8-9
Enabling Periodic Re-Authentication 8-10
Manually Re-Authenticating a Client Connected to a Port 8-11
Changing the Quiet Period 8-11
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
ix
Contents
Changing the Switch-to-Client Retransmission Time 8-12
Setting the Switch-to-Client Frame-Retransmission Number 8-13
Enabling Multiple Hosts 8-13
Resetting the 802.1X Configuration to the Default Values 8-14
Displaying 802.1X Statistics and Status
CHAPTER
Configuring the Switch Interfaces
9
8-14
9-1
Understanding Interface Types 9-1
Access Ports 9-2
Trunk Ports 9-2
Port-Based VLANs 9-3
EtherChannel Port Groups 9-3
Connecting Interfaces 9-3
Using the Interface Command 9-4
Procedures for Configuring Interfaces 9-4
Configuring a Range of Interfaces 9-6
Configuring and Using Interface-Range Macros
9-8
Configuring Switch Interfaces 9-9
Default Ethernet Interface Configuration 9-10
SFP Configuration 9-10
Configuring Interface Speed and Duplex Mode 9-11
Configuration Guidelines 9-12
Setting the Interface Speed and Duplex Parameters 9-13
Configuring Media Types for Gigabit Interfaces 9-14
Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports
Adding a Description for an Interface 9-16
9-14
Monitoring and Maintaining the Interfaces 9-16
Monitoring Interface and Controller Status 9-16
Clearing and Resetting Interfaces and Counters 9-19
Shutting Down and Restarting the Interface 9-19
CHAPTER
10
Configuring LRE
10-1
Ports on the 2950 LRE
10-1
LRE Links and LRE Profiles 10-2
LRE Profiles 10-2
LRE Sequences 10-4
CPE Ethernet Links 10-5
Configuring LRE Ports 10-5
Environmental Guidelines for LRE Links
10-6
Catalyst 2950 Desktop Switch Software Configuration Guide
x
78-14982-01
Contents
Guidelines for Using LRE Profiles 10-7
CPE Ethernet Link Guidelines 10-7
Considerations for Connected Cisco 575 LRE CPEs 10-7
Considerations for Connected Cisco 585 LRE CPEs 10-8
Assigning a Global Profile to All LRE Ports 10-8
Assigning a Profile to a Specific LRE Port 10-9
Assigning a Global Sequence to All LRE Ports 10-9
Assigning a Sequence to a Specific LRE Port 10-10
Using Rate Selection to Automatically Assign Profiles 10-10
Precedence 10-11
Profile Locking 10-11
Link Qualification and SNR Margins 10-12
LRE Link Persistence 10-14
LRE Link Monitor 10-14
Upgrading LRE Switch Firmware 10-15
Configuring for an LRE Upgrade 10-15
Performing an LRE Upgrade 10-16
Global Configuration of LRE Upgrades 10-17
Controller Configuration of LRE Upgrades 10-17
LRE Upgrade Behavior Details 10-18
LRE Upgrade Example 10-18
CHAPTER
11
Configuring STP
11-1
Understanding Spanning-Tree Features 11-1
STP Overview 11-2
Supported Spanning-Tree Instances 11-2
Bridge Protocol Data Units 11-2
Election of the Root Switch 11-3
Bridge ID, Switch Priority, and Extended System ID
Spanning-Tree Timers 11-4
Creating the Spanning-Tree Topology 11-5
Spanning-Tree Interface States 11-5
Blocking State 11-7
Listening State 11-7
Learning State 11-7
Forwarding State 11-7
Disabled State 11-8
Spanning-Tree Address Management 11-8
STP and IEEE 802.1Q Trunks 11-8
11-4
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xi
Contents
Spanning Tree and Redundant Connectivity 11-8
Accelerated Aging to Retain Connectivity 11-9
Configuring Spanning-Tree Features 11-9
Default STP Configuration 11-10
STP Configuration Guidelines 11-10
Disabling STP 11-12
Configuring the Root Switch 11-12
Configuring a Secondary Root Switch 11-14
Configuring the Port Priority 11-15
Configuring the Path Cost 11-16
Configuring the Switch Priority of a VLAN 11-18
Configuring the Hello Time 11-19
Configuring the Forwarding-Delay Time for a VLAN 11-19
Configuring the Maximum-Aging Time for a VLAN 11-20
Configuring STP for Use in a Cascaded Stack 11-20
Displaying the Spanning-Tree Status
CHAPTER
12
Configuring RSTP and MSTP
11-21
12-1
Understanding RSTP 12-2
Port Roles and the Active Topology 12-2
Rapid Convergence 12-3
Synchronization of Port Roles 12-4
Bridge Protocol Data Unit Format and Processing 12-5
Processing Superior BPDU Information 12-6
Processing Inferior BPDU Information 12-6
Topology Changes 12-6
Understanding MSTP 12-7
Multiple Spanning-Tree Regions 12-7
IST, CIST, and CST 12-8
Operations Within an MST Region
Operations Between MST Regions
Hop Count 12-10
Boundary Ports 12-10
Interoperability with 802.1D STP
12-8
12-9
12-11
Configuring RSTP and MSTP Features 12-11
Default RSTP and MSTP Configuration 12-12
RSTP and MSTP Configuration Guidelines 12-12
Specifying the MST Region Configuration and Enabling MSTP
Configuring the Root Switch 12-14
12-13
Catalyst 2950 Desktop Switch Software Configuration Guide
xii
78-14982-01
Contents
Configuring a Secondary Root Switch 12-16
Configuring the Port Priority 12-17
Configuring the Path Cost 12-18
Configuring the Switch Priority 12-19
Configuring the Hello Time 12-19
Configuring the Forwarding-Delay Time 12-20
Configuring the Maximum-Aging Time 12-21
Configuring the Maximum-Hop Count 12-21
Specifying the Link Type to Ensure Rapid Transitions
Restarting the Protocol Migration Process 12-22
Displaying the MST Configuration and Status
CHAPTER
13
Configuring Optional Spanning-Tree Features
12-22
12-23
13-1
Understanding Optional Spanning-Tree Features 13-1
Understanding Port Fast 13-2
Understanding BPDU Guard 13-3
Understanding BPDU Filtering 13-3
Understanding UplinkFast 13-4
Understanding Cross-Stack UplinkFast 13-5
How CSUF Works 13-6
Events That Cause Fast Convergence 13-7
Limitations 13-8
Connecting the Stack Ports 13-8
Understanding BackboneFast 13-10
Understanding Root Guard 13-12
Understanding Loop Guard 13-13
Configuring Optional Spanning-Tree Features 13-13
Default Optional Spanning-Tree Configuration 13-14
Enabling Port Fast 13-14
Enabling BPDU Guard 13-15
Enabling BPDU Filtering 13-16
Enabling UplinkFast for Use with Redundant Links 13-17
Enabling Cross-Stack UplinkFast 13-18
Enabling BackboneFast 13-19
Enabling Root Guard 13-19
Enabling Loop Guard 13-20
Displaying the Spanning-Tree Status
13-21
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xiii
Contents
CHAPTER
14
Configuring VLANs
14-1
Understanding VLANs 14-1
Supported VLANs 14-2
VLAN Port Membership Modes
14-3
Configuring Normal-Range VLANs 14-4
Token Ring VLANs 14-5
Normal-Range VLAN Configuration Guidelines 14-5
VLAN Configuration Mode Options 14-6
VLAN Configuration in config-vlan Mode 14-6
VLAN Configuration in VLAN Configuration Mode
Saving VLAN Configuration 14-7
Default Ethernet VLAN Configuration 14-8
Creating or Modifying an Ethernet VLAN 14-8
Deleting a VLAN 14-10
Assigning Static-Access Ports to a VLAN 14-11
Configuring Extended-Range VLANs 14-12
Default VLAN Configuration 14-12
Extended-Range VLAN Configuration Guidelines
Creating an Extended-Range VLAN 14-13
Displaying VLANs
14-6
14-12
14-14
Configuring VLAN Trunks 14-15
Trunking Overview 14-15
802.1Q Configuration Considerations 14-16
Default Layer 2 Ethernet Interface VLAN Configuration 14-17
Configuring an Ethernet Interface as a Trunk Port 14-17
Interaction with Other Features 14-17
Configuring a Trunk Port 14-18
Defining the Allowed VLANs on a Trunk 14-19
Changing the Pruning-Eligible List 14-20
Configuring the Native VLAN for Untagged Traffic 14-20
Load Sharing Using STP 14-21
Load Sharing Using STP Port Priorities 14-21
Load Sharing Using STP Path Cost 14-23
Configuring VMPS 14-24
Understanding VMPS 14-25
Dynamic Port VLAN Membership 14-25
VMPS Database Configuration File 14-26
Default VMPS Configuration 14-27
VMPS Configuration Guidelines 14-28
Catalyst 2950 Desktop Switch Software Configuration Guide
xiv
78-14982-01
Contents
Configuring the VMPS Client 14-28
Entering the IP Address of the VMPS 14-28
Configuring Dynamic Access Ports on VMPS Clients 14-29
Reconfirming VLAN Memberships 14-30
Changing the Reconfirmation Interval 14-30
Changing the Retry Count 14-30
Monitoring the VMPS 14-31
Troubleshooting Dynamic Port VLAN Membership 14-31
VMPS Configuration Example 14-32
CHAPTER
15
Configuring VTP
15-1
Understanding VTP 15-1
The VTP Domain 15-2
VTP Modes 15-3
VTP Advertisements 15-3
VTP Version 2 15-4
VTP Pruning 15-4
Configuring VTP 15-6
Default VTP Configuration 15-6
VTP Configuration Options 15-7
VTP Configuration in Global Configuration Modes 15-7
VTP Configuration in VLAN Configuration Mode 15-7
VTP Configuration Guidelines 15-8
Domain Names 15-8
Passwords 15-8
Upgrading from Previous Software Releases 15-8
VTP Version 15-9
Configuration Requirements 15-9
Configuring a VTP Server 15-9
Configuring a VTP Client 15-11
Disabling VTP (VTP Transparent Mode) 15-12
Enabling VTP Version 2 15-13
Enabling VTP Pruning 15-14
Adding a VTP Client Switch to a VTP Domain 15-15
Monitoring VTP
CHAPTER
16
15-16
Configuring Voice VLAN
16-1
Understanding Voice VLAN
Configuring Voice VLAN
16-1
16-2
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xv
Contents
Default Voice VLAN Configuration 16-2
Voice VLAN Configuration Guidelines 16-3
Configuring a Port to Connect to a Cisco 7960 IP Phone 16-3
Configuring Ports to Carry Voice Traffic in 802.1Q Frames 16-4
Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames 16-4
Overriding the CoS Priority of Incoming Data Frames 16-5
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames 16-6
Displaying Voice VLAN
CHAPTER
17
16-6
Configuring IGMP Snooping and MVR
17-1
Understanding IGMP Snooping 17-1
Joining a Multicast Group 17-2
Leaving a Multicast Group 17-4
Immediate-Leave Processing 17-4
Configuring IGMP Snooping 17-5
Default IGMP Snooping Configuration 17-5
Enabling or Disabling IGMP Snooping 17-5
Setting the Snooping Method 17-6
Configuring a Multicast Router Port 17-7
Configuring a Host Statically to Join a Group 17-8
Enabling IGMP Immediate-Leave Processing 17-9
Disabling IP Multicast-Source-Only Learning 17-9
Displaying IGMP Snooping Information
17-11
Understanding Multicast VLAN Registration 17-13
Using MVR in a Multicast Television Application
Configuring MVR 17-15
Default MVR Configuration 17-15
MVR Configuration Guidelines and Limitations
Configuring MVR Global Parameters 17-16
Configuring MVR Interfaces 17-17
Displaying MVR Information
17-13
17-16
17-19
Configuring IGMP Filtering 17-20
Default IGMP Filtering Configuration 17-21
Configuring IGMP Profiles 17-21
Applying IGMP Profiles 17-22
Setting the Maximum Number of IGMP Groups
Displaying IGMP Filtering Configuration
17-23
17-24
Catalyst 2950 Desktop Switch Software Configuration Guide
xvi
78-14982-01
Contents
CHAPTER
18
Configuring Port-Based Traffic Control
Configuring Storm Control 18-1
Understanding Storm Control 18-1
Default Storm Control Configuration
Enabling Storm Control 18-2
Disabling Storm Control 18-3
Configuring Protected Ports
18-1
18-2
18-3
Configuring Port Security 18-4
Understanding Port Security 18-5
Secure MAC Addresses 18-5
Security Violations 18-6
Default Port Security Configuration 18-7
Port Security Configuration Guidelines 18-7
Enabling and Configuring Port Security 18-7
Enabling and Configuring Port Security Aging 18-10
Displaying Port-Based Traffic Control Settings
CHAPTER
19
Configuring UDLD
18-12
19-1
Understanding UDLD
19-1
Configuring UDLD 19-3
Default UDLD Configuration 19-3
Enabling UDLD Globally 19-4
Enabling UDLD on an Interface 19-4
Resetting an Interface Shut Down by UDLD
Displaying UDLD Status
CHAPTER
20
Configuring CDP
19-6
20-1
Understanding CDP
20-1
Configuring CDP 20-2
Default CDP Configuration 20-2
Configuring the CDP Characteristics 20-2
Disabling and Enabling CDP 20-3
Disabling and Enabling CDP on an Interface
Monitoring and Maintaining CDP
CHAPTER
21
19-5
Configuring SPAN and RSPAN
20-4
20-5
21-1
Understanding SPAN and RSPAN 21-1
SPAN and RSPAN Concepts and Terminology
21-3
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xvii
Contents
SPAN Session 21-3
Traffic Types 21-3
Source Port 21-4
Destination Port 21-5
Reflector Port 21-5
VLAN-Based SPAN 21-6
SPAN Traffic 21-6
SPAN and RSPAN Interaction with Other Features
SPAN and RSPAN Session Limits 21-8
Default SPAN and RSPAN Configuration 21-8
21-7
Configuring SPAN 21-8
SPAN Configuration Guidelines 21-8
Creating a SPAN Session and Specifying Ports to Monitor
Removing Ports from a SPAN Session 21-11
Specifying VLANs to Monitor 21-12
Specifying VLANs to Filter 21-13
21-9
Configuring RSPAN 21-14
RSPAN Configuration Guidelines 21-14
Creating an RSPAN Session 21-15
Creating an RSPAN Destination Session 21-16
Removing Ports from an RSPAN Session 21-17
Specifying VLANs to Monitor 21-18
Specifying VLANs to Filter 21-19
Displaying SPAN and RSPAN Status
CHAPTER
22
Configuring RMON
21-20
22-1
Understanding RMON
22-1
Configuring RMON 22-2
Default RMON Configuration 22-3
Configuring RMON Alarms and Events 22-3
Configuring RMON Collection on an Interface
Displaying RMON Status
CHAPTER
23
22-5
22-6
Configuring System Message Logging
23-1
Understanding System Message Logging
23-1
Configuring System Message Logging 23-2
System Log Message Format 23-2
Default System Message Logging Configuration
Disabling and Enabling Message Logging 23-4
23-3
Catalyst 2950 Desktop Switch Software Configuration Guide
xviii
78-14982-01
Contents
Setting the Message Display Destination Device 23-4
Synchronizing Log Messages 23-6
Enabling and Disabling Timestamps on Log Messages 23-7
Enabling and Disabling Sequence Numbers in Log Messages 23-8
Defining the Message Severity Level 23-8
Limiting Syslog Messages Sent to the History Table and to SNMP 23-10
Configuring UNIX Syslog Servers 23-10
Logging Messages to a UNIX Syslog Daemon 23-11
Configuring the UNIX System Logging Facility 23-11
Displaying the Logging Configuration
CHAPTER
24
Configuring SNMP
23-12
24-1
Understanding SNMP 24-1
SNMP Versions 24-2
SNMP Manager Functions 24-3
SNMP Agent Functions 24-3
SNMP Community Strings 24-4
Using SNMP to Access MIB Variables
SNMP Notifications 24-5
24-4
Configuring SNMP 24-5
Default SNMP Configuration 24-6
SNMP Configuration Guidelines 24-6
Disabling the SNMP Agent 24-7
Configuring Community Strings 24-7
Configuring SNMP Groups and Users 24-8
Configuring SNMP Notifications 24-10
Setting the Agent Contact and Location Information
Limiting TFTP Servers Used Through SNMP 24-13
SNMP Examples 24-14
Displaying SNMP Status
CHAPTER
25
24-13
24-15
Configuring Network Security with ACLs
25-1
Understanding ACLs 25-2
Handling Fragmented and Unfragmented Traffic 25-3
Understanding Access Control Parameters 25-4
Guidelines for Applying ACLs to Physical Interfaces 25-6
Configuring ACLs 25-6
Unsupported Features 25-7
Creating Standard and Extended IP ACLs
25-7
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xix
Contents
ACL Numbers 25-8
Creating a Numbered Standard ACL 25-9
Creating a Numbered Extended ACL 25-10
Creating Named Standard and Extended ACLs 25-13
Applying Time Ranges to ACLs 25-15
Including Comments About Entries in ACLs 25-17
Creating Named MAC Extended ACLs 25-18
Creating MAC Access Groups 25-19
Applying ACLs to Terminal Lines or Physical Interfaces
Applying ACLs to a Terminal Line 25-20
Applying ACLs to a Physical Interface 25-21
25-20
Displaying ACL Information 25-21
Displaying ACLs 25-22
Displaying Access Groups 25-23
Examples for Compiling ACLs 25-23
Numbered ACL Examples 25-25
Extended ACL Examples 25-25
Named ACL Example 25-25
Commented IP ACL Entry Examples
CHAPTER
26
Configuring QoS
25-25
26-1
Understanding QoS 26-2
Basic QoS Model 26-3
Classification 26-4
Classification Based on QoS ACLs 26-5
Classification Based on Class Maps and Policy Maps
Policing and Marking 26-6
Mapping Tables 26-7
Queueing and Scheduling 26-7
How Class of Service Works 26-7
Port Priority 26-8
Port Scheduling 26-8
CoS and WRR 26-8
26-6
Configuring QoS 26-9
Default QoS Configuration 26-9
Configuration Guidelines 26-10
Configuring Classification Using Port Trust States 26-10
Configuring the Trust State on Ports within the QoS Domain
Configuring the CoS Value for an Interface 26-13
26-11
Catalyst 2950 Desktop Switch Software Configuration Guide
xx
78-14982-01
Contents
Configuring Trusted Boundary 26-13
Enabling Pass-Through Mode 26-15
Configuring a QoS Policy 26-16
Classifying Traffic by Using ACLs 26-16
Classifying Traffic by Using Class Maps 26-20
Classifying, Policing, and Marking Traffic by Using Policy Maps
Configuring CoS Maps 26-24
Configuring the CoS-to-DSCP Map 26-25
Configuring the DSCP-to-CoS Map 26-26
Configuring CoS and WRR 26-27
Configuring CoS Priority Queues 26-27
Configuring WRR 26-27
Displaying QoS Information
26-21
26-28
QoS Configuration Examples 26-29
QoS Configuration for the Existing Wiring Closet 26-30
QoS Configuration for the Intelligent Wiring Closet 26-30
CHAPTER
27
Configuring EtherChannels
27-1
Understanding EtherChannels 27-1
Understanding Port-Channel Interfaces 27-2
Understanding the Port Aggregation Protocol 27-3
PAgP Modes 27-4
Physical Learners and Aggregate-Port Learners 27-5
PAgP Interaction with Other Features 27-5
Understanding Load Balancing and Forwarding Methods 27-5
Configuring EtherChannels 27-7
Default EtherChannel Configuration 27-7
EtherChannel Configuration Guidelines 27-8
Configuring Layer 2 EtherChannels 27-8
Configuring EtherChannel Load Balancing 27-10
Configuring the PAgP Learn Method and Priority 27-11
Displaying EtherChannel and PAgP Status
CHAPTER
28
Troubleshooting
28-1
LRE Statistics
28-1
27-11
Using Recovery Procedures 28-6
Recovering from Corrupted Software 28-6
Recovering from a Lost or Forgotten Password 28-6
Recovering from a Command Switch Failure 28-8
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
xxi
Contents
Replacing a Failed Command Switch with a Cluster Member 28-9
Replacing a Failed Command Switch with Another Switch 28-10
Recovering from Lost Member Connectivity 28-11
Preventing Autonegotiation Mismatches
Troubleshooting LRE Port Configuration
28-12
28-12
GBIC and SFP Module Security and Identification
28-13
Using Debug Commands 28-14
Enabling Debugging on a Specific Feature 28-14
Enabling All-System Diagnostics 28-15
Redirecting Debug and Error Message Output 28-15
Using the crashinfo File
APPENDIX
A
Supported MIBs
MIB List
28-15
A-1
A-1
Using FTP to Access the MIB Files
APPENDIX
B
A-2
Working with the IOS File System, Configuration Files, and Software Images
Working with the Flash File System B-1
Displaying Available File Systems B-2
Setting the Default File System B-3
Displaying Information about Files on a File System B-3
Changing Directories and Displaying the Working Directory
Creating and Removing Directories B-4
Copying Files B-5
Deleting Files B-5
Creating, Displaying, and Extracting tar Files B-6
Creating a tar File B-6
Displaying the Contents of a tar File B-7
Extracting a tar File B-7
Displaying the Contents of a File B-8
B-1
B-4
Working with Configuration Files B-8
Guidelines for Creating and Using Configuration Files B-9
Configuration File Types and Location B-10
Creating a Configuration File By Using a Text Editor B-10
Copying Configuration Files By Using TFTP B-11
Preparing to Download or Upload a Configuration File By Using TFTP B-11
Downloading the Configuration File By Using TFTP B-12
Uploading the Configuration File By Using TFTP B-12
Copying Configuration Files By Using FTP B-13
Preparing to Download or Upload a Configuration File By Using FTP B-13
Downloading a Configuration File By Using FTP B-14
Uploading a Configuration File By Using FTP B-15
Copying Configuration Files By Using RCP B-16
Preparing to Download or Upload a Configuration File By Using RCP B-17
Downloading a Configuration File By Using RCP B-17
Uploading a Configuration File By Using RCP B-18
Clearing Configuration Information B-19
Clearing the Startup Configuration File B-19
Deleting a Stored Configuration File B-20
Working with Software Images B-20
Image Location on the Switch B-20
tar File Format of Images on a Server or Cisco.com B-21
Copying Image Files By Using TFTP B-22
Preparing to Download or Upload an Image File By Using TFTP B-22
Downloading an Image File By Using TFTP B-23
Uploading an Image File By Using TFTP B-24
Copying Image Files By Using FTP B-25
Preparing to Download or Upload an Image File By Using FTP B-25
Downloading an Image File By Using FTP B-26
Uploading an Image File By Using FTP B-28
Copying Image Files By Using RCP B-29
Preparing to Download or Upload an Image File By Using RCP B-29
Downloading an Image File By Using RCP B-30
Uploading an Image File By Using RCP B-32
INDEX
Preface
Audience
The Catalyst 2950 Desktop Switch Software Configuration Guide is for the network manager
responsible for configuring the Catalyst 2950 switches, hereafter referred to as the switches. Before
using this guide, you should be familiar with the concepts and terminology of Ethernet and local area
networking.
Purpose
This guide provides information about configuring and troubleshooting a Catalyst 2950 or Catalyst 2950
Long-Reach Ethernet (LRE) switch or switch clusters. It includes descriptions of the management
interface options and the features supported by the switch software. The non-LRE switch is supported by
either the standard software image (SI) or the enhanced software image (EI). The EI provides a richer set of
features, including access control lists (ACLs), enhanced quality of service (QoS) features, the Secure Shell
Protocol, extended-range VLANs, and Remote Switch Port Analyzer (RSPAN). For a list of switches that
support the SI and the EI, see Table 1-1 on page 1-1. The 2950 LRE switch is supported by a variation of the
enhanced software image [12.1(11)LRE].
Use this guide with other documents for information about these topics:
• Requirements—This guide assumes that you have met the hardware and software requirements and cluster compatibility requirements described in the release notes.
• Start-up information—This guide assumes that you have assigned switch IP information and passwords by using the setup program described in the release notes.
• Cluster Management Suite (CMS) information—This guide provides an overview of the CMS web-based, switch management interface. For information about CMS requirements and the procedures for browser and plug-in configuration and accessing CMS, refer to the release notes. For CMS field-level window descriptions and procedures, refer to the CMS online help.
• Cluster configuration—This guide provides information about planning for, creating, and maintaining switch clusters. Because configuring switch clusters is most easily performed through CMS, this guide does not provide the command-line interface (CLI) procedures. For the cluster commands, refer to the command reference for this release.
• CLI command information—This guide provides an overview for using the CLI. For complete syntax and usage information about the commands that have been specifically created or changed for the switches, refer to the command reference for this release.
This guide does not describe system messages you might encounter or how to install your switch. For
more information, refer to the Catalyst 2950 Desktop Switch System Message Guide for this release and
to the Catalyst 2950 Desktop Switch Hardware Installation Guide.
Note
This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS
Release 12.1 documentation. For information about the standard IOS Release 12.1 commands, refer to
the IOS documentation set available from the Cisco.com home page at Service and Support >
Technical Documents. On the Cisco Product Documentation home page, select Release 12.1 from the Cisco
IOS Software drop-down list.
Note
This guide describes the features for Catalyst 2950 switches. Cisco IOS Release 12.1(11)EA1 is not for
use with the Long-Reach Ethernet (LRE) switches. Do not install release 12.1(11)EA1 on Catalyst 2950
LRE switches, and do not install release 12.1(11)YJ on non-LRE switches.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” lists the software features of this release and provides examples of how the
switch can be deployed in a network.
Chapter 2, “Using the Command-Line Interface,” describes how to access the command modes, use the
CLI, and describes CLI messages that you might receive. It also describes how to get help, abbreviate
commands, use no and default forms of commands, use command history and editing features, and how
to search and filter the output of show and more commands.
Chapter 3, “Getting Started with CMS,” describes the CMS web-based, switch management interface.
For information about configuring your web browser and accessing CMS, refer to the release notes. For
field-level descriptions of all CMS windows and procedures for using the CMS windows, refer to the
online help.
Chapter 4, “Assigning the Switch IP Address and Default Gateway,” describes how to create the initial
switch configuration (for example, assign the switch IP address and default gateway information) by
using a variety of automatic and manual methods.
Chapter 5, “Configuring IE2100 CNS Agents,” describes how to configure Cisco Intelligence Engine 2100
(IE2100) Series Cisco Networking Services (CNS) embedded agents on your switch. By using the
IE2100 Series Configuration Registrar network management application, you can automate initial
configurations and configuration updates by generating switch-specific configuration changes, sending them
to the switch, executing the configuration change, and logging the results.
Chapter 6, “Clustering Switches,” describes switch clusters and the considerations for creating and
maintaining them. The online help provides the CMS procedures for configuring switch clusters.
Configuring switch clusters is most easily performed through CMS; therefore, CLI procedures are not
provided. Cluster commands are described in the Catalyst 2950 Desktop Switch Command Reference.
Chapter 7, “Administering the Switch,” describes how to perform one-time operations to administer
your switch. It describes how to prevent unauthorized access to your switch through the use of
passwords, privilege levels, the Terminal Access Controller Access Control System Plus (TACACS+),
and the Remote Authentication Dial-In User Service (RADIUS) and the Secure Shell (SSH) Protocol. It
also describes how to set the system date and time, set system name and prompt, create a login banner,
and how to manage the MAC address and Address Resolution Protocol (ARP) tables.
Chapter 8, “Configuring 802.1X Port-Based Authentication,” describes how to configure 802.1X
port-based authentication to prevent unauthorized devices (clients) from gaining access to the network.
As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
Chapter 9, “Configuring the Switch Interfaces,” defines the types of interfaces on the switch. It describes
the interface global configuration command and provides procedures for configuring physical
interfaces.
Chapter 10, “Configuring LRE,” describes how to configure LRE-specific features on your switch.
Chapter 11, “Configuring STP,” describes how to configure the Spanning Tree Protocol (STP) on your
switch.
Chapter 12, “Configuring RSTP and MSTP,” describes how to configure the Cisco implementation of
the IEEE 802.1W Rapid STP (RSTP) and the IEEE 802.1S Multiple STP (MSTP) on your switch. RSTP
provides rapid convergence, and MSTP enables VLANs to be grouped into a spanning-tree instance.
Chapter 13, “Configuring Optional Spanning-Tree Features,” describes how to configure optional
spanning-tree features that can be used when your switch is running the per-VLAN spanning-tree
(PVST) or the MSTP.
Chapter 14, “Configuring VLANs,” describes how to create and maintain VLANs. It includes
information about the VLAN database, VLAN configuration modes, extended-range VLANs, VLAN
trunks, and the VLAN Membership Policy Server (VMPS).
Chapter 15, “Configuring VTP,” describes how to use the VLAN Trunking Protocol (VTP) VLAN
database for managing VLANs. It includes VTP characteristics and configuration.
Chapter 16, “Configuring Voice VLAN,” describes how to configure voice VLANs on the switch for a
connection to an IP phone.
Chapter 17, “Configuring IGMP Snooping and MVR,” describes how to configure Internet Group
Management Protocol (IGMP) snooping. It also describes Multicast VLAN Registration (MVR), a local
IGMP snooping feature available on the switch, and how to use IGMP filtering to control multicast
group membership.
Chapter 18, “Configuring Port-Based Traffic Control,” describes how to reduce traffic storms by setting
broadcast, multicast, and unicast storm-control threshold levels; how to protect ports from receiving
traffic from other ports on a switch; how to configure port security by using secure MAC addresses; and
how to set the aging time for all secure addresses.
Chapter 20, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your
switch.
Chapter 21, “Configuring SPAN and RSPAN,” describes how to configure Switched Port Analyzer
(SPAN) and Remote SPAN (RSPAN), which select network traffic for analysis by a network analyzer
such as a SwitchProbe device or other Remote Monitoring (RMON) probe.
Chapter 22, “Configuring RMON,” describes how to configure remote monitoring (RMON). The
RMON feature, which is used with the Simple Network Management Protocol (SNMP) agent in the
switch, means that you can monitor all the traffic flowing among switches on all connected LAN
segments.
Chapter 23, “Configuring System Message Logging,” describes how to configure system message
logging. It describes the message format and how to change the message display destination device, limit
the type of messages sent, configure the UNIX server syslog daemon, and define the UNIX system
logging facility and timestamp messages.
Chapter 24, “Configuring SNMP,” describes how to configure the Simple Network Management
Protocol (SNMP). It describes how to configure community strings, enable trap managers and traps, set
the agent contact and location information, and how to limit TFTP servers used through SNMP.
Chapter 25, “Configuring Network Security with ACLs,” describes how to configure network security
by using access control lists (ACLs).
Chapter 26, “Configuring QoS,” describes how to configure quality of service (QoS) on your switch.
With this feature, you can provide preferential treatment to certain types of traffic.
Chapter 27, “Configuring EtherChannels,” describes how to bundle a set of individual ports into a single
logical link on the interfaces.
Chapter 28, “Troubleshooting,” describes how to identify and resolve software problems related to the
IOS software.
Appendix A, “Supported MIBs,” lists the supported MIBs for this release and how to use FTP to access
the MIB files.
Conventions
This guide uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) indicate optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) indicate a required choice within an optional element.
Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and tips use these conventions and symbols:
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Related Publications
These documents provide complete information about the switch and are available from this
Cisco.com site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and
from the telephone numbers listed in the “Obtaining Documentation” section on page xxix.
• Release Notes for the Catalyst 2950 Switch (not orderable but is available on Cisco.com)
• Release Notes for the Catalyst 2900 Series and Catalyst 3500 Series XL Switches (not orderable but is available on Cisco.com)
Note Switch requirements and procedures for initial configurations and software upgrades tend to change and therefore appear only in the release notes. Before installing, configuring, or upgrading the switch, refer to the release notes on Cisco.com for the latest information.
• Catalyst 2950 Desktop Switch Command Reference (order number DOC-7811381=)
• Catalyst 2950 Desktop Switch System Message Guide (order number DOC-7814233=)
• Catalyst 2950 Desktop Switch Hardware Installation Guide (order number DOC-7811157=)
• Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)
• CWDM Passive Optical System Installation Note (not orderable but is available on Cisco.com)
• 1000BASE-T GBIC Installation Notes (not orderable but is available on Cisco.com)
• Cisco LRE CPE Hardware Installation Guide (order number DOC-7811469=)
• Installation Notes for the Cisco LRE 48 POTS Splitter (not orderable but is available on Cisco.com)
• Release Notes for the Catalyst 2950 Desktop Switch, 12.1(11)YJ (not orderable but is available on Cisco.com)
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may
be more current than printed documentation. The CD-ROM package is available as a single unit or
through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can send us your comments
by completing the online survey. When you display the document listing for this platform, click Give
Us Your Feedback. After you display the survey, select the manual that you wish to comment on. Click
Submit to send your comments to the Cisco documentation group.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can
obtain online documentation, troubleshooting tips, and sample configurations from online tools by using
the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete
access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information, networking solutions, services, programs, and resources at any time, from
anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a
broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access
Cisco.com, go to this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance
with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC
Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of
service contracts, when applicable.
Cisco TAC Website
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time.
The site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC Web Site, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a
Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or
password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco
TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC
Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). When you call the center, please have available your service agreement
number and your product serial number.
CHAPTER 1
Overview
This chapter provides these topics about the Catalyst 2950 switch software:
• Features, page 1-1
• Management Options, page 1-7
• Network Configuration Examples, page 1-8
• Where to Go Next, page 1-21
Features
The Catalyst 2950 software supports the switches listed in Table 1-1 and in the release notes.
Table 1-1 Switches Supported

Switch                    Software Image
Catalyst 2950-12          SI (1)
Catalyst 2950-24          SI
Catalyst 2950C-24         EI (2)
Catalyst 2950G-12-EI      EI
Catalyst 2950G-24-EI      EI
Catalyst 2950G-24-EI-DC   EI
Catalyst 2950G-48-EI      EI
Catalyst 2950SX-24        SI
Catalyst 2950T-24         EI
Catalyst 2950ST-24-LRE    YJ (3)
Catalyst 2950ST-8-LRE     YJ

1. SI = standard software image
2. EI = enhanced software image
3. YJ = enhanced software image for LRE switches
Note
The SI and EI images are for non-LRE switches only; use the YJ release for LRE switches.
This section describes the features supported in this release:
Note
Some features require that you have the EI installed on your switch. For a list of the switches that support
the EI, see Table 1-1, or refer to the release notes for this release.
LRE Switch-Specific Support
The Long-Reach Ethernet (LRE) switches support all of these listed EI features in addition to some
specific features for LRE.
• Data, voice, and video transmission through categorized and noncategorized unshielded twisted-pair cable (Category 1, 2, and 3 structured and unstructured cable, such as existing telephone lines) in multi-unit, multidwelling, and multitenant buildings
• Up to 15 Mbps of bandwidth to remote Ethernet devices at distances of up to 4921 feet (1500 m) on each switch LRE port
• Compliance with American National Standards Institute (ANSI) and European Telecommunication Standards Institute (ETSI) standards for spectral-mode compatibility with asymmetric digital subscriber line (ADSL), Integrated Services Digital Network (ISDN), and digital telephone networks
• Configuration and monitoring of connections between:
– Switch LRE ports and the Ethernet ports on remote LRE customer premises equipment (CPE) devices, such as the Cisco 575 LRE CPE and Cisco 585 LRE CPE
– CPE Ethernet ports and remote Ethernet devices, such as a PC
• Support for connecting to the public switched telephone network (PSTN) through plain old telephone service (POTS) splitters such as the Cisco LRE 48 POTS Splitter
• Support for rate selection, a utility that allows for automatic selection of transmission rates through profiles and profile sequences
• A set of additional rate profiles
• Support for Reed-Solomon error correction
• Additional MIB support
• Support for the secure shell (SSH) and SNMPv3 crypto, with a protected port on 585 CPE devices
• Support for small form-factor pluggable (SFP) devices instead of gigabit interface converters (GBIC); GigaStack is not supported on the 2950 LRE
Note Most Catalyst 2950 features also work on the Catalyst 2950 LRE switch, with the difference that LRE switches use Long-Reach Ethernet rather than Fast Ethernet and Gigabit for the Gigabit ports.
For information about the Cisco LRE CPE devices, refer to the Cisco LRE CPE Hardware Installation Guide. For information about the nonhomologated Cisco LRE POTS splitter, refer to the Installation Notes for the Cisco LRE 48 POTS Splitter.
Ease of Use and Ease of Deployment
• Cluster Management Suite (CMS) software for simplifying switch and switch cluster management through a web browser, such as Netscape Communicator or Microsoft Internet Explorer, from anywhere in your intranet
• Switch clustering technology used with CMS for
– Unified configuration, monitoring, authentication, and software upgrade of multiple switches (refer to the release notes for a list of eligible cluster members).
– Automatic discovery of candidate switches and creation of clusters of up to 16 switches that can be managed through a single IP address.
– Extended discovery of cluster candidates that are not directly connected to the command switch.
• Hot Standby Router Protocol (HSRP) for command-switch redundancy. The redundant command switches used for HSRP must have compatible software releases.
Note See the “Advantages of Using CMS and Clustering Switches” section on page 1-7. Refer to the release notes for the CMS, cluster hardware, software, and browser requirements.
Performance
• Autosensing of speed on the 10/100 and 10/100/1000 ports and autonegotiation of duplex mode on the 10/100 ports for optimizing bandwidth
• IEEE 802.3X flow control on Gigabit Ethernet ports operating in full-duplex mode
• Fast EtherChannel and Gigabit EtherChannel for enhanced fault tolerance and for providing up to 2 Gbps of bandwidth between switches, routers, and servers
• Support for frames larger than 1500 bytes. The Catalyst 2950G-12-EI, 2950G-24-EI, 2950G-24-EI-DC, and 2950G-48-EI switches running Cisco IOS Release 12.1(6)EA2 or later support frame sizes from 1500 to 1530 bytes
• Per-port broadcast storm control for preventing faulty end stations from degrading overall system performance with broadcast storms
• Port Aggregation Protocol (PAgP) for automatic creation of EtherChannel links
• Internet Group Management Protocol (IGMP) snooping support to limit flooding of IP multicast traffic
• Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons
• IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong
• Protected port (private VLAN edge port) option for restricting the forwarding of traffic to designated ports on the same switch
• Dynamic address learning for enhanced security
Manageability
• Cisco Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents for automating switch management, configuration storage and delivery (available only with the EI)
• Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration for automatically configuring the switch during startup with IP address information and a configuration file that it receives during DHCP-based autoconfiguration
Note DHCP replaces the Bootstrap Protocol (BOOTP) feature autoconfiguration to ensure retrieval of configuration files by unicast TFTP messages. BOOTP is available in earlier software releases for this switch.
• Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address
• Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
• Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source
• Directed unicast requests to a Trivial File Transfer Protocol (TFTP) server for obtaining software upgrades from a TFTP server
• Default configuration storage in Flash memory to ensure that the switch can be connected to a network and can forward traffic with minimal user intervention
• In-band management access through a CMS web-based session
• In-band management access through up to 16 simultaneous Telnet connections for multiple command-line interface (CLI)-based sessions over the network
• In-band management access through Simple Network Management Protocol (SNMP) versions 1, 2c, and 3 get and set requests
• Out-of-band management access through the switch console port to a directly-attached terminal or to a remote terminal through a serial connection and a modem
Note For additional descriptions of the management interfaces, see the “Management Options” section on page 1-7.
Redundancy
• HSRP for command-switch redundancy
• UniDirectional link detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks. STP has these features:
– Per-VLAN Spanning Tree (PVST) for balancing load across VLANs
– UplinkFast, cross-stack UplinkFast, and BackboneFast for fast convergence after a spanning-tree topology change and for achieving load balancing between redundant uplinks, including Gigabit uplinks and cross-stack Gigabit uplinks
• IEEE 802.1S Multiple STP (MSTP) for grouping VLANs into a spanning-tree instance, and providing for multiple forwarding paths for data traffic and load balancing (available only with the EI)
• IEEE 802.1W Rapid STP (RSTP) for rapid convergence of the spanning tree by immediately transitioning root and designated ports to the forwarding state (available only with the EI)
• Optional spanning-tree features available:
– Port Fast for eliminating the forwarding delay by enabling a port to immediately transition from the blocking state to the forwarding state
– BPDU guard for shutting down Port Fast-enabled ports that receive BPDUs
– BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs
– Root guard for preventing switches outside the network core from becoming the spanning-tree root
– Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link
Note The switch supports up to 64 spanning-tree instances.
VLAN Support
• The switches support 250 port-based VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth
Note The Catalyst 2950-12, Catalyst 2950-24, and Catalyst 2950SX-24 switches support only 64 port-based VLANs.
• The switch supports up to 4094 VLAN IDs to allow service provider networks to support the number of VLANs allowed by the IEEE 802.1Q standard (available only with the EI)
• IEEE 802.1Q trunking protocol on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources
• VLAN Membership Policy Server (VMPS) for dynamic VLAN membership
• VLAN Trunking Protocol (VTP) pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic
• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q) to be used
• Voice VLAN for creating subnets for voice traffic from Cisco IP Phones
Security
• Bridge protocol data unit (BPDU) guard for shutting down a Port Fast-configured port when an invalid configuration occurs
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Password-protected access (read-only and read-write access) to management interfaces (CMS and CLI) for protection against unauthorized configuration changes
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• Port security aging to set the aging time for secure addresses on a port
• Multilevel security for a choice of security level, notification, and resulting actions
• MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and preventing switch access from unauthorized stations (available only with the EI)
• Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server
• IEEE 802.1X port-based authentication to prevent unauthorized devices from gaining access to the network
• Standard and extended IP access control lists (ACLs) for defining security policies (available only with the EI)
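Several of the security features in this list (password-protected management access, port security with aging, protected ports, and 802.1X) come together on an ordinary user-facing port. The following Cisco IOS configuration is an added example written for this page, not configuration from the guide or from Cisco; the interface numbers, the RADIUS server address and key, the user name, the MAC address, and the timers are assumptions, and the angle-bracketed values are placeholders to be replaced.

```cisco
! Added example (not from the guide): hardening management access and a
! user-facing port with the security features listed above. Interface
! numbers, the RADIUS server, the MAC address and the timers are assumed;
! values in angle brackets are placeholders.

! --- Password-protected CLI and CMS access (read-write) ---
service password-encryption
enable secret <strong-secret>
username admin privilege 15 password <strong-password>
line console 0
 login local
line vty 0 15
 login local

! --- Port security with aging on a user port ---
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! At most two source MAC addresses may use this port (for example a PC
 ! behind an IP phone); further stations are treated as a violation.
 switchport port-security maximum 2
 ! "restrict" drops frames from unknown stations and counts the violation;
 ! "shutdown" (the default) error-disables the whole port instead.
 switchport port-security violation restrict
 ! Secure addresses age out after 10 minutes without traffic, so a station
 ! that moves to another port is not left pinned to this one.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! A statically secured address (assumed value) is never aged out.
 switchport port-security mac-address 0000.0c12.3456

! --- Protected ports: stations on these ports cannot exchange traffic
! --- with each other through this switch, only with unprotected ports.
interface range FastEthernet0/2 - 12
 switchport mode access
 switchport protected

! --- IEEE 802.1X on a user port: the station must authenticate through the
! --- RADIUS server (192.0.2.10 is a constructed address) before traffic
! --- other than EAPOL is forwarded.
aaa new-model
radius-server host 192.0.2.10 key <shared-secret>
aaa authentication dot1x default group radius
! Assumption: later releases also need the global command
! "dot1x system-auth-control"; check your release before relying on this.
interface FastEthernet0/13
 switchport mode access
 dot1x port-control auto

! Verification: "show port-security interface FastEthernet0/1" reports the
! secure address count and violation counter; "show dot1x interface
! FastEthernet0/13" reports the authentication state.
```

Choosing "restrict" rather than the default "shutdown" keeps a single unexpected MAC address from taking the legitimate station offline; the trade-off is that the event only shows up in the violation counter and, if configured, an SNMP trap, so it needs to be watched.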
Quality of Service and Class of Service
• Classification
  – IEEE 802.1P class of service (CoS) with four priority queues on the switch 10/100 and LRE ports and eight priority queues on the Gigabit ports for prioritizing mission-critical and time-sensitive traffic from data, voice, and telephony applications
  – IP Differentiated Services Code Point (IP DSCP) and class of service (CoS) marking priorities on a per-port basis for protecting the performance of mission-critical applications (only available with the EI)
  – Flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network (only available in the EI)
  – Support for IEEE 802.1P CoS scheduling for classification and preferential treatment of high-priority voice traffic
  – Trusted boundary (detect the presence of a Cisco IP phone, trust the CoS value received, and ensure port security. If the IP phone is not detected, disable the trusted setting on the port and prevent misuse of a high-priority queue.)
• Policing
  – Traffic-policing policies on the switch port for allocating the amount of the port bandwidth to a specific traffic flow
  – Policing traffic flows to restrict specific applications or traffic flows to metered, predefined rates
  – Up to 60 policers on ingress Gigabit-capable Ethernet ports; up to six policers on ingress 10/100 ports; granularity of 1 Mbps on 10/100 ports and 8 Mbps on 10/100/1000 ports
  – Out-of-profile markdown for packets that exceed bandwidth utilization limits
Note
Policing is available only in the EI.
• Egress Policing and Scheduling of Egress Queues—Four egress queues on all switch ports. Support for strict priority and weighted round-robin (WRR) CoS policies
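The trusted-boundary and policing items above are the two QoS features with a direct security effect: one stops a station from claiming a high-priority queue by tagging its own frames, the other caps how much of a port a single flow can consume. The following Cisco IOS configuration is an added example written for this page, not configuration from the guide or from Cisco; it assumes a switch with the EI, and the interface numbers, VLAN numbers, the access list, and the rate and burst values are assumptions.

```cisco
! Added example (not from the guide): trusted boundary and ingress policing
! on a Catalyst 2950 with the EI. Interface numbers, VLANs, the ACL and the
! policer values are assumed.

! Port with a Cisco IP Phone. The CoS value the phone marks is trusted, but
! only while CDP detects a phone on the port. If the phone is removed and a
! PC sends 802.1Q frames tagged with CoS 5, the port falls back to untrusted
! and those frames are remarked, so the priority queue cannot be claimed.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
 mls qos trust device cisco-phone

! Ingress policer: FTP control traffic entering a 10/100 port is limited to
! 1 Mbps (the 1 Mbps granularity of 10/100 ports); excess is dropped.
! The burst (8192 bytes) and the rate are constructed values.
access-list 101 permit tcp any any eq 21
class-map match-all FTP-CONTROL
 match access-group 101
policy-map LIMIT-FTP
 class FTP-CONTROL
  police 1000000 8192 exceed-action drop
interface FastEthernet0/2
 switchport mode access
 service-policy input LIMIT-FTP

! Verification: "show mls qos interface FastEthernet0/1" shows the trust
! state and whether a phone is currently detected; "show policy-map" lists
! the policer attached to FastEthernet0/2.
```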
Monitoring
• Switch LEDs that provide visual port and switch status
• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN
Note
RSPAN is available only in the EI.
• Four groups (history, statistics, alarms, and events) of embedded remote monitoring (RMON) agents for network monitoring and traffic analysis
• MAC address notification for tracking the MAC addresses that the switch has learned or removed
• Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
Management Options
The switches are designed for plug-and-play operation: you only need to assign basic IP information to
the switch and connect it to the other devices in your network. If you have specific network needs, you
can configure and monitor the switch—on an individual basis or as part of a switch cluster—through its
various management interfaces.
This section discusses these topics:
• Management Interface Options, page 1-7
• Advantages of Using CMS and Clustering Switches, page 1-7
Management Interface Options
You can configure and monitor individual switches and switch clusters by using these interfaces:
• CMS—CMS is a graphical user interface that can be launched from anywhere in your network through a web browser such as Netscape Communicator or Microsoft Internet Explorer. CMS is already installed on the switch. Using CMS, you can configure and monitor a standalone switch, a specific cluster member, or an entire switch cluster. You can also display network topologies to gather link information and display switch images to modify switch and port-level settings.
For more information about CMS, see Chapter 3, “Getting Started with CMS.”
• CLI—The switch IOS CLI software is enhanced to support desktop-switching features. You can configure and monitor the switch and switch cluster members from the CLI. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station.
For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.”
• IE2100—Cisco Intelligence Engine 2100 Series Configuration Registrar is a network management device that works with embedded CNS Agents in the switch software. You can automate initial configurations and configuration updates by generating switch-specific configuration changes, sending them to the switch, executing the configuration change, and logging the results.
For more information about IE2100, see Chapter 5, “Configuring IE2100 CNS Agents.”
• SNMP—SNMP provides a means to monitor and control the switch and switch cluster members. You can manage switch configuration settings, performance, and security and collect statistics by using SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView.
You can manage the switch from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four RMON groups.
For more information about using SNMP, see Chapter 24, “Configuring SNMP.”
Advantages of Using CMS and Clustering Switches
Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You
can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst
switches through one IP address as if they were a single entity. This can conserve IP addresses if you
have a limited number of them. CMS is the easiest interface to use and makes switch and switch cluster
management accessible to authorized users from any PC on your network.
By using switch clusters and CMS, you can:
• Manage and monitor interconnected Catalyst switches (refer to the release notes for a list of supported switches), regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, Cisco GigaStack Gigabit Interface Converter (GBIC), Gigabit Ethernet, and Gigabit EtherChannel connections.
• Accomplish multiple configuration tasks from a single CMS window without needing to remember CLI commands to accomplish specific tasks.
• Apply actions from CMS to multiple ports and multiple switches at the same time to avoid re-entering the same commands for each individual port or switch. Here are some examples of globally setting and managing multiple ports and switches:
  – Port configuration such as speed and duplex settings
  – Port and console port security settings
  – NTP, STP, VLAN, and quality of service (QoS) configurations
  – Inventory and statistic reporting and link and switch-level monitoring and troubleshooting
  – Group software upgrades
• View a topology of interconnected devices to identify existing switch clusters and eligible switches that can join a cluster. You can also use the topology to quickly identify link information between switches.
• Monitor real-time status of a switch or multiple switches from the LEDs on the front-panel images. The system, redundant power system (RPS), and port LED colors on the images are similar to those on the physical LEDs.
• Use an interactive mode that takes you step-by-step through configuring complex features such as VLANs, ACLs, and QoS.
• Use a wizard that prompts you to provide the minimum required information to configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security.
For more information about CMS, see Chapter 3, “Getting Started with CMS.” For more information
about switch clusters, see Chapter 6, “Clustering Switches.”
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch to
create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit
Ethernet connections.
Design Concepts for Using the Switch
As your network users compete for network bandwidth, it takes longer to send and receive data. When
you configure your network, consider the bandwidth required by your network users and the relative
priority of the network applications they use.
Table 1-2 describes what can cause network performance to degrade and how you can configure your
network to increase the bandwidth available to your network users.
Table 1-2 Increasing Network Performance

Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet
• Increased power of new PCs, workstations, and servers
• High demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)

Suggested Design Methods:
• Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most.
• Use full-duplex operation between the switch and its connected workstations.
• Connect global resources—such as servers and routers to which network users require equal access—directly to the Fast Ethernet or Gigabit Ethernet switch ports so that they have their own Fast Ethernet or Gigabit Ethernet segment.
• Use the Fast EtherChannel or Gigabit EtherChannel feature between the switch and its connected servers and routers.
Bandwidth alone is not the only consideration when designing your network. As your network traffic
profiles evolve, consider providing network services that can support applications such as voice and data
integration and security.
Table 1-3 describes some network demands and how you can meet those demands.
Table 1-3 Providing Network Services

Network Demands: High demand for multimedia support
Suggested Design Methods:
• Use IGMP and MVR to efficiently forward multicast traffic.

Network Demands: High demand for protecting mission-critical applications
Suggested Design Methods:
• Use VLANs and protected ports to provide security and port isolation.
• Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.

Network Demands: An evolving demand for IP telephony
Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on 802.1P/Q.

Network Demands: A growing demand for using existing infrastructure to transport data and voice from a home or office to the Internet or an intranet at higher speeds
Suggested Design Methods:
• Use the Catalyst 2950 LRE switches to provide up to 15 Mb of IP connectivity over existing infrastructure (existing telephone lines).
Figure 1-1 shows configuration examples of using the Catalyst switches to create these networks:
• Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect up to nine Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches through GigaStack GBIC connections. When you use a stack of Catalyst 2950G-48 switches, you can connect up to 432 users. To preserve switch connectivity if one switch in the stack fails, connect the bottom switch to the top switch to create a GigaStack loopback, and enable cross-stack UplinkFast on the cross-stack Gigabit uplinks.
You can create backup paths by using Fast Ethernet, Gigabit, Fast EtherChannel, or Gigabit EtherChannel links. Using Gigabit modules on two of the switches, you can have redundant uplink connections to a Gigabit backbone switch such as the Catalyst 3550-12G switch. If one of the redundant connections fails, the other can serve as a backup path. You can configure the stack members and the Catalyst 3550-12G switch as a switch cluster to manage them through a single IP address.
• High-performance workgroup—For users who require high-speed access to network resources, use Gigabit modules to connect the switches directly to a backbone switch in a star configuration. Each switch in this configuration provides users with a dedicated 1-Gbps connection to network resources in the backbone. Compare this with the switches in a GigaStack configuration, where the 1-Gbps connection is shared among the switches. With the high-speed uplink to the distribution server, the user can efficiently obtain and store data from servers. Using these Gigabit modules also provides flexibility in media and distance options:
  – 1000BASE-T GBIC: copper connections of up to 328 feet (100 meters)
  – 1000BASE-SX GBIC: fiber-optic connections of up to 1804 feet (550 meters)
  – 1000BASE-LX/LH GBIC: fiber-optic connections of up to 32,808 feet (10 kilometers)
  – 1000BASE-ZX GBIC: fiber-optic connections of up to 328,084 feet (100 kilometers)
  – GigaStack GBIC module for creating a 1-Gbps stack configuration of up to nine supported switches. The GigaStack GBIC supports one full-duplex link (in a point-to-point configuration) or up to nine half-duplex links (in a stack configuration) to other Gigabit Ethernet devices. Using the required Cisco proprietary signaling and cabling, the GigaStack GBIC-to-GigaStack GBIC connection cannot exceed 3 feet (1 meter).
  – Catalyst 2950 LRE switches support SFP GBIC as well as 10/100/1000 copper connections
• Redundant Gigabit backbone—Using HSRP, you can create backup paths between Catalyst 3550-12T-L3 switches. To enhance network reliability and load balancing for different VLANs and subnets, you can connect the Catalyst 2950 switches, again in a star configuration, to two backbone switches. If one of the backbone switches fails, the second backbone switch preserves connectivity between the switches and network resources.
Figure 1-1 Example Configurations
[Figure with three panels. Cost-Effective Wiring Closet: a Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 GigaStack cluster of Catalyst 2950 switches uplinked to a Catalyst 3550-12T or Catalyst 3550-12G switch. High-Performance Workgroup: a Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 cluster connected in a star to a Catalyst 3550-12T or Catalyst 3550-12G switch serving a Gigabit server. Redundant Gigabit Backbone: the same kind of cluster connected to two Catalyst 3550-12T or Catalyst 3550-12G switches joined by a 1-Gbps HSRP link.]
Small to Medium-Sized Network Configuration
Figure 1-2 shows a configuration for a network that has up to 250 users. Users in this network require
e-mail, file-sharing, database, and Internet access.
You optimize network performance by placing workstations on the same logical segment as the servers
they access most often. This divides the network into smaller segments (or workgroups) and reduces the
amount of traffic that travels over a network backbone, thereby increasing the bandwidth available to
each user and improving server response time.
A network backbone is a high-bandwidth connection (such as Fast Ethernet or Gigabit Ethernet) that
interconnects segments and network resources. It is required if numerous segments require access to the
servers. The Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 switches in this network are
connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone. This
GigaStack can also be configured as a switch cluster, with primary and secondary command switches for
redundant cluster management.
Workstations are connected directly to the 10/100 switch ports for their own 10- or 100-Mbps access to
network resources (such as web and mail servers). When a workstation is configured for full-duplex
operation, it receives up to 200 Mbps of dedicated bandwidth from the switch.
Servers are connected to the GBIC module ports on the switches, allowing 1-Gbps throughput to users
when needed. When the switch and server ports are configured for full-duplex operation, the links
provide 2 Gbps of bandwidth. For networks that do not require Gigabit performance from a server,
connect the server to a Fast Ethernet or Fast EtherChannel switch port.
Connecting a router to a Fast Ethernet switch port provides multiple, simultaneous access to the Internet
through one line.
Figure 1-2 Small to Medium-Sized Network Configuration
[Figure: a Catalyst 2900, Catalyst 2950, Catalyst 3550, and Catalyst 3500 GigaStack cluster with a Cisco 2600 router attached at 100 Mbps (200 Mbps full duplex), Gigabit servers attached at 1 Gbps (2 Gbps full duplex), and single workstations attached at 10/100 Mbps (20/200 Mbps full duplex).]
Collapsed Backbone and Switch Cluster Configuration
Figure 1-3 shows a configuration for a network of approximately 500 employees. This network uses a
collapsed backbone and switch clusters. A collapsed backbone has high-bandwidth uplinks from all
segments and subnetworks to a single device, such as a Gigabit switch, that serves as a single point for
monitoring and controlling the network. You can use a Catalyst 3550-12T-L3 switch, as shown, or a
Catalyst 3508G XL switch to create a Gigabit backbone. A Catalyst 3550-12T-L3 backbone switch
provides the benefits of inter-VLAN routing and allows the router to focus on WAN access.
The workgroups are created by clustering all the Catalyst switches except the Catalyst 4908G-L3 switch.
Using CMS and Cisco switch clustering technology, you can group the switches into multiple clusters,
as shown, or into a single cluster. You can manage a cluster through the IP address of its active and
standby command switches, regardless of the geographic location of the cluster members.
This network uses VLANs to segment the network logically into well-defined broadcast groups and for security management. Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate voice VLAN IDs (VVIDs). You can have up to four VVIDs per wiring closet. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet. For any switch port connected to Cisco IP Phones, 802.1P/Q QoS gives forwarding priority to voice traffic over data traffic.
Grouping servers in a centralized location provides benefits such as security and easier maintenance.
The Gigabit connections to a server farm provide the workgroups full access to the network resources
(such as a call-processing server running Cisco CallManager software, a DHCP server, or an IP/TV
multicast server).
Cisco IP Phones are connected—using standard straight-through, twisted-pair cable with RJ-45
connectors—to the 10/100 inline-power ports on the Catalyst 3524-PWR XL switches and to the
10/100 ports on the Catalyst 2950 switches. These multiservice switch ports automatically detect if an
IP phone is connected. Cisco CallManager controls call processing, routing, and IP phone features and
configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control
calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone
software integrates telephony and IP networks, and the IP network supports both voice and data.
Each 10/100 inline-power port on the Catalyst 3524-PWR XL switches provides –48 VDC power to the
Cisco IP Phone. The IP phone can receive redundant power when it also is connected to an AC power
source. IP phones not connected to the Catalyst 3524-PWR XL switches receive power from an AC
power source.
Figure 1-3 Collapsed Backbone and Switch Cluster Configuration
[Figure: a Catalyst 3550-12T or Catalyst 3550-12G backbone switch with Gigabit servers and Cisco CallManager attached at 1 Gbps (2 Gbps full duplex) and a Cisco 2600 router attached by 200-Mbps Fast EtherChannel (400-Mbps full-duplex Fast EtherChannel). Below it, two Catalyst 2950, 2900, 3550, and 3500 GigaStack clusters and a Catalyst 3524-PWR GigaStack cluster serve Cisco IP Phones and workstations running Cisco SoftPhone software.]
Large Campus Configuration
Figure 1-4 shows a configuration for a network of more than 1000 users. Because it can aggregate up to
130 Gigabit connections, a Catalyst 6500 multilayer switch is used as the backbone switch.
You can use the workgroup configurations shown in previous examples to create workgroups with
Gigabit uplinks to the Catalyst 6500 switch. For example, you can use switch clusters that have a mix
of Catalyst 2950 switches.
The Catalyst 6500 switch provides the workgroups with Gigabit access to core resources:
• Cisco 7000 series router for access to the WAN and the Internet.
• Server farm that includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and IP phone features and configuration.
• Cisco Access gateway (such as Cisco Access Digital Trunk Gateway or Cisco Access Analog Trunk Gateway) that connects the IP network to the Public Switched Telephone Network (PSTN) or to users in an IP telephony network.
Figure 1-4 Large Campus Configuration
[Figure: a Catalyst 6500 switch at the core with a Cisco 7200 or 7500 router to the WAN, a Cisco access gateway to the IP telephony network or PSTN, Cisco CallManager, and servers. A Catalyst 2950, 2900, 3500, and 3550 GigaStack cluster and a Catalyst 3524-PWR GigaStack cluster connect to the core at 1 Gbps (2 Gbps full duplex) and serve Cisco IP Phones and workstations running Cisco SoftPhone software.]
Hotel Network Configuration
Figure 1-5 shows the Catalyst 2950 LRE switches in a hotel network environment with approximately
200 rooms. This network includes a PBX switchboard, a router, and high-speed servers.
Connected to the telephone line in each hotel room is an LRE CPE device, such as a Cisco LRE CPE
device. The LRE CPE device provides:
• Two RJ-11 ports, one for connecting to the telephone jack on the wall and one for connecting to a POTS telephone.
• One or more RJ-45 Ethernet ports for connecting to devices such as a customer’s laptop, the room’s IP phone, the television set-top box, or a room environmental control device. A Cisco 575 LRE CPE provides one Ethernet connection; a Cisco 585 LRE CPE provides four.
When connected to the CPE device, the Ethernet devices and room telephone share the same telephone
line.
Note
All telephones not directly connected to the hotel room CPE device require microfilters with a 300-ohm
termination. Microfilters improve voice call quality when voice and data equipment are using the same
telephone line. They also prevent nonfiltered telephone rings and nonfiltered telephone transitions (such
as on-hook to off-hook) from interrupting the Ethernet connection.
Through a patch panel, the telephone line from each room connects to a nonhomologated POTS splitter,
such as the Cisco LRE 48 POTS Splitter. The splitter routes data (high-frequency) and voice
(low-frequency) traffic from the telephone line to a Catalyst 2950 LRE switch and digital private branch
exchange (PBX). The PBX routes voice traffic to the PSTN.
If a PBX is not on-site, a homologated POTS splitter is required to connect directly to the PSTN.
Note
Consult the regulations for connecting to the PSTN in your area.
If a connection to a phone network is not required at all, a splitter is not needed, and the switch can
connect directly to the patch panel.
Note
Cisco LRE products can share lines with analog telephones, Integrated Services Digital Network (ISDN)
telephone network, and PBX switches that use the 0 to 700 kHz frequency range.
Data to and from the room devices (such as e-mail for the laptop and IP multicast traffic for the
television) are transferred through the LRE link, which is established between the CPE RJ-11 wall port
and the LRE port on an LRE switch. The upstream and downstream rates on the LRE link are controlled
by a profile configured on each LRE port. If the LRE switch was connected to the PSTN through a
homologated POTS splitter, all LRE ports would use an ANSI-compliant LRE profile named
LRE-998-15-4.
The Catalyst 2950 LRE switches are cascaded through their 10/100/1000 switch ports. Each switch also
has a 10/100/1000 connection to an aggregation switch, such as a 3550-12G switch. The aggregation
switch can connect to:
• Accounting, billing, and provisioning servers.
• A router that provides Internet access to the premises.
You can manage the switches as a switch cluster and through the cluster management suite (CMS). You
can also manage and monitor the individual CPE devices from the LRE switches to which they are
connected. The Catalyst 2950 LRE switch ports support the same software features as 10/100/1000
switch ports. For example, you can configure port-based VLANs on the LRE ports to provide individual
port security and protected ports to further prevent unwanted broadcasts within the VLANs.
Figure 1-5 Hotel Network Configuration
[Figure: on Floor 3 and Floor 4, rooms and users with laptops, TVs with set-top boxes, IP phones, environmental controls, and POTS telephones (behind required microfilters) connect through Cisco 575 LRE CPE and Cisco 585 LRE CPE devices to the room telephone lines. The lines run through a patch panel to Cisco LRE 48 POTS splitters, which feed the Catalyst 2950 LRE switches on the data side and a PBX connected to the PSTN on the voice side. The LRE switches uplink to a Catalyst 2900 XL or Catalyst 3500 XL switch with a Cisco 2600 router and servers.]
Multidwelling Network Using Catalyst 2950 Switches
A growing segment of residential and commercial customers requires high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-6 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X GBIC ports.
The resident switches can be Catalyst 2950 switches, providing customers with high-speed connections
to the MAN. Catalyst LRE Layer 2 only switches also can be used as residential switches for customers
requiring connectivity through existing telephone lines. The Catalyst LRE switches can then be
connected to another residential switch or to an aggregation switch. For more information about the LRE
switches, refer to the Catalyst 2950 Series Hardware Installation Guide.
All ports on the residential Catalyst 2950 switches (and Catalyst LRE switches if they are included) are
configured as 802.1Q trunks with protected port and STP root guard features enabled. The protected port
feature provides security and isolation between ports on the switch, ensuring that subscribers cannot
view packets destined for other subscribers. STP root guard prevents unauthorized devices from
becoming the STP root switch. All ports have IGMP snooping or CGMP enabled for multicast traffic
management. ACLs on the uplink ports to the aggregating Catalyst 3550 multilayer switches provide
security and bandwidth management.
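The residential-switch design described above (subscriber ports as 802.1Q trunks with protected port and root guard, IGMP snooping, and an ACL on the uplink) maps onto a short Cisco IOS configuration. The following is an added example written for this page, not configuration from the guide or from Cisco; it assumes a Catalyst 2950 with the EI, and the VLAN numbers, interface numbers, subscriber address block, and access-list contents are assumptions. Because the Catalyst 2950 applies IP ACLs to physical ports in the inbound direction only, the example places the ACL on the uplink as a filter on traffic arriving from the aggregation side; whether the guide intends the ACL on the 2950 uplink or on the Catalyst 3550 port facing it is not stated, and this is an assumption.

```cisco
! Added example (not from the guide): residential Catalyst 2950 (EI) in the
! multidwelling MAN design. VLANs, interface numbers, the subscriber
! address block (10.10.0.0/16) and the ACL contents are assumed.

! Subscriber-facing ports: 802.1Q trunks carrying the subscriber VLANs,
! with DTP negotiation disabled so a subscriber device cannot influence the
! trunk state. Protected ports stop subscribers on this switch from seeing
! each other's frames; root guard keeps a subscriber's switch from becoming
! the spanning-tree root.
interface range FastEthernet0/1 - 22
 description Subscriber port
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 100-103
 switchport protected
 spanning-tree guard root

! IGMP snooping: multicast video is forwarded only to ports that joined
! the group, not flooded to every subscriber on the VLAN.
ip igmp snooping
ip igmp snooping vlan 100
ip igmp snooping vlan 101
ip igmp snooping vlan 102
ip igmp snooping vlan 103

! Uplink toward the aggregating Catalyst 3550. The ACL is evaluated on
! packets entering from the MAN: packets that claim a source address inside
! the subscriber block cannot legitimately arrive from upstream and are
! dropped; everything else is permitted.
ip access-list extended FROM-MAN
 deny ip 10.10.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet0/1
 description Uplink to Catalyst 3550 aggregation switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 100-103
 ip access-group FROM-MAN in

! Verification: "show interfaces switchport" confirms the protected flag and
! trunk state per port; "show ip igmp snooping" shows snooping per VLAN;
! "show access-lists" shows the uplink ACL.
```

Protected ports only isolate subscribers on the same switch; traffic between subscribers on different residential switches passes through the aggregation layer, which is where the guide places ACLs for security and bandwidth management.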
The aggregating switches and routers provide services such as those described in the previous examples,
“Small to Medium-Sized Network Configuration” and “Large Campus Configuration.”
Figure 1-6 Catalyst 2950 Switches in a MAN Configuration
[Figure: a Service Provider POP with Cisco 12000 Gigabit switch routers and Catalyst 6500 switches; a Gigabit MAN ring; a Mini-POP with Catalyst 3550 multilayer switches; and a Residential location with Catalyst switches, a residential gateway (hub), set-top boxes, TVs, and a PC.]
Long-Distance, High-Bandwidth Transport Configuration
Note
To use the feature described in this section, you must have the EI installed on your Catalyst 2950 switch.
This feature does not apply to the Catalyst 2950 LRE switches.
Figure 1-7 shows a configuration for transporting Gigabits of data from one location to an off-site
backup facility over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division
Multiplexer (CWDM) fiber-optic GBIC modules installed. The CWDM GBIC modules can connect to
distances of up to 393,701 feet (74.5 miles or 120 kilometers). Depending on the CWDM GBIC module,
data is sent at wavelengths from 1470 to 1610 nanometers (nm). The higher the wavelength, the farther
the transmission can travel. A common wavelength for long-distance transmissions is 1550 nm.
Up to eight CWDM GBIC modules, with any combination of wavelengths, can connect to a Cisco
CWDM Passive Optical System. It combines (or multiplexes) the different CWDM wavelengths,
allowing them to travel simultaneously on the same fiber-optic cable. The Cisco CWDM Passive Optical
System on the receiving end separates (or demultiplexes) the different wavelengths.
Using CWDM technology with the switches translates to farther data transmission and an increased
bandwidth capacity (up to 8 Gbps) on a single fiber-optic cable.
For more information about the CWDM GBIC modules and CWDM Passive Optical System, refer to the
CWDM Passive Optical System Installation Note.
Figure 1-7 Long-Distance, High-Bandwidth Transport Configuration
[Figure image not reproduced. Labels in the figure: Access layer: Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches; CWDM OADM modules; Eight 1-Gbps connections; 8 Gbps; CWDM OADM modules; Aggregation layer: Catalyst 4000 multilayer switches.]
Where to Go Next
Before configuring the switch, review these sections for start up information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Getting Started with CMS”
• Chapter 4, “Assigning the Switch IP Address and Default Gateway”
• Chapter 5, “Configuring IE2100 CNS Agents”
Chapter 2
Using the Command-Line Interface
This chapter describes the IOS command-line interface (CLI) that you can use to configure your
switches. It contains these sections:
• IOS Command Modes, page 2-1
• Getting Help, page 2-3
• Abbreviating Commands, page 2-5
• Using no and default Forms of Commands, page 2-5
• Understanding CLI Messages, page 2-5
• Using Command History, page 2-6
• Using Editing Features, page 2-7
• Searching and Filtering Output of show and more Commands, page 2-10
• Accessing the CLI, page 2-10
IOS Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you
depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a
list of commands available for each command mode.
When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a
limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC
commands are one-time commands, such as show commands, which show the current configuration
status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved
when the switch reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a
password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC
command or enter global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running
configuration. If you save the configuration, these commands are stored and used when the switch
reboots. To access the various configuration modes, you must start at global configuration mode. From
global configuration mode, you can enter interface configuration mode and line configuration mode.
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode,
and how to exit the mode. The examples in the table use the host name Switch.
Table 2-1 Command Mode Summary
(Columns: Mode; Access Method; Prompt; Exit Method; About This Mode)

User EXEC
Access method: Begin a session with your switch.
Prompt: Switch>
Exit method: Enter logout or quit.
About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Privileged EXEC
Access method: While in user EXEC mode, enter the enable command.
Prompt: Switch#
Exit method: Enter disable to exit.
About this mode: Use this mode to verify commands that you have entered. Use a password to protect access to this mode.

Global configuration
Access method: While in privileged EXEC mode, enter the configure command.
Prompt: Switch(config)#
Exit method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About this mode: Use this mode to configure parameters that apply to the entire switch.

Config-vlan
Access method: While in global configuration mode, enter the vlan vlan-id command.
Prompt: Switch(config-vlan)#
Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.

Config-lre-sequence
Access method: While in global configuration mode, enter the lre sequence command.
Prompt: config-seq#
Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to create new sequences or to add or delete profiles in a user-defined sequence.

Config-lre-controller
Access method: While in global configuration mode, enter the lre controller command.
Prompt: config-controller#
Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode for all upgrade-related commands (for further information on upgrading, see the “Upgrading LRE Switch Firmware” section on page 10-15).

VLAN configuration
Access method: While in privileged EXEC mode, enter the vlan database command.
Prompt: Switch(vlan)#
Exit method: To exit to privileged EXEC mode, enter exit.
About this mode: Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.

Interface configuration
Access method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure parameters for the switch and LRE CPE Ethernet interfaces. To configure multiple interfaces with the same parameters, see the “Configuring a Range of Interfaces” section on page 9-6.

Line configuration
Access method: While in global configuration mode, specify a line with the line vty or line console command.
Prompt: Switch(config-line)#
Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure parameters for the terminal line.
Getting Help
You can enter a question mark (?) at the system prompt to display a list of commands available for each
command mode. You can also obtain a list of associated keywords and arguments for any command, as
shown in Table 2-2.
Table 2-2 Help Summary
(Columns: Command; Purpose)

help
Obtain a brief description of the help system in any command mode.

abbreviated-command-entry?
Obtain a list of commands that begin with a particular character string. For example:
Switch# di?
dir disable disconnect

abbreviated-command-entry<Tab>
Complete a partial command name. For example:
Switch# sh conf<Tab>
Switch# show configuration

?
List all commands available for a particular command mode. For example:
Switch> ?

command ?
List the associated keywords for a command. For example:
Switch> show ?

command keyword ?
List the associated arguments for a keyword. For example:
Switch(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
Specifying Ports in Interface Configuration Mode
To configure a port, you need to specify the interface type, slot, and switch-port number with the
interface configuration command. For example, to configure port 4 on a switch, you enter:
switch(config)#interface fa 0/4
To configure port 4 on a 10/100 module in the first module slot on the switch, you enter:
switch(config)#interface fa 1/4
• Interface type—Each switch in the Catalyst 2950 and Catalyst 3550 platform supports different types of interfaces. To display a complete list of the interface types supported on your switch, enter the interface ? global configuration command. This example shows what the interface ? command displays on a Catalyst 2950 LRE switch:
lreswitch(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  GE-WAN             GigabitEthernetWAN IEEE 802.3z
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  LongReachEthernet  Long Reach Ethernet
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Transparent        Transparent interface
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
Note
The multilink and virtual-TokenRing interface types are not supported on the Catalyst 2950 LRE switches.
• Slot number—The slot number on the switch. On the modular Catalyst 2900 XL switches, the slot number is 1 or 2. On non-modular Catalyst 2950 LRE and Catalyst 3500 XL switches, the slot number is 0.
• Port number—The number of the physical port on the switch. Refer to your switch for the port numbers.
Abbreviating Commands
You have to enter only enough characters for the switch to recognize the command as unique. This
example shows how to enter the show configuration privileged EXEC command:
Switch# show conf
Using no and default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature
or function or reverse the action of a command. For example, the no shutdown interface configuration
command reverses the shutdown of an interface. Use the command without the keyword no to re-enable
a disabled feature or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the
command setting to its default. Most commands are disabled by default, so the default form is the same
as the no form. However, some commands are enabled by default and have variables set to certain default
values. In these cases, the default command enables the command and sets variables to their default
values.
Understanding CLI Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your
switch.
Table 2-3 Common CLI Error Messages
(Columns: Error Message; Meaning; How to Get Help)

% Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to get help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

% Incomplete command.
Meaning: You did not enter all the keywords or values required by this command.
How to get help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

% Invalid input detected at ‘^’ marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to get help: Enter a question mark (?) to display all the commands that are available in this command mode. The possible keywords that you can enter with the command are displayed.
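The abbreviation rule, the ? help forms in Table 2-2 and the three messages in Table 2-3 all follow from one matching step: each word you type must be a unique prefix of a keyword at that point in the command tree. The following Python model is an added example, not Cisco code; its COMMAND_TREE is a small constructed subset of the privileged EXEC commands, and the function names resolve, help_for and render_error are assumptions.

```python
"""Model of the IOS CLI matching rules this chapter describes: unique-prefix
abbreviation, '?' help, and the three messages in Table 2-3. Added example,
not Cisco code. COMMAND_TREE is a constructed subset of the privileged EXEC
command tree, chosen so the page's own examples behave as the text describes."""

# Constructed command tree: each keyword maps to the keywords that may follow
# it; None marks a leaf, that is, a command that is complete at that point.
COMMAND_TREE = {
    "dir": None,
    "disable": None,
    "disconnect": None,
    "show": {
        "configuration": None,
        "controllers": None,   # makes "show con" ambiguous, as in Table 2-3
        "history": None,
        "interfaces": None,
    },
    "configure": {"terminal": None},
    "clear": {"counters": None},
}

INVALID = "% Invalid input detected at '^' marker."
INCOMPLETE = "% Incomplete command."


def candidates(level, prefix):
    """Keywords at this level that begin with prefix; an exact match wins."""
    if prefix in level:
        return [prefix]
    return sorted(k for k in level if k.startswith(prefix))


def resolve(line, tree=COMMAND_TREE):
    """Expand an abbreviated command line the way the switch does.
    Returns {"ok": True, "command": <full command>} on success, otherwise
    {"ok": False, "error": <message>, "caret": <column of the error or None>}."""
    tokens = line.split()
    if not tokens:
        return {"ok": True, "command": ""}
    level, expanded, search_from = tree, [], 0
    for tok in tokens:
        col = line.index(tok, search_from)  # column under which '^' goes
        search_from = col + len(tok)
        if level is None:
            # The command was already complete; the extra token is the error.
            return {"ok": False, "error": INVALID, "caret": col}
        matches = candidates(level, tok)
        if not matches:
            return {"ok": False, "error": INVALID, "caret": col}
        if len(matches) > 1:
            # Too few characters to pick one keyword: "% Ambiguous command".
            return {"ok": False, "caret": None,
                    "error": '%% Ambiguous command: "%s"' % line.strip()}
        expanded.append(matches[0])
        level = level[matches[0]]
    if level is not None:
        # Every token matched, but more keywords are still required.
        return {"ok": False, "error": INCOMPLETE, "caret": None}
    return {"ok": True, "command": " ".join(expanded)}


def help_for(line, tree=COMMAND_TREE):
    """Emulate '?' help from Table 2-2: 'di?' lists commands that begin with
    di, 'show ?' lists what may follow show, and '<cr>' means the command
    is complete as typed."""
    if not line.endswith("?"):
        raise ValueError("help requests end with '?'")
    body = line[:-1]
    tokens = body.split()
    if body == "" or body.endswith(" "):
        done, partial = tokens, ""               # list what may follow
    else:
        done, partial = tokens[:-1], tokens[-1]  # complete the last token
    level = tree
    for tok in done:
        matches = candidates(level, tok) if level is not None else []
        if len(matches) != 1:
            return []                            # unknown or ambiguous prefix
        level = level[matches[0]]
    if level is None:
        return ["<cr>"] if partial == "" else []
    return candidates(level, partial)


def render_error(prompt, line, result):
    """Echoed line, a caret under the offending token where one applies, then the message."""
    out = [prompt + line]
    if result["caret"] is not None:
        out.append(" " * (len(prompt) + result["caret"]) + "^")
    out.append(result["error"])
    return "\n".join(out)


if __name__ == "__main__":
    print(" ".join(help_for("di?")))       # dir disable disconnect
    print(resolve("sh conf")["command"])   # show configuration
    for bad in ("show con", "sh", "show interfaces foo"):
        print(render_error("Switch# ", bad, resolve(bad)))
```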
Using Command History
The IOS provides a history or record of commands that you have entered. This feature is particularly
useful for recalling long or complex commands or entries, including access lists. You can customize the
command history feature to suit your needs as described in these sections:
• Changing the Command History Buffer Size, page 2-6
• Recalling Commands, page 2-6
• Disabling the Command History Feature, page 2-7
Changing the Command History Buffer Size
By default, the switch records ten command lines in its history buffer. Beginning in privileged EXEC
mode, enter this command to change the number of command lines that the switch records during the
current terminal session:
Switch# terminal history [size number-of-lines]
The range is from 0 to 256.
Beginning in line configuration mode, enter this command to configure the number of command lines
the switch records for all sessions on a particular line:
Switch(config-line)# history [size number-of-lines]
The range is from 0 to 256.
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 2-4:
Table 2-4 Recalling Commands
(Columns: Action (1); Result)

Press Ctrl-P or the up arrow key.
Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.

Press Ctrl-N or the down arrow key.
Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.

show history
While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that are displayed is determined by the setting of the terminal history global configuration command and history line configuration command.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Disabling the Command History Feature
The command history feature is automatically enabled.
To disable the feature during the current terminal session, enter the terminal no history privileged
EXEC command.
To disable command history for the line, enter the no history line configuration command.
Using Editing Features
This section describes the editing features that can help you manipulate the command line. It contains
these sections:
• Enabling and Disabling Editing Features, page 2-7
• Editing Commands through Keystrokes, page 2-8
• Editing Command Lines that Wrap, page 2-9
Enabling and Disabling Editing Features
Although enhanced editing mode is automatically enabled, you can disable it.
To re-enable the enhanced editing mode for the current terminal session, enter this command in
privileged EXEC mode:
Switch# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration
mode:
Switch(config-line)# editing
To globally disable enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# no editing
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines.
Table 2-5 Editing Commands through Keystrokes
(Columns: Capability; Keystroke (1); Purpose)

Move around the command line to make changes or corrections.
Press Ctrl-B, or press the left arrow key: Move the cursor back one character.
Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
Press Ctrl-A: Move the cursor to the beginning of the command line.
Press Ctrl-E: Move the cursor to the end of the command line.
Press Esc B: Move the cursor back one word.
Press Esc F: Move the cursor forward one word.
Press Ctrl-T: Transpose the character to the left of the cursor with the character located at the cursor.

Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted.
Press Ctrl-Y: Recall the most recent entry in the buffer.
Press Esc Y: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.

Delete entries if you make a mistake or change your mind.
Press the Delete or Backspace key: Erase the character to the left of the cursor.
Press Ctrl-D: Delete the character at the cursor.
Press Ctrl-K: Delete all characters from the cursor to the end of the command line.
Press Ctrl-U or Ctrl-X: Delete all characters from the cursor to the beginning of the command line.
Press Ctrl-W: Delete the word to the left of the cursor.
Press Esc D: Delete from the cursor to the end of the word.

Capitalize or lowercase words or capitalize a set of letters.
Press Esc C: Capitalize at the cursor.
Press Esc L: Change the word at the cursor to lowercase.
Press Esc U: Capitalize letters from the cursor to the end of the word.

Designate a particular keystroke as an executable command, perhaps as a shortcut.
Press Ctrl-V or Esc Q.

Scroll down a line or screen on displays that are longer than the terminal screen can display.
Press the Return key: Scroll down one line.
Press the Space bar: Scroll down one screen.
Note
The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.

Redisplay the current command line if the switch suddenly sends a message to your screen.
Press Ctrl-L or Ctrl-R: Redisplay the current command line.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When
the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the
first ten characters of the line, but you can scroll back and check the syntax at the beginning of the
command.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You
can also press Ctrl-A to immediately move to the beginning of the line.
Note
The arrow keys function only on ANSI-compatible terminals such as VT100s.
In this example, the access-list global configuration command entry extends beyond one line. When the
cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar
sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line,
the line is again shifted ten spaces to the left.
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key
to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been
scrolled to the right:
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than
that, use the terminal width privileged EXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall and modify previous complex command
entries. For information about recalling previous command entries, see the “Editing Commands through
Keystrokes” section on page 2-8.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort
through large amounts of output or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the pipe character (|), one of the
keywords begin, include, or exclude, and an expression that you want to search for or filter out:
command | {begin | include | exclude} regular-expression
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output
are not displayed, but the lines that contain Output are displayed.
This example shows how to include in the output display only lines where the expression protocol
appears:
Switch# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/1 is up, line protocol is down
GigabitEthernet0/2 is up, line protocol is up
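As an added example, not code from the guide, the Python model below implements the begin, include and exclude semantics of this section, including the case-sensitive matching the text describes, and runs them over a constructed excerpt of show interfaces output. SAMPLE_OUTPUT, parse_pipe, filter_output and run are assumptions of the example.

```python
"""Model of the output filtering described in this section: '| begin',
'| include' and '| exclude' with a case-sensitive regular expression.
Added example, not Cisco code; SAMPLE_OUTPUT is a constructed excerpt of
'show interfaces' output in the format the page shows."""
import re

# Constructed sample output (the MAC addresses are placeholders).
SAMPLE_OUTPUT = """\
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0000.0000.0001
Vlan10 is up, line protocol is down
  Hardware is EtherSVI, address is 0000.0000.000a
GigabitEthernet0/1 is up, line protocol is down
  Hardware is Gigabit Ethernet, address is 0000.0000.0011
  Output queue: 0/40 (size/max)
GigabitEthernet0/2 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0000.0000.0012
  Output queue: 0/40 (size/max)
"""

# Matches "command | {begin | include | exclude} regular-expression".
PIPE_RE = re.compile(r"^(.*?)\s*\|\s*(begin|include|exclude)\s+(.+?)\s*$")


def parse_pipe(command_line):
    """Split 'show interfaces | include protocol' into its three parts;
    a line without a filter comes back as (line, None, None)."""
    m = PIPE_RE.match(command_line)
    if not m:
        return command_line.strip(), None, None
    return m.group(1), m.group(2), m.group(3)


def filter_output(text, keyword, expression):
    """Apply one of the three filter keywords to the lines of text.
    The expression is a regular expression and, as on the switch, matching
    is case sensitive: 'exclude output' keeps lines that contain 'Output'."""
    pattern = re.compile(expression)
    lines = text.splitlines()
    if keyword == "include":
        return [ln for ln in lines if pattern.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not pattern.search(ln)]
    if keyword == "begin":
        # Everything from the first matching line onward, filtered no further.
        for i, ln in enumerate(lines):
            if pattern.search(ln):
                return lines[i:]
        return []
    raise ValueError("keyword must be begin, include or exclude")


def run(command_line, output=SAMPLE_OUTPUT):
    """Emulate the switch: take the command's output, then apply its filter."""
    _command, keyword, expression = parse_pipe(command_line)
    if keyword is None:
        return output.splitlines()
    return filter_output(output, keyword, expression)


if __name__ == "__main__":
    # Reproduces the page's example: only the lines containing "protocol".
    print("\n".join(run("show interfaces | include protocol")))
```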
Accessing the CLI
Before you can access the CLI, you need to connect a terminal or PC to the switch console port and
power on the switch as described in the hardware installation guide that shipped with your switch. Then,
to understand the boot process and the options available for assigning IP information, see Chapter 4,
“Assigning the Switch IP Address and Default Gateway.”
If your switch is already configured, you can access the CLI through a local console connection or
through a remote Telnet session, but your switch must first be configured for this type of access. For
more information, see the “Setting a Telnet Password for a Terminal Line” section on page 7-6.
You can establish a connection with the switch in one of two ways:
• Connecting the switch console port to a management station or dial-up modem. For information about connecting to the console port, refer to the switch hardware installation guide.
• Using any Telnet TCP/IP package from a remote management station. The switch must have network connectivity with the Telnet client, and the switch must have an enable secret password configured.
For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 7-6. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.
After you connect through the console port or through a Telnet session, the user EXEC prompt appears
on the management station.
Accessing the CLI from a Browser
This procedure assumes you have met the software requirements (including browser and Java plug-in
configurations) and have assigned IP information and a Telnet password to the switch or command
switch, as described in the release notes.
To access the CLI from a web browser, follow these steps:
Step 1
Start one of the supported browsers.
Step 2
In the URL field, enter the IP address of the command switch.
Step 3
When the Cisco Systems Access page appears, click Telnet to start a Telnet session.
You can also access the CLI by clicking Monitor the router - HTML access to the command line interface from the Cisco Systems Access page. For information about the Cisco Systems Access page, see the “Accessing CMS” section in the release notes.
Step 4
Enter the switch password.
The user EXEC prompt appears on the management station.
Note
Copies of the CMS pages that you display are saved in your browser memory cache until you exit the
browser session. A password is not required to redisplay these pages, including the Cisco Systems
Access page. You can access the CLI by clicking Web Console - HTML access to the command line
interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS
and the CLI, exit your browser to end the browser session.
Chapter 3
Getting Started with CMS
This chapter provides these topics about the Cluster Management Suite (CMS) software:
• Features, page 3-2
• Front Panel View, page 3-4
• Topology View, page 3-10
• Menus and Toolbar, page 3-15
• Interaction Modes, page 3-25
• Wizards, page 3-26
• Online Help, page 3-26
• CMS Window Components, page 3-28
• Accessing CMS, page 3-30
• Verifying Your Changes, page 3-32
• Saving Your Configuration, page 3-33
• Restoring Your Configuration, page 3-33
• CMS Preferences, page 3-33
• Using Different Versions of CMS, page 3-34
• Where to Go Next, page 3-34
Note
• For system requirements and for browser and Java plug-in configuration procedures, refer to the release notes.
• For procedures for using CMS, refer to the online help.
This chapter describes CMS on the Catalyst 2950 and Catalyst 2950 LRE switches. Refer to the
appropriate switch documentation for descriptions of the web-based management software used on other
Catalyst switches.
Features
CMS provides these features (see Figure 3-1) for managing switch clusters and individual switches from
Web browsers such as Netscape Communicator or Microsoft Internet Explorer:
• Two views of your network that can be displayed at the same time:
– The Front Panel view displays the front-panel image of a specific switch or the front-panel images of all switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings.
When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster. When CMS is launched from a noncommand switch, the Front Panel view displays only the front panel of the specific switch.
Note
CMS from a standalone switch or from a noncommand switch is referred to as Device Manager (also referred to as Switch Manager). Device Manager is for configuring an individual switch. When you select Device Manager for a specific switch in the cluster, you launch a separate CMS session. The Device Manager interface can vary between the Catalyst switch platforms.
– The Topology view displays a network map that uses icons that represent switch clusters, cluster members, cluster candidates, neighboring devices that are not eligible to join a cluster, and link types. From this view, you can select multiple switches and configure them to run with the same settings. You can also display link information in the form of link reports and link graphs.
This view is available only when CMS is launched from a command switch.
• Menus and toolbar to access configuration and management options:
– The menu bar provides the complete list of options for managing a single switch and switch clusters.
– The toolbar provides buttons for commonly used switch and cluster configuration options and information windows such as legends and online help.
– The port popup menu, in the Front Panel view, provides options specific for configuring and monitoring switch ports.
– The device popup menu, in either the Front Panel or the Topology views, provides switch and cluster configuration and monitoring options.
– The candidate, member, and link popup menus provide options for configuring and monitoring devices and links in the Topology view.
The toolbar and popup menus provide quick ways to access frequently used menu-bar options.
• Tools to simplify configuration tasks:
– Interactive modes—guide mode and expert mode—that control the presentation of some complex configuration options.
– Wizards that require minimal information from you to configure some complex features.
– Comprehensive online help that provides high-level concepts and procedures for performing tasks from the window.
• Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings.
• Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a uniform approach to viewing and setting configuration parameters (see Figure 3-1).
Figure 3-1 CMS Features
[Figure image not reproduced. Callouts: Toolbar: move the cursor over an icon to display its tool tip; for example, the legend icon's button displays the legend of icons and color codes. Menu bar. Click Guide or Expert interaction mode to change how some configuration options are presented to you. Front Panel view of the cluster (cluster1). Topology view of the cluster.]
Front Panel View
When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all the switches in the cluster (see Figure 3-2 for a 2950 LRE switch and Figure 3-3 for a 2950 non-LRE switch). You can use the cursor to rearrange the order of the switches in this window.
Figure 3-2 Front Panel View from a 2950 LRE Command Switch
[Figure image not reproduced; the cluster shown is cluster1 at 10.1.1.2. Callouts: Cluster tree. Right-click a member switch image to display the device pop-up menu, and select an option to view or change system-related settings. Right-click the command switch image to display the cluster pop-up menu, and select a cluster-related option.]
Figure 3-3 Front Panel View from a 2950 Command Switch
[Figure image not reproduced; the cluster shown is cluster1 at 10.1.1.2, with the same callouts as Figure 3-2.]
When CMS is launched from a standalone or noncommand member switch, the Front Panel view
displays only the front panel of the specific switch (see Figure 3-5 for a 2950 switch and Figure 3-4 for
a 2950 LRE switch).
Figure 3-4 Front Panel View from a Standalone 2950 LRE Switch
[Figure image not reproduced; the switch shown is a 2950-24. Callouts: Left-click the Mode button to change the meaning of the port LEDs. LEDs display the current port mode and the status of the switch and connected RPS. Right-click a port to display the port pop-up menu, and select an option to view or change port-related settings. Press Ctrl, and then left-click ports to select multiple ports. The color of the port LED reflects port or link status.]
Figure 3-5 Front Panel View from a 2950 non-LRE Standalone Switch
[Figure image not reproduced; the switch shown is a 2950-24, with the same callouts as Figure 3-4.]
Cluster Tree
The cluster tree (see Figure 3-2 for LRE switches and Figure 3-3 for non-LRE switches) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (see Figure 3-6) mirrors the sequence of the Front-Panel images. You can change the sequence by selecting View > Arrange Front Panel. The colors of the devices in the cluster tree show the status of the devices (see Table 3-1).
If you want to configure switch or cluster settings on one or more switches, select the appropriate
Front-Panel image.
•
To select a front-panel image, click either the cluster-tree icon or the corresponding front-panel
image. The front-panel image is then highlighted with a yellow outline.
•
To select multiple front-panel images, press the Ctrl key, and left-click the cluster-tree icons or the
front-panel images. To deselect an icon or image, press the Ctrl key, and left-click the icon or image.
If the cluster has many switches, you might need to scroll down the window to display the rest of the
front-panel images. Instead of scrolling, you can click an icon in the cluster tree, and CMS then scrolls
and displays the corresponding front-panel image.
Figure 3-6 Cluster-Tree Icons
Table 3-1 Cluster Tree Icon Colors
Color    Device Status
Green    Switch is operating normally.
Yellow   The internal fan of the switch is not operating, or the switch is receiving power from an RPS.
Red      Switch is not powered up, has lost power, or the command switch is unable to communicate with the member switch.
Front-Panel Images
You can manage the switch from a remote station by using the front-panel images. The front-panel
images are updated based on the network polling interval that you set from CMS > Preferences.
This section includes descriptions of the LED images. Similar descriptions of the switch LEDs are
provided in the switch hardware installation guide.
Note
The Preferences window is not available if your switch access level is read-only. For more information
about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Figure 3-7 shows the port icons as they appear in the Front Panel. To select a port, click the port on the
Front Panel. The port is then highlighted with a yellow outline. To select multiple ports, you can:
• Press the left mouse button, drag the pointer over the group of ports that you want to select, and then release the mouse button.
• Press the Ctrl key, and click the ports that you want to select.
• Right-click a port, and select Select All Ports from the port popup menu.
Figure 3-7 Port Icons
Table 3-2 describes the colors representing the wavelengths on the CWDM GBIC modules. For port
status LED information, see the “Port Modes and LEDs” section on page 3-8.
Table 3-2 Port Icon Colors for the CWDM GBIC Module Ports
Wavelength             Color
1470 nanometers (nm)   Gray
1490 nm                Violet
1510 nm                Blue
1530 nm                Green
1550 nm                Yellow
1570 nm                Orange
1590 nm                Red
1610 nm                Brown
Redundant Power System LED
The Redundant Power System (RPS) LED shows the RPS status (see Table 3-3). Certain switches in the
switch cluster use a specific RPS model:
• Cisco RPS 300 (model PWR300-AC-RPS-N1): Catalyst 2900 LRE XL, Catalyst 2950, Catalyst 3524-PWR XL, and Catalyst 3550 switches
• Cisco RPS 600 (model PWR600-AC-RPS): Catalyst 2900 XL and Catalyst 3500 XL switches, except the Catalyst 2900 LRE XL and Catalyst 3524-PWR XL switches
Refer to the appropriate switch hardware documentation for RPS descriptions specific for the switch.
Table 3-3 RPS LED
Color            RPS Status
Black (off)      RPS is off or is not installed.
Green            RPS is connected and operational.
Blinking green   RPS is providing power to another switch in the stack.
Amber            RPS is connected but not functioning. The RPS could be in standby mode. To put the RPS in Active mode, press the Standby/Active button on the RPS, and the LED should turn green. If it does not, one of these conditions could exist:
                 • One of the RPS power supplies could be down. Contact Cisco Systems.
                 • The RPS fan could have failed. Contact Cisco Systems.
Blinking amber   Internal power supply of the switch is down, and redundancy is lost. The switch is operating on the RPS.
Port Modes and LEDs
The port modes (see Table 3-4) determine the type of information displayed through the port LEDs.
When you change port modes, the meanings of the port LED colors (see Table 3-5) also change.
Note
The bandwidth utilization mode (UTIL LED) does not appear on the front-panel images. Select
Reports > Bandwidth Graphs to display the total bandwidth in use by the switch. Refer to the switch
hardware installation guide for information about using the UTIL LED.
To select or change a mode, click the Mode button until the desired mode LED is green.
Table 3-4 Port Modes
Mode LED   Description
STAT       Link status of the ports or the Ethernet link status on the remote customer premises equipment (CPE) device. This is the default mode except for the Catalyst 2950 LRE switches.
DUPLX      Duplex setting on the ports. The default setting on the 10/100 ports is auto. The default setting on the 10/100/1000 ports is full.
SPEED      Speed setting on the ports. The default setting on the 10/100 and 10/100/1000 ports is auto.
Table 3-5 Port LEDs
Port Mode   Port LED Color   Description
STAT        Cyan (off)       No link.
            Green            Link present.
            Amber            Link fault. Error frames can affect connectivity, and errors such as excessive collisions, CRC errors, and alignment and jabber errors are monitored for a link-fault indication.
                             Port is not forwarding. Port was disabled by management, by an address violation, or by Spanning Tree Protocol (STP).
                             Note: After a port is reconfigured, the port LED can remain amber for up to 30 seconds as STP checks the switch for possible loops.
            Brown            No link and port is administratively shut down.
DUPLX       Cyan (off)       Port is operating in half-duplex mode.
            Green            Port is operating in full-duplex mode.
SPEED       Cyan (off)       Port is operating at 10 Mbps (10/100 ports) or no link (10/100/1000 ports and GBIC module ports).
            Green            Port is operating at 100 Mbps (10/100 ports) or 1000 Mbps (GBIC module ports).
            Blinking green   Port is operating at 1000 Mbps (10/100/1000 ports).
VLAN Membership Modes
Ports in the Front Panel view are outlined by colors (see Table 3-6) when you click Highlight VLAN
Port Membership Modes on the Configure VLANs tab on the VLAN window
(VLAN > VLAN > Configure VLANs). The colors show the VLAN membership mode of each port.
The VLAN membership mode determines the kind of traffic the port carries and the number of VLANs
it can belong to. For more information about these modes, see the “VLAN Port Membership Modes”
section on page 14-3.
Note
This feature is not supported on the Catalyst 1900 and Catalyst 2820 switches.
Table 3-6 VLAN Membership Modes
Mode             Color
Static access    Light green
Dynamic access   Pink
802.1Q trunk     Peach
Negotiate trunk  White
Topology View
The Topology view displays how the devices within a switch cluster are connected and how the switch
cluster is connected to other clusters and devices. From this view, you can add and remove cluster
members. This view provides two levels of detail of the network topology:
• When you right-click a cluster icon and select Expand Cluster, the Topology view displays the switch cluster in detail. This view shows the command switch and member switches in a cluster. It also shows candidate switches that can join the cluster. This view does not display the details of any neighboring switch clusters. (See Figure 3-8).
• When you right-click a command-switch icon and select Collapse Cluster, the cluster is collapsed and represented by a single icon. The view shows how the cluster is connected to other clusters, candidate switches, and devices that are not eligible to join the cluster (such as routers, access points, IP phones, and so on). (See Figure 3-9).
Note
The Topology view displays only the switch cluster and network neighborhood of the specific command
or member switch that you access. To display a different switch cluster, you need to access the command
switch or member switch of that cluster.
You can arrange the device icons in this view. To move a device icon, click and drag the icon. To select
multiple device icons, you can either:
• Press the left mouse button, drag the pointer over the group of device icons that you want to select, and then release the mouse button.
• Press the Ctrl key, and click the device icons that you want to select.
After selecting the icons, drag the icons to any area in the view.
Figure 3-8 Expand Cluster View
Figure callouts: Cluster members of cluster1 and other devices connected to cluster1. Right-click a device icon to display a device popup menu. Right-click a link icon to display a link popup menu.
Figure 3-9 Collapse Cluster View
Figure callouts: cluster1. Neighboring cluster connected to cluster1. Devices connected to cluster1 that are not eligible to join the cluster.
Topology Icons
The Topology view and the cluster tree use the same set of device icons to represent clusters, command
and standby command switches, and member switches (see Figure 3-10). The Topology view also uses
additional icons to represent these types of neighboring devices:
• Customer premises equipment (CPE) devices that are connected to Long-Reach Ethernet (LRE) switches
• Devices that are not eligible to join the cluster, such as Cisco IP phones, Cisco access points, and Cisco Discovery Protocol (CDP)-capable hubs and routers
• Devices that are identified as unknown devices, such as some Cisco devices and third-party devices
Note
The System Switch Processor (SSP) card in the Cisco Integrated Communications System (ICS) 7750 appears as a Layer 2 switch. SSP cards are not eligible to join switch clusters.
Tip
Neighboring devices are only displayed if they are connected to cluster members. To display
neighboring devices in the Topology view, either add the switch to which they are connected to a cluster,
or enable that switch as a command switch.
Note
Candidate switches are distinguished by the color of their device label. Device labels and their colors
are described in the “Colors in the Topology View” section on page 3-14.
To select a device, click the icon. The icon is then highlighted. To select multiple devices, you can either:
• Press the left mouse button, drag the pointer over the group of icons that you want to select, and then release the mouse button.
• Press the Ctrl key, and click the icons that you want to select.
Figure 3-10 Topology-View Device Icons
The Topology view also uses a set of link icons (see Figure 3-11) to show the link type and status
between two devices. To select a link, click the link that you want to select. To select multiple links,
press the Ctrl key, and click the links that you want to select.
Figure 3-11 Topology-View Link Icons
Device and Link Labels
The Topology view displays device and link information by using these labels:
• Cluster and switch names
• Switch MAC and IP addresses
• Link type between the devices
• Link speed and IDs of the interfaces on both ends of the link
When using these labels, keep these considerations in mind:
• The IP address displays only in the labels for the command switch and member switches.
• The label of a neighboring cluster icon displays only the IP address of that cluster's command switch.
• The displayed link speeds are the actual link speeds except on the LRE links, which display the administratively assigned speed settings.
You can change the label settings from the Topology Options window, which is displayed by selecting
View > Topology Options.
Colors in the Topology View
The colors of the Topology view icons show the status of the devices and links (see Table 3-7, Table 3-8,
and Table 3-9).
Table 3-7 Device Icon Colors
(Numbers in parentheses refer to the footnote below the table.)
Icon Color   Color Meaning
Green        The device is operating.
Yellow (1)   The internal fan of the switch is not operating, or the switch is receiving power from an RPS.
Red (1)      The device is not operating.
1. Available only on the cluster members.
Table 3-8 Single Link Icon Colors
Link Color   Color Meaning
Green        Active link
Red          Down or blocked link
Table 3-9 Multiple Link Icon Colors
Link Color           Color Meaning
Both green           All links are active.
One green; one red   At least one link is active, and at least one other link is down or blocked.
Both red             All links are down or blocked.
The color of a device label shows the cluster membership of the device (see Table 3-10).
Table 3-10 Device Label Colors
Label Color   Color Meaning
Green         A cluster member, either a member switch or the command switch
Cyan          A candidate switch that is eligible to join the cluster
Yellow        An unknown device or a device that is not eligible to join the cluster
Topology Display Options
You can set the type of information displayed in the Topology view by changing the settings in the
Topology Options window. To display this window, select View > Topology Options. From this
window, you can select:
• Device icons (including IP Phones, CPE devices, Neighbors, Access Points, and Candidates) that you want displayed in or filtered from the Topology View window
• Interface IDs and Actual Speed values that you want displayed in the Link window
• Host Names, IP addresses, and MAC address labels that you want displayed in the Node window
Menus and Toolbar
The configuration and monitoring options for configuring switches and switch clusters are available
from menus and a toolbar.
Menu Bar
The menu bar provides the complete list of options for managing a single switch and switch cluster.
Options displayed from the menu bar can vary:
• Access modes affect the availability of features from CMS. The footnotes in Table 3-11 describe the availability of an option based on your access mode in CMS: read-only (access level 1–14) and read-write (access level 15). For more information about how access modes affect CMS, see the “Access Modes in CMS” section on page 3-31.
• The option for enabling a command switch is only available from a CMS session launched from a command-capable switch.
• Cluster management tasks, such as upgrading the software of groups of switches, are available only from a CMS session launched from a command switch.
• If you launch CMS from a specific switch, the menu bar displays the features supported only by that switch.
• If you launch CMS from a command switch, the menu bar displays the features supported on the switches in the cluster, with these exceptions:
  – If the command switch is a Layer 3 switch, such as a Catalyst 3550 switch, the menu bar displays the features of all Layer 3 and Layer 2 switches in the cluster.
  – If the command switch is a Layer 2 switch, such as a Catalyst 2950 or Catalyst 3500 XL switch, the menu bar displays the features of all Layer 2 switches in the cluster. The menu bar does not display Layer 3 features even if the cluster has Catalyst 3550 Layer 3 member switches.
Note
The menu-bar options on a Catalyst 2950 switch change depending on whether the switch is running the
enhanced software image (EI) or the standard image (SI). The footnotes in Table 3-11 list the options
available if the switch is running the EI. The Catalyst 2950 LRE switch has only one software image
available, and it contains both standard and enhanced functionality.
Note
• We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch:
  – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch.
  – If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
  – If your switch cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, and Catalyst 3500 XL switches, either the Catalyst 2900 XL or Catalyst 3500 XL should be the command switch.
• Standby command switches must meet these requirements:
  – When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
  – When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
  – When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(6)EA2 or later.
  – When the command switch is running Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
  We strongly recommend that the command switch and standby command switches are of the same switch platform and that both are running the same level of software (SI or EI). In the event of a failover, the standby command switch must support the same configuration and services that are running on the command switch.
  – If you have a Catalyst 3550 command switch, the standby command switches should be Catalyst 3550 switches.
  – If you have a Catalyst 2950 command switch, the standby command switches should be Catalyst 2950 switches.
  – If you have a Catalyst 2900 XL or Catalyst 3500 XL command switch, the standby command switches should be Catalyst 2900 XL and Catalyst 3500 XL switches.
Refer to the release notes for the Catalyst switches that can be part of a switch cluster.
Note
Unless noted otherwise, Table 3-11 lists the menu-bar options available from a Catalyst 2950 command
switch when the cluster contains only Catalyst 2950 member switches. The menu bar of the command
switch displays all menu-bar options available from the cluster, including options from member switches
from other cluster-capable switch platforms.
Table 3-11 Menu Bar
(Numbers in parentheses refer to the footnotes at the end of the table.)
Menu-Bar Options                   Task
CMS
  Page Setup                       Set default document printer properties to be used when printing from CMS.
  Print Preview                    View the way the CMS window or help file will appear when printed.
  Print                            Print a CMS window or help file.
  Guide Mode/Expert Mode (1)       Select which interaction mode to use when you select a configuration option.
  Preferences (2)                  Set CMS display properties, such as polling intervals, the default views to open at startup, and the color of administratively shutdown ports.
Administration
  IP Addresses (2)                 Configure IP information for a switch.
  SNMP (2)                         Enable and disable Simple Network Management Protocol (SNMP), enter community strings, and configure end stations as trap managers.
  System Time (2)                  Configure the system time or configure the Network Time Protocol (NTP).
  HTTP Port (2)                    Configure the Hypertext Transfer Protocol (HTTP) port number.
  Users and Passwords              Configure usernames and passwords for privilege levels 0 to 15.
  Console Baud Rate (2)            Change the baud rate for the switch console port.
  MAC Addresses (2)                Enter dynamic, secure, and static addresses in a switch address table. You can also define the forwarding behavior of static addresses.
  ARP (2)                          Display the device Address Resolution Protocol (ARP) table, and configure the ARP cache timeout setting.
  Save Configuration (1)           Save the configuration for the cluster or switch to Flash memory.
  Restore Configuration            Restore the configuration file to one or more switches in the cluster.
  Software Upgrade (1)             Upgrade the software for the cluster or a switch.
  LRE Software Upgrade             Upgrade the binary on the switch.
  System Reload (1)                Reboot the switch with the latest installed software.
  Event Notification               Create notification IDs that generate e-mail notifications when system events occur.
Cluster
  Cluster Manager (3)              Launch a CMS session from the member switch.
  Create Cluster (1)(4)            Designate a command switch, and name a cluster.
  Delete Cluster (1)(5)            Delete a cluster.
  Add to Cluster (1)(5)            Add a candidate to a cluster.
  Remove from Cluster (1)(5)       Remove a member from the cluster.
  Standby Command Switches (2)(5)  Create a Hot Standby Router Protocol (HSRP) standby group to provide command-switch redundancy.
  Hop Count (2)(5)                 Enter the number of hops away that a command switch looks for members and for candidate switches.
Device
  Device Manager (5)               Launch Device Manager for a specific switch.
  Host Name (1)                    Change the host name of a switch.
Table 3-11 Menu Bar (continued)
Menu-Bar Options                   Task
Device (continued)
  STP (2)                          Display and configure STP parameters for a switch.
  IGMP Snooping (2)                Enable and disable Internet Group Management Protocol (IGMP) snooping and IGMP Immediate-Leave processing on the switch. Join or leave multicast groups, and configure multicast routers.
  802.1X (1)                       Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
  ACL (2) (guide mode available (1))   Create and maintain access control lists (ACLs), and attach ACLs to specific ports.
  Security Wizard (1)              Filter certain traffic, such as HTTP traffic, to certain networks or devices. Restrict access to servers, networks, or application data from certain networks or devices.
  QoS (2) (guide mode available on some options (1))   Display submenu options to enable and disable quality of service (QoS) and to configure or modify these parameters:
                                   • Trust settings (2)
                                   • Queues (2)
                                   • Maps (2)
                                   • Classes (2) (guide mode available (1))
                                   • Policies (2) (guide mode available (1))
  AVVID Wizards (1)
                                   • Voice Wizard (1): Configure a port to send or receive voice traffic.
                                   • Video Wizard (1): Optimize multiple video servers for sending video traffic.
                                   • Data Wizard (1): Provide a higher priority to specific applications.
  LRE Profiles                     Set profiles for a switch.
  LRE Rate Selection               Set rate selection parameters for automatically assigning profiles, setting signal-to-noise (SNR) margins, locking profiles, and qualifying links.
Port
  Port Settings (2)                Display and configure port parameters on a switch.
  Port Search                      Search for a port through its description.
  Port Security (1)                Enable port security on a port.
  EtherChannels (2)                Group ports into logical units for high-speed links between switches.
  SPAN (2)                         Enable Switch Port Analyzer (SPAN) port monitoring.
  Protected Port (2)               Configure a port to prevent it from receiving bridged traffic from another port on the same switch.
  Flooding Control (2)             Block the normal flooding of unicast and multicast packets, and enable the switch to block packet storms.
VLAN
  VLAN (2) (guide mode available (1))   Display VLAN membership, assign ports to VLANs, and configure 802.1Q trunks. Display and configure the VLAN Trunking Protocol (VTP) for interswitch VLAN membership.
  Management VLAN (2)              Change the management VLAN on the switch.
  VMPS (2)                         Configure the VLAN Membership Policy Server (VMPS).
Table 3-11 Menu Bar (continued)
Menu-Bar Options                   Task
VLAN (continued)
  Voice VLAN (2)                   Configure a port to use a voice VLAN for voice traffic, separating it from the VLANs for data traffic.
Reports
  Inventory                        Display the device type, software version, IP address, and other information about a switch.
  Port Statistics                  Display port statistics.
  Bandwidth Graphs                 Display graphs that plot the total bandwidth in use by the switch.
  Link Graphs                      Display a graph showing the bandwidth being used for the selected link.
  Link Reports                     Display the link report for two connected devices. If one device is an unknown device or a candidate, only the cluster-member side of the link displays.
  ACL Reports                      Display a report about ACL statistics.
  Multicast                        Display reports about multicast or IGMP statistics.
  Resource Monitor                 Display masks for ACL and QoS policy maps.
  System Messages                  Display the most recent system messages (IOS messages and switch-specific messages) sent by the switch software. This option is available on the Catalyst 2950 or Catalyst 3550 switches. It is not available from the Catalyst 2900 XL and Catalyst 3500 XL switches. You can display the system messages of the Catalyst 2900 XL and Catalyst 3500 XL switches when they are in a cluster where the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later or a Catalyst 3550 switch running Release 12.1(8)EA1 or later. For more information about system messages, refer to the switch system message guide.
Tools
  Ping and Trace                   Perform a ping, Layer 2 traceroute, or Layer 3 traceroute operation on or to a specific address.
                                   Note: If you perform a Layer 3 traceroute operation, information about Layer 2 devices in the path is not displayed.
View
  Refresh                          Update the views with the latest status.
  Front Panel                      Display the Front Panel view.
  Arrange Front Panel (1)(5)       Rearrange the order in which switches appear in the Front Panel view.
  Topology (5)                     Display the Topology view.
  Topology Options (5)             Select the information to be displayed in the Topology view.
  Automatic Topology Layout (1)(5) Request CMS to rearrange the topology layout.
  Save Topology Layout (5)         Save the presentation of the cluster icons that you arranged in the Topology view to Flash memory.
Window                             List the open windows in your CMS session.
Help
  Overview                         Obtain an overview of the CMS interface.
  What’s New                       Obtain a description of the new CMS features.
  Help For Active Window           Display the help for the active open window. This is the same as clicking Help from the active window.
  Contents                         List all of the available online help topics.
  Legend                           Display the legend that describes the icons, labels, and links.
  About                            Display the CMS version number.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
2. Some options from this menu option are not available in read-only mode.
3. Available only from a Device Manager session on a cluster member.
4. Available only from a Device Manager session on a command-capable switch that is not a cluster member.
5. Available only from a cluster management session.
Toolbar
The toolbar buttons display commonly used switch and cluster configuration options and information
windows such as legends and online help. Hover the cursor over an icon to display the feature.
Table 3-12 describes the toolbar options, from left to right on the toolbar.
Table 3-12 Toolbar Buttons
(Numbers in parentheses refer to the footnotes below the table.)
Toolbar Option               Keyboard Shortcut   Task
Print                        Ctrl-P              Print a CMS window or help file.
Preferences (1)              Ctrl-R              Set CMS display properties, such as polling intervals, the views to open at CMS startup, and the color of administratively shutdown ports.
Save Configuration (2)       Ctrl-S              Save the configuration for the cluster or switch to Flash memory.
Software Upgrade (2)         Ctrl-U              Upgrade the software for the cluster or a switch.
Port Settings (1)            –                   Display and configure port parameters on a switch.
VLAN (1)                     –                   Display VLAN membership, assign ports to VLANs, and configure 802.1Q trunks.
Inventory                    –                   Display the device type, the software version, the IP address, and other information about a switch.
Refresh                      –                   Update the views with the latest status.
Front Panel                  –                   Display the Front Panel view.
Topology (3)                 –                   Display the Topology view.
Topology Options (3)         –                   Select the information to be displayed in the Topology view.
Save Topology Layout (2)(3)  –                   Save the presentation of the cluster icons that you arranged in the Topology view to Flash memory.
Legend                       –                   Display the legend that describes the icons, labels, and links.
Help For Active Window       F1 key              Display the help for the active open window. This is the same as clicking Help from the active window.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
2. Some options from this menu option are not available in read-only mode.
3. Available only from a cluster-management session.
Front Panel View Popup Menus
These popup menus are available in the Front Panel view.
Device Popup Menu
You can display all switch and cluster configuration windows from the menu bar, or you can display
commonly used configuration windows from the device popup menu (see Table 3-13). To display the
device popup menu, click the switch icon from the cluster tree or the front-panel image itself, and
right-click.
Table 3-13 Device Popup Menu
(Numbers in parentheses refer to the footnotes below the table.)
Popup Menu Option           Task
Device Manager (1)          Launch Device Manager for the switch.
Host Name (2)               Change the name of the switch.
Delete Cluster (2)(3)(4)    Delete a cluster.
Remove from Cluster (2)(4)  Remove a member from the cluster.
Bandwidth Graphs            Display graphs that plot the total bandwidth in use.
Properties                  Display information about the device and port on either end of the link and the state of the link.
1. Available from a cluster member switch but not from the command switch.
2. Not available in read-only mode. For more information about the read-only mode, see the “Access Modes in CMS” section on page 3-31.
3. Available only from the command switch.
4. Available only from a cluster-management session.
Port Popup Menu
You can display all port configuration windows from the Port menu on the menu bar, or you can display
commonly used port configuration windows from the port popup menu (see Table 3-14). To display the
port popup menu, click a specific port image, and right-click.
Table 3-14 Port Popup Menu
(Numbers in parentheses refer to the footnotes below the table.)
Popup Menu Option     Task
Port Settings (1)     Display and configure port settings.
VLAN (1)              Define the VLAN mode for a port or ports and add ports to VLANs. Not available for the Catalyst 1900 and Catalyst 2820 switches.
Port Security (1)(2)  Enable port security on a port.
Link Graphs (3)       Display a graph showing the bandwidth used by the selected link.
Select All Ports      Select all ports on the switch for global configuration.
1. Some options from this menu option are not available in read-only mode.
2. Available on switches that support the Port Security feature.
3. Available only when there is an active link on the port (that is, the port LED is green when in port status mode).
Topology View Popup Menus
These popup menus are available in the Topology view.
Link Popup Menu
You can display reports and graphs for a specific link displayed in the Topology view (see Table 3-15).
To display the link popup menu, click the link icon, and right-click.
Table 3-15 Link Popup Menu
Popup Menu Option   Task
Link Report         Display the link report for two connected devices. If one device is an unknown device or a candidate, only the cluster member side of the link displays.
Link Graph          Display a graph showing the current bandwidth used by the selected link. You can change the graph polling interval by selecting CMS > Preferences.
Properties          Display information about the device and port on either end of the link and the state of the link.
The Link Report and Link Graph options are not available if the devices at both ends of the link are:
• Candidate switches
• Catalyst 1900 and Catalyst 2820 switches
• Devices that are not eligible to join the cluster
If multiple links are configured between two devices, when you click the link icon and right-click, the
Multilink Content window appears (see Figure 3-12). Click the link icon in this window, and right-click
to display the link popup menu specific for that link.
Figure 3-12 Multilink Decomposer Window
Device Popup Menus
Specific devices in the Topology view display a specific popup menu:
•
Cluster (see Table 3-16)
•
Command switch (see Table 3-17)
•
Member or standby command switch (see Table 3-18)
•
Candidate switch with an IP address (see Table 3-19)
•
Candidate switch without an IP address (see Table 3-20)
•
Neighboring devices (see Table 3-21)
Note
The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL
and Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on
Catalyst 2950 switches running Release 12.1(6)EA2 and later and on Catalyst 3550 switches running
Release 12.1(8)EA1 or later. It is not available on the Catalyst 1900 and Catalyst 2820 switches.
To display a device popup menu, click an icon, and right-click.
Table 3-16 Device Popup Menu of a Cluster Icon
Popup Menu Option | Task
Expand cluster | View a cluster-specific topology view.
Properties | Display information about the device.
Table 3-17 Device Popup Menu of a Command-Switch Icon
Popup Menu Option | Task
Collapse cluster | View the neighborhood outside a specific cluster.
Host Name (1) | Change the host name of a switch.
Bandwidth Graphs | Display graphs that plot the total bandwidth in use by the switch.
Properties | Display information about the device.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
Table 3-18 Device Popup Menu of a Member or Standby Command-Switch Icon
Popup Menu Option | Task
Remove from Cluster (1) | Remove a member from the cluster.
Host Name (1) | Change the host name of a switch.
Device Manager (2) | Launch Device Manager for a switch.
Bandwidth Graphs | Display graphs that plot the total bandwidth in use by the switch.
Properties | Display information about the device.
1. Available only from a cluster-management session.
2. Available from a cluster member switch but not from the command switch.
Table 3-19 Device Popup Menu of a Candidate-Switch Icon (When the Candidate Switch Has an IP Address)
Popup Menu Option | Task
Add to Cluster (1) | Add a candidate to a cluster.
Device Manager (2) | Launch Device Manager for a switch.
Properties | Display information about the device.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
2. Available from a cluster member switch but not from the command switch.
Table 3-20 Device Popup Menu of a Candidate-Switch Icon (When the Candidate Switch Does Not Have an IP Address)
Popup Menu Option | Task
Add to Cluster (1) | Add a candidate to a cluster.
Properties | Display information about the device.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
Table 3-21 Device Popup Menu of a Neighboring-Device Icon
Popup Menu Option | Task
Device Manager (1) | Access the web management interface of the device.
Note
This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers and on unknown devices such as some Cisco devices and third-party devices.
Disqualification Code | Display the reason why the device could not join the cluster.
Properties | Display information about the device.
1. Available from a cluster member switch but not from the command switch.
Interaction Modes
You can change the interaction mode of CMS to either guide or expert mode. Guide mode steps you
through each feature option and provides information about the parameter. Expert mode displays a
configuration window in which you configure the feature options.
Guide Mode
Note
Guide mode is not available if your switch access level is read-only. For more information about the
read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Guide mode is for users who want a step-by-step approach for completing a specific configuration task.
This mode is not available for all features. A menu-bar option that has a person icon means that guide
mode is available for that option.
When you click Guide Mode and then select a menu-bar option that supports guide mode, CMS displays
a specific parameter of the feature with information about the parameter field. To configure the feature,
you provide the information that CMS requests in each step until you click Finish in the last step.
Clicking Cancel at any time closes and ends the configuration task without applying any changes.
If Expert Mode is selected and you want to use guide mode, you must click Guide Mode before
selecting an option from the menu bar, tool bar, or popup menu. If you change the interaction mode after
selecting a configuration option, the mode change does not take effect until you select another
configuration option.
Expert Mode
Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS
window. Information about the parameter fields is available by clicking the Help button.
Wizards
Note
Wizards are not available if your switch access level is read-only. For more information about the
read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Wizards simplify some configuration tasks on the switch. Similar to the guide mode, wizards provide a
step-by-step approach for completing a specific configuration task. Unlike guide mode, a wizard does
not prompt you to provide information for all of the feature options. Instead, it prompts you to provide
minimal information and then uses the default settings of the remaining options to set up default
configurations.
Wizards are not available for all features. A menu-bar option that has wizard means that selecting that
option launches the wizard for that feature.
Tool Tips
CMS displays a popup message when you move your mouse over these devices:
•
A yellow device icon in the cluster tree or in Topology view—A popup displays a fault message,
such as that the RPS is faulty or that the switch is unavailable because you are in read-only mode.
•
A red device icon in the cluster tree or in Topology view—A popup displays a message that the
switch is down.
If you move your mouse over a table column heading, a popup displays the full heading.
Online Help
CMS provides comprehensive online help to assist you in understanding and performing configuration
and monitoring tasks from the CMS windows (see Figure 3-13 and Figure 3-14).
•
Feature help, available from the menu bar by selecting Help > Contents, provides background
information and concepts on the features.
•
Dialog-specific help, available from Help on the CMS windows, provides procedures for
performing tasks.
•
Index of help topics.
•
Glossary of terms used in the online help.
You can send us feedback about the information provided in the online help. Click Feedback to display
an online form. After completing the form, click Submit to send your comments to Cisco. We appreciate
and value your comments.
Figure 3-13 Help Contents and Index
Figure 3-14 Help Contents and Index
Callouts in Figures 3-13 and 3-14:
• Feature help, such as concepts.
• Information about the CMS interface.
• Supplemental help information.
• Glossary of terms used in the online help.
• Legend of icons and color codes.
• Enter the first letters of the topic, and click Find to search the index.
• Click Back and Forward to redisplay previously displayed pages. Click Feedback to send us your comments about the online help.
CMS Window Components
CMS windows consistently present configuration information. Figure 3-15 shows the components of a
typical CMS window.
Figure 3-15 CMS Window Components
Callouts in Figure 3-15:
• OK saves your changes and closes the window.
• Apply saves your changes and leaves the window open.
• Refresh refreshes the window to display the latest information.
• Cancel closes the window without saving the changes.
• Help displays help for the window and the menu of Help topics.
• Modify displays a secondary window from which you can change settings.
• Click a tab to display more information.
• Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select noncontiguous rows.
• Select a cluster member from the Host Name list to display its settings.
Host Name List
To display or change the configuration of a cluster member, you need to select the specific switch from
the Host Name drop-down list. The list appears in the configuration window of each feature and lists
only the cluster members that support that feature. For example, the Host Name list on the VLAN
window does not include Catalyst 1900 and Catalyst 2820 switches even though they are part of the
cluster. Similarly, the Host Name list on the LRE Profiles window only lists the LRE switches in the
cluster.
Tabs, Lists, and Tables
Some CMS windows have tabs that present different sets of information. Tabs are arranged like folder
headings across the top of the window. Click the tab to display its information.
Listed information can often be changed by selecting an item from a list. To change the information,
select one or more items, and click Modify. Changing multiple items is limited to those items that apply
to at least one of the selections.
Some CMS windows present information in a table format. You can edit the information in these tables.
Note
You can resize the width of the columns to display the column headings, or you can hover your cursor
over the heading to display a popup description of the column.
Filter Editor
When you click Filter in a CMS window that contains a table, the Filter Editor window appears. The
column names in the table become the field names in this window. You can enter selection criteria in
these field names to filter out table rows that you do not want displayed. For procedures on using the
Filter Editor, refer to the online help.
Icons Used in Windows
Some windows have icons for sorting information in tables, for showing which cells in a table are
editable, and for displaying further information from Cisco.com (see Figure 3-16).
Figure 3-16 Window Icons
Buttons
These are the most common buttons that you use to change the information in a CMS window:
•
OK—Save any changes and close the window. If you made no changes, the window closes. If CMS
detects errors in your entry, the window remains open. For more information about error detection,
see the “Error Checking” section on page 3-32.
•
Apply—Save any changes made in the window and leave the window open. If you made no changes,
the Apply button is disabled.
•
Refresh—Update the CMS window with the latest status of the device. Unsaved changes are lost.
•
Cancel—Do not save any changes made in the window and close the window.
•
Help—Display procedures on performing tasks from the window.
•
Modify—Display the secondary window for changing information on the selected item or items.
You usually select an item from a list or table and click Modify.
Accessing CMS
This section assumes the following:
•
You know the IP address and password of the command switch or a specific switch. This information
is either:
– Assigned to the switch by following the setup program, as described in the release notes.
– Changed on the switch by following the information in the “Assigning Switch Information”
section on page 4-2 and “Preventing Unauthorized Access to Your Switch” section on page 7-1.
Considerations for assigning IP addresses and passwords to a command switch and cluster
members are described in the “IP Addresses” section on page 6-15 and the “Passwords” section
on page 6-16.
•
You know your access privilege level to the switch.
•
You have referred to the release notes for system requirements and have followed the procedures for
installing the required Java plug-ins and configuring your browser.
Caution
Copies of the CMS pages you display are saved in your browser memory cache until you exit the browser
session. A password is not required to redisplay these pages, including the Cisco Systems Access page.
You can access the CLI by clicking Monitor the router - HTML access to the command line interface
from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the
CLI, exit your browser to end the browser session.
Note
If you have configured the Terminal Access Controller Access Control System Plus (TACACS+) or
Remote Authentication Dial-In User Service (RADIUS) feature on the switch, you can still access the
switch through CMS. For information about how inconsistent authentication configurations in switch
clusters can affect access through CMS, see the “TACACS+ and RADIUS” section on page 6-17.
To access CMS, follow these steps:
Step 1
Enter the switch IP address and your privilege level in the browser Location field (Netscape
Communicator) or Address field (Microsoft Internet Explorer). For example:
http://10.1.126.45:184/level/14/
where 10.1.126.45 is the switch IP address, 184 is the HTTP port, and level/14 is the privilege level.
You do not need to enter the HTTP port if the switch is using HTTP port 80 (the default) or enter the
privilege level if you have read-write access to the switch (privilege level is 15). For information about
the HTTP port, see the “HTTP Access to CMS” section on page 3-32. For information about privilege
levels, see the “Access Modes in CMS” section on page 3-31.
Step 2
When prompted for a username and password, enter only the switch enable password. CMS prompts you
a second time for a username and password. Enter only the enable password again.
If you configure a local username and password, make sure you enable it by using the ip http
authentication global configuration command. Enter your username and password when prompted.
Step 3
Click Web Console.
If you access CMS from a standalone or member switch, Device Manager appears. If you access CMS
from a command switch, you can display the Front Panel and Topology views.
Access Modes in CMS
CMS provides two levels of access to the configuration options: read-write access and read-only access.
Privilege levels 0 to 15 are supported.
•
Privilege level 15 provides you with read-write access to CMS.
•
Privilege levels 1 to 14 provide you with read-only access to CMS. Any options in the CMS
windows, menu bar, toolbar, and popup menus that change the switch or cluster configuration are
not shown in read-only mode.
•
Privilege level 0 denies access to CMS.
If you do not include a privilege level when you access CMS, the switch verifies if you have
privilege-level 15. If you do not, you are denied access to CMS. If you do have privilege-level 15, you
are granted read-write access. Therefore, you do not need to include the privilege level if it is 15.
Entering zero denies access to CMS. For more information about privilege levels, see the “Preventing
Unauthorized Access to Your Switch” section on page 7-1.
Note
•
If your cluster has these member switches running earlier software releases and if you have
read-only access to these member switches, some configuration windows for those switches display
incomplete information:
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Release 12.0(5)WC2 or
earlier
– Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier
– Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier
For more information about this limitation, refer to the release notes.
•
These switches do not support read-only mode on CMS:
– Catalyst 1900 and Catalyst 2820
– Catalyst 2900 XL switches with 4-MB CPU DRAM
In read-only mode, these switches appear as unavailable devices and cannot be configured from
CMS.
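As an added example (not part of this guide or of Cisco IOS), the Python below parses the URL form from Step 1, applies the port and privilege-level defaults described there, and returns the access mode the switch grants according to the rules above. Where the guide does not state the check for an explicit level of 1 to 14, the example assumes the user must hold at least the requested level; that assumption is marked in the code.

```python
from urllib.parse import urlparse
import ipaddress

READ_WRITE, READ_ONLY, DENIED = "read-write", "read-only", "denied"


def parse_cms_url(url):
    """Split a CMS URL of the form http://<ip>[:port]/[level/<n>/] into its parts.

    Returns (ip, http_port, requested_level). The port defaults to 80 and the
    level to None when the browser URL omits it, as Step 1 describes.
    """
    parts = urlparse(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://<switch-ip>[:port]/[level/N/]")
    ip = str(ipaddress.IPv4Address(parts.hostname))   # rejects malformed addresses
    port = parts.port if parts.port is not None else 80
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return ip, port, None
    if len(segments) != 2 or segments[0] != "level" or not segments[1].isdigit():
        raise ValueError("path must be empty or level/N/")
    level = int(segments[1])
    if level > 15:
        raise ValueError("privilege levels 0 to 15 are supported")
    return ip, port, level


def cms_access_mode(requested_level, user_level):
    """Access mode CMS grants: 15 is read-write, 1 to 14 read-only, 0 denied.

    Omitting the level is the same as requesting 15: the switch checks for
    privilege level 15 and denies access otherwise. For an explicit 1 to 14 the
    guide does not spell out the check; this example assumes the user must hold
    at least the requested level (an assumption, not a statement from the guide).
    """
    if not 0 <= user_level <= 15:
        raise ValueError("user privilege level must be 0 to 15")
    level = 15 if requested_level is None else requested_level
    if level == 0 or user_level < level:
        return DENIED
    return READ_WRITE if level == 15 else READ_ONLY


def cms_access_for_url(url, user_level):
    """Parse the URL the user typed, then decide the access mode for that user."""
    _ip, _port, level = parse_cms_url(url)
    return cms_access_mode(level, user_level)


if __name__ == "__main__":
    # Constructed values; 10.1.126.45:184 is the guide's own example URL.
    print(cms_access_for_url("http://10.1.126.45:184/level/14/", 15))   # read-only
    print(cms_access_for_url("http://10.1.126.45", 15))                 # read-write
```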
HTTP Access to CMS
CMS uses Hypertext Transfer Protocol (HTTP), which is an in-band form of communication with the
switch through any one of its Ethernet ports and that allows switch management from a standard web
browser. The default HTTP port is 80.
If you change the HTTP port, you must include the new port number when you enter the IP address in
the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP
port number).
Do not disable or otherwise misconfigure the port through which your management station is
communicating with the switch. You might want to write down the port number to which you are
connected. Changes to the switch IP information should be done with care.
For information about connecting to a switch port, refer to the switch hardware installation guide.
Verifying Your Changes
CMS provides notification cues to help you track and confirm the changes you make.
Change Notification
A green border around a field or table cell means that you made an unsaved change to the field or table
cell. Previous information in that field or table cell is displayed in the window status bar. When you save
the changes or if you cancel the change, the green border disappears.
Error Checking
A red border around a field means that you entered invalid data in the field. An error message also
displays in the window status bar. When you enter valid data in the field, a green border replaces the red
border until you either save or cancel the change.
If there is an error in communicating with the switch or if you make an error while performing an action,
a message notifies you about the error.
Saving Your Configuration
Note
The Save Configuration option is not available if your switch access level is read-only. For more
information about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Tip
As you make cluster configuration changes (except for changes to the Topology view and in the
Preferences window), make sure that you periodically save the configuration from the command switch.
The configuration is saved on the command and member switches.
The front-panel images and CMS windows always display the running configuration of the switch.
When you make a configuration change to a switch or switch cluster, the change becomes part of the
running configuration. The change does not automatically become part of the configuration file in Flash
memory, which is the startup configuration used each time the switch restarts. If you do not save your
changes to Flash memory, they are lost when the switch restarts.
Note
Catalyst 1900 and Catalyst 2820 switches automatically save configuration changes to Flash memory as
they occur.
To save all configuration changes, you must select Administration > Save Configuration. For CMS
procedures for saving your switch configuration, refer to the online help.
Restoring Your Configuration
After you save a switch configuration, you can restore the configuration to one or more switches for
these reasons:
•
You made an incorrect change to the current running configuration and want to reload a saved
configuration.
•
You need to reload a switch after a switch failure or power failure.
•
You want to copy the configuration of a switch to other switches.
For CMS procedures for restoring a switch configuration, refer to the online help.
CMS Preferences
When you exit from CMS, your CMS preferences are saved to your PC in a file called .cms_properties.
You can copy this file to other PCs. The file is stored in a default configuration directory, such as
C:\Documents and Settings\username. If you cannot locate the CMS preferences file, select
Start > Search > For Files or Folders..., and search for .cms_properties.
Note
In previous CMS versions, the preferences were saved in Flash memory when you exited from CMS.
Using Different Versions of CMS
When managing switch clusters through CMS, remember that clusters can have a mix of switch models
using different IOS releases and that CMS in earlier IOS releases and on different switch platforms might
look and function differently from CMS in this IOS release.
When you select Device > Device Manager for a cluster member, a new browser session is launched,
and the CMS version for that switch is displayed.
Here are examples of how CMS can differ between IOS releases and switch platforms:
•
On Catalyst switches running Release 12.0(5)WC2 or earlier or Release 12.1(6)EA1 or earlier, the
CMS versions in those software releases might appear similar but are not the same as this release.
For example, the Topology view in this release is not the same as the Topology view or Cluster View
in those earlier software releases.
•
CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster
management options are not available on these switches. This is the earliest version of CMS.
Refer to the documentation specific to the switch and its IOS release for descriptions of the CMS version
you are using.
Where to Go Next
Before configuring the switch, refer to these places for start-up information:
•
Switch release notes on Cisco.com:
– CMS software requirements
– Procedures for running the setup program
– Procedures for browser configuration
– Procedures for accessing CMS
•
Chapter 4, “Assigning the Switch IP Address and Default Gateway”
•
Chapter 7, “Administering the Switch”
The rest of this guide provides information about and CLI procedures for the software features supported
in this release. For CMS procedures and window descriptions, refer to the online help.
Chapter 4
Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP
address and default gateway information) by using a variety of automatic and manual methods.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command
reference for this release.
This chapter consists of these sections:
•
Understanding the Boot Process, page 4-1
•
Assigning Switch Information, page 4-2
•
Checking and Saving the Running Configuration, page 4-10
Understanding the Boot Process
Before you can assign switch information (IP address, subnet mask, default gateway, secret and Telnet
passwords, and so forth), you need to install and power on the switch as described in the hardware
installation guide that shipped with your switch.
The normal boot process involves the operation of the boot loader software, which performs these
activities:
•
Performs low-level CPU initialization. It initializes the CPU registers, which control where physical
memory is mapped, its quantity, its speed, and so forth.
•
Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion
of the Flash device that makes up the Flash file system.
•
Initializes the Flash file system on the system board.
•
Loads a default operating system software image into memory and boots the switch.
The boot loader provides access to the Flash file system before the operating system is loaded. Normally,
the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader
gives the operating system control of the CPU, the boot loader is not active until the next system reset
or power-on.
The boot loader also provides trap-door access into the system if the operating system has problems
serious enough that it cannot be used. The trap-door mechanism provides enough access to the system
so that if it is necessary, you can format the Flash file system, reinstall the operating system software
image by using the XMODEM Protocol, recover from a lost or forgotten password, and finally restart
the operating system. For more information, see the “Recovering from Corrupted Software” section on
page 28-6 and the “Recovering from a Lost or Forgotten Password” section on page 28-6.
Before you can assign switch information, make sure you have connected a PC or terminal to the console
port, and configured the PC or terminal-emulation software baud rate and character format to match
those of the switch console port. For more information, refer to the hardware installation guide that
shipped with your switch.
Assigning Switch Information
You can assign IP information through the switch setup program, through a Dynamic Host Configuration
Protocol (DHCP) server, or manually.
Use the switch setup program if you are a new user and want to be prompted for specific IP information.
With this program, you can also configure a host name and an enable secret password. It gives you the
option of assigning a Telnet password (to provide security during remote management) and configuring
your switch as a command or member switch of a cluster or as a standalone switch. For more information
about the setup program, refer to the release notes on Cisco.com.
Use a DHCP server for centralized control and automatic assignment of IP information once the server
is configured.
Note
If you are using DHCP, do not respond to any of the questions in the setup program until the switch
receives the dynamically-assigned IP address and reads the configuration file.
Use the manual method of configuration if you are an experienced user familiar with the switch
configuration steps; otherwise, use the setup program described earlier.
This section contains this configuration information:
•
Default Switch Information, page 4-3
•
Understanding DHCP-Based Autoconfiguration, page 4-3
•
Manually Assigning IP Information, page 4-10
Default Switch Information
Table 4-1 shows the default switch information.
Table 4-1 Default Switch Information
Feature | Default Setting
IP address and subnet mask | No IP address or subnet mask are defined.
Default gateway | No default gateway is defined.
Enable secret password | No password is defined.
Host name | The factory-assigned default host name is Switch.
Telnet password | No password is defined.
Cluster command switch functionality | Disabled.
Cluster name | No cluster name is defined.
Understanding DHCP-Based Autoconfiguration
The DHCP provides configuration information to Internet hosts and internetworking devices. This
protocol consists of two components: one for delivering configuration parameters from a DHCP server
to a device and a mechanism for allocating network addresses to devices. DHCP is built on a
client-server model, in which designated DHCP servers allocate network addresses and deliver
configuration parameters to dynamically configured devices.
During DHCP-based autoconfiguration, your switch (DHCP client) is automatically configured at
startup with IP address information and a configuration file.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch.
However, you need to configure the DHCP server for various lease options associated with IP addresses.
If you are using DHCP to relay the configuration file location on the network, you might also need to
configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server can be on the same LAN or on a different LAN than the switch. If the DHCP server
is running on a different LAN, you should configure a DHCP relay. A relay device forwards broadcast
traffic between two directly connected LANs. A router does not forward broadcast packets, but it
forwards packets based on the destination IP address in the received packet.
DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch.
DHCP Client Request Process
When you boot your switch, the switch automatically requests configuration information from a DHCP
server only if a configuration file is not present on the switch.
DHCP autoconfiguration does not occur under these conditions:
•
When a configuration file is present and the service config global configuration command is
disabled on the switch.
•
When a configuration file is present and the service config global configuration command is
enabled on the switch. In this case, the switch broadcasts TFTP requests for the configuration file.
Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP
server.
Figure 4-1 DHCP Client and Server Message Exchange
Switch A (the DHCP client) and the DHCP server exchange these messages, in this order:
1. DHCPDISCOVER (broadcast), Switch A to DHCP server
2. DHCPOFFER (unicast), DHCP server to Switch A
3. DHCPREQUEST (broadcast), Switch A to DHCP server
4. DHCPACK (unicast), DHCP server to Switch A
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP
server offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP
address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
In a DHCPREQUEST broadcast message, the client returns a formal request for the offered
configuration information to the DHCP server. The formal request is broadcast so that all other DHCP
servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP
addresses that they offered to the client.
The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK
unicast message to the client. With this message, the client and server are bound, and the client uses
configuration information received from the server. The amount of information the switch receives
depends on how you configure the DHCP server. For more information, see the “Configuring the DHCP
Server” section on page 4-5.
If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a
configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered
configuration parameters have not been assigned, that an error has occurred during the negotiation of the
parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP
server assigned the parameters to another client).
A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the
offers; however, the client usually accepts the first offer it receives. The offer from the DHCP server is
not a guarantee that the IP address is allocated to the client; however, the server usually reserves the
address until the client has had a chance to formally request the address. If the switch accepts replies
from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to
obtain the switch configuration file.
Catalyst 2950 Desktop Switch Software Configuration Guide
4-4
78-14982-01
Chapter 4
Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
Configuring the DHCP Server
You should configure the DHCP server with reserved leases that are bound to each switch by the switch
hardware address.
If you want the switch to receive IP address information, you must configure the DHCP server with these
lease options:
• IP address of the client (required)
• Subnet mask of the client (required)
• DNS server IP address (optional)
• Router IP address (default gateway address to be used by the switch) (required)
If you want the switch to receive the configuration file from a TFTP server, you must configure the
DHCP server with these lease options:
• TFTP server name (required)
• Boot filename (the name of the configuration file that the client needs) (recommended)
• Host name (optional)
Depending on the settings of the DHCP server, the switch can receive IP address information, the
configuration file, or both.
If you do not configure the DHCP server with the lease options described earlier, it replies to client
requests with only those parameters that are configured. If the IP address and subnet mask are not in the
reply, the switch is not configured. If the router IP address or TFTP server name are not found, the switch
might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease options does not
affect autoconfiguration.
The DHCP server can be on the same LAN or on a different LAN than the switch. If the DHCP server
is running on a different LAN, you should configure a DHCP relay. For more information, see the
“Configuring the Relay Device” section on page 4-6. If your DHCP server is a Cisco device, refer to the
“IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for
Release 12.1.
Configuring the TFTP Server
Based on the DHCP server configuration, the switch attempts to download one or more configuration
files from the TFTP server. If you configured the DHCP server to respond to the switch with all the
options required for IP connectivity to the TFTP server, and if you configured the DHCP server with a
TFTP server name, address, and configuration filename, the switch attempts to download the specified
configuration file from the specified TFTP server.
If you did not specify the configuration filename or the TFTP server, or if the configuration file could not
be downloaded, the switch attempts to download a configuration file by using various combinations of
filenames and TFTP server addresses. The files include the specified configuration filename (if any) and
these files: network-confg, cisconet.cfg, hostname-confg, or hostname.cfg, where hostname is the
switch’s current host name. The TFTP server addresses used include the specified TFTP server address
(if any) and the broadcast address (255.255.255.255).
For the switch to successfully download a configuration file, the TFTP server must contain one or more
configuration files in its base directory. These can include:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.cfg file (These files contain commands common to all switches.
  Normally, if the DHCP and TFTP servers are properly configured, these files are not accessed.)
If you specify the TFTP server name in the DHCP server-lease database, you must also configure the
TFTP server name-to-IP-address mapping in the DNS-server database.
If the TFTP server to be used is on a different LAN from the switch, or if it is to be accessed by the
switch through the broadcast address (which occurs if the DHCP server response does not contain all the
required information described earlier), a relay must be configured to forward the TFTP packets to the
TFTP server. For more information, see the “Configuring the Relay Device” section on page 4-6. The
preferred solution is to configure the DHCP server with all the required information.
Configuring the DNS
The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must
configure the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the
configuration files for the switch.
You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from
where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease
database.
The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the
switch must be able to access it through a router.
Configuring the Relay Device
You must configure a relay device when a switch sends broadcast packets that need to be responded to
by a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS,
and in some cases, TFTP packets. You must configure this relay device to forward received broadcast
packets on an interface to the destination host.
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and
configure helper addresses by using the ip helper-address interface configuration command.
For example, in Figure 4-2, configure the router interfaces as follows:
On interface 10.0.0.2:
router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4
On interface 20.0.0.1:
router(config-if)# ip helper-address 10.0.0.1
Figure 4-2 Relay Device Used in Autoconfiguration (Switch as DHCP client; Cisco router as relay with
interfaces on the 10.0.0.0 and 20.0.0.0 networks; DHCP server, TFTP server, and DNS server on the
20.0.0.0 side; addresses shown: 10.0.0.1, 10.0.0.2, 20.0.0.1, 20.0.0.2, 20.0.0.3, 20.0.0.4)
Obtaining Configuration Files
Depending on the availability of the IP address and the configuration filename in the DHCP reserved
lease, the switch obtains its configuration information in these ways:
• The IP address and the configuration filename are reserved for the switch and provided in the DHCP
  reply (one-file read method).
  The switch receives its IP address, subnet mask, TFTP server address, and the configuration
  filename from the DHCP server. The switch sends a unicast message to the TFTP server to retrieve
  the named configuration file from the base directory of the server, and upon receipt, completes its
  boot-up process.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server
  address is not provided in the DHCP reply (one-file read method).
  The switch receives its IP address, subnet mask, and the configuration filename from the DHCP
  server. The switch sends a broadcast message to a TFTP server to retrieve the named configuration
  file from the base directory of the server, and upon receipt, completes its boot-up process.
• Only the IP address is reserved for the switch and provided in the DHCP reply. The configuration
  filename is not provided (two-file read method).
  The switch receives its IP address, subnet mask, and the TFTP server address from the DHCP server.
  The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg
  default configuration file. (If the network-confg file cannot be read, the switch reads the cisconet.cfg
  file.)
  The default configuration file contains the host name-to-IP-address mapping for the switch. The
  switch fills its host table with the information in the file and obtains its host name. If the host name
  is not found in the file, the switch uses the host name in the DHCP reply. If the host name is not
  specified in the DHCP reply, the switch uses the default Switch as its host name.
  After obtaining its host name from the default configuration file or the DHCP reply, the switch reads
  the configuration file that has the same name as its host name (hostname-confg or hostname.cfg,
  depending on whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the
  cisconet.cfg file is read, the host name used in the filename is truncated to eight characters.
  If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the
  router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.
Note
The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies,
if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server
name cannot be resolved to an IP address.
Example Configuration
Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
Figure 4-3 DHCP-Based Autoconfiguration Network Example (Switch 1 through Switch 4 with hardware
addresses 00e0.9f1e.2001 through 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS
server 10.0.0.2; TFTP server maritsu at 10.0.0.3)
Table 4-2 shows the configuration of the reserved leases on the DHCP server.
Table 4-2 DHCP Server Configuration

                                               Switch-1             Switch-2             Switch-3             Switch-4
Binding key (hardware address)                 00e0.9f1e.2001       00e0.9f1e.2002       00e0.9f1e.2003       00e0.9f1e.2004
IP address                                     10.0.0.21            10.0.0.22            10.0.0.23            10.0.0.24
Subnet mask                                    255.255.255.0        255.255.255.0        255.255.255.0        255.255.255.0
Router address                                 10.0.0.10            10.0.0.10            10.0.0.10            10.0.0.10
DNS server address                             10.0.0.2             10.0.0.2             10.0.0.2             10.0.0.2
TFTP server name                               maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3
Boot filename (configuration file) (optional)  switch1-confg        switch2-confg        switch3-confg        switch4-confg
Host name (optional)                           switch1              switch2              switch3              switch4
DNS Server Configuration
The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file
used in the two-file read method. This file contains the host name to be assigned to the switch based on
its IP address. The base directory also contains a configuration file for each switch (switch1-confg,
switch2-confg, and so forth) as shown in this display:
prompt> cd /tftpserver/work/
prompt> ls
network-confg
switch1-confg
switch2-confg
switch3-confg
switch4-confg
prompt> cat network-confg
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host switch4 10.0.0.24
DHCP Client Configuration
No configuration file is present on Switch 1 through Switch 4.
Configuration Explanation
In Figure 4-3, Switch 1 reads its configuration file as follows:
• It obtains its IP address 10.0.0.21 from the DHCP server.
• If no configuration filename is given in the DHCP server reply, Switch 1 reads the network-confg
  file from the base directory of the TFTP server.
• It adds the contents of the network-confg file to its host table.
• It reads its host table by indexing its IP address 10.0.0.21 to its host name (switch1).
• It reads the configuration file that corresponds to its host name; for example, it reads switch1-confg
  from the TFTP server.
Switches 2 through 4 retrieve their configuration files and IP addresses in the same way.
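The one-file and two-file read methods from the “Obtaining Configuration Files” section, applied to the Switch 1 example above, as an added Python model that is not Cisco's code: it uses a constructed in-memory directory in place of /tftpserver/work/ and a simulated TFTP read, and the filename suffix used when neither network-confg nor cisconet.cfg is readable is an assumption.

```python
"""Model of the Catalyst 2950 DHCP-based autoconfiguration file lookup.

Added example, not Cisco's code: it reproduces the one-file and two-file
read methods described above against a constructed in-memory TFTP
directory (standing in for /tftpserver/work/) so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "255.255.255.255"


@dataclass
class DhcpReply:
    """Lease options the DHCP server returned to the switch (constructed)."""
    ip_address: str
    subnet_mask: str
    tftp_server: Optional[str] = None    # None: not in the reply, so TFTP is broadcast
    boot_filename: Optional[str] = None  # None: two-file read method is used
    host_name: Optional[str] = None


@dataclass
class Result:
    method: str                          # "one-file" or "two-file"
    tftp_destination: str                # unicast server address or BROADCAST
    files_read: List[str] = field(default_factory=list)
    host_name: Optional[str] = None
    config_text: Optional[str] = None


def parse_ip_host(text: str) -> Dict[str, str]:
    """Turn the 'ip host NAME ADDRESS' lines of network-confg into an
    address -> host name map (the switch's host table)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ip", "host"]:
            table[parts[3]] = parts[2]
    return table


def resolve_config(reply: DhcpReply, tftp_dir: Dict[str, str]) -> Result:
    """Choose and read the configuration file the way the switch does."""
    res = Result(method="one-file" if reply.boot_filename else "two-file",
                 tftp_destination=reply.tftp_server or BROADCAST)

    def fetch(name: str) -> Optional[str]:
        """Simulated TFTP read; None means the file could not be downloaded."""
        if name in tftp_dir:
            res.files_read.append(name)
            return tftp_dir[name]
        return None

    if reply.boot_filename:
        text = fetch(reply.boot_filename)      # one-file read: the named file
        if text is not None:
            res.config_text = text
            return res
        # Named file unavailable: fall through to the default-file search.

    # Two-file read: network-confg first, cisconet.cfg if that cannot be read.
    suffix, max_len = "-confg", None           # assumed default if neither is read
    default_text = fetch("network-confg")
    if default_text is None:
        default_text = fetch("cisconet.cfg")
        if default_text is not None:
            suffix, max_len = ".cfg", 8        # cisconet.cfg path: 8-character names

    host = None
    if default_text is not None:
        host = parse_ip_host(default_text).get(reply.ip_address)
    host = host or reply.host_name or "Switch"  # DHCP host name, else the default
    res.host_name = host
    if max_len is not None:
        host = host[:max_len]

    # Host-specific file, then the files common to all switches.
    for name in (host + suffix, "router-confg", "ciscortr.cfg"):
        text = fetch(name)
        if text is not None:
            res.config_text = text
            break
    return res


# Constructed TFTP base directory mirroring the example above.
SAMPLE_TFTP_DIR = {
    "network-confg": "ip host switch1 10.0.0.21\nip host switch2 10.0.0.22\n"
                     "ip host switch3 10.0.0.23\nip host switch4 10.0.0.24\n",
    "switch1-confg": "hostname switch1\n",
    "switch2-confg": "hostname switch2\n",
    "router-confg": "! commands common to all switches\n",
}

if __name__ == "__main__":
    reply = DhcpReply("10.0.0.21", "255.255.255.0", tftp_server="10.0.0.3")
    print(resolve_config(reply, SAMPLE_TFTP_DIR))
```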
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple
switched virtual interfaces (SVIs) or ports:
Command                                   Purpose
Step 1  configure terminal                Enter global configuration mode.
Step 2  interface vlan vlan-id            Enter interface configuration mode, and enter the VLAN to which the IP
                                          information is assigned. The range is 1 to 4094 when the enhanced
                                          software image is installed and 1 to 1001 when the standard software
                                          image is installed; do not enter leading zeros.
Step 3  ip address ip-address subnet-mask
                                          Enter the IP address and subnet mask.
Step 4  exit                              Return to global configuration mode.
Step 5  ip default-gateway ip-address     Enter the IP address of the next-hop router interface that is directly
                                          connected to the switch where a default gateway is being configured. The
                                          default gateway receives IP packets with unresolved destination IP
                                          addresses from the switch.
                                          Once the default gateway is configured, the switch has connectivity to the
                                          remote networks with which a host needs to communicate.
                                          Note: When your switch is configured to route with IP, it does not need
                                          to have a default gateway set.
Step 6  end                               Return to privileged EXEC mode.
Step 7  show running-config               Verify your entries.
Step 8  copy running-config startup-config
                                          (Optional) Save your entries in the configuration file.
To remove the switch IP address, use the no ip address interface configuration command. If you are
removing the address through a Telnet session, your connection to the switch will be lost. To remove the
default gateway address, use the no ip default-gateway global configuration command.
For information on setting the switch system name, protecting access to privileged EXEC commands,
and setting time and calendar services, see Chapter 7, “Administering the Switch.”
Checking and Saving the Running Configuration
You can check the configuration settings you entered or changes you made by entering this privileged
EXEC command:
Switch# show running-config
Building configuration...
Current configuration : 2081 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname Switch
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
ip subnet-zero
!
vlan 3020
cluster enable Test 0
cluster member 1 mac-address 0030.9439.0900
cluster member 2 mac-address 0001.425b.4d80
!
spanning-tree extend system-id
!
!
interface Port-channel1
no ip address
!
interface FastEthernet0/1
switchport mode access
switchport voice vlan 400
switchport priority extend cos 5
no ip address
spanning-tree portfast trunk
!
interface FastEthernet0/2
switchport mode access
no ip address
!
...
interface FastEthernet0/8
switchport mode access
switchport voice vlan 350
no ip address
spanning-tree portfast trunk
!
interface FastEthernet0/9
switchport mode access
no ip address
shutdown
!
interface FastEthernet0/10
switchport trunk native vlan 2
no ip address
speed 100
!
interface FastEthernet0/11
switchport voice vlan 4046
no ip address
shutdown
spanning-tree portfast trunk
!
interface FastEthernet0/12
switchport mode access
switchport voice vlan 4011
no ip address
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet0/1
no ip address
shutdown
!
interface GigabitEthernet0/2
no ip address
shutdown
!
interface Vlan1
ip address 172.20.139.133 255.255.255.224
no ip route-cache
!
ip default-gateway 172.20.139.129
ip http server
!
ip access-list extended CMP-NAT-ACL
!
snmp-server engineID local 8000000903000005742809C1
snmp-server community public RO
snmp-server community public@es0 RO
snmp-server enable traps MAC-Notification
!
line con 0
password letmein
line vty 0 4
password letmein
login
line vty 5 15
password letmein
login
!
end
To store the configuration or changes you have made to your startup configuration in Flash memory,
enter this privileged EXEC command:
Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
This command saves the configuration settings that you made. If you fail to do this, your configuration
will be lost the next time you reload the system. To display information stored in the NVRAM section
of Flash memory, use the show startup-config or more startup-config privileged EXEC command.
Chapter 5
Configuring IE2100 CNS Agents
This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking
Services (CNS) embedded agents on your switch. To use the feature described in this chapter, you must
have the enhanced software image (EI) installed on your switch.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco
Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software
Release 12.2 > New Feature Documentation > 12.2(2)T on Cisco.com.
This chapter consists of these sections:
• Understanding IE2100 Series Configuration Registrar Software, page 5-1
• Understanding CNS Embedded Agents, page 5-5
• Configuring CNS Embedded Agents, page 5-6
• Displaying CNS Configuration, page 5-13
Understanding IE2100 Series Configuration Registrar Software
The IE2100 Series Configuration Registrar is a network management device that acts as a configuration
service for automating the deployment and management of network devices and services
(see Figure 5-1). Each Configuration Registrar manages a group of Cisco IOS devices (switches and
routers) and the services that they deliver, storing their configurations and delivering them as needed.
The Configuration Registrar automates initial configurations and configuration updates by generating
device-specific configuration changes, sending them to the device, executing the configuration change,
and logging the results.
The Configuration Registrar supports standalone and server modes and has these CNS components:
• Configuration service (web server, file manager, and namespace mapping server)
• Event service (event gateway)
• Data service directory (data models and schema)
In standalone mode, the Configuration Registrar supports an embedded CNS Directory Service. In this
mode, no external directory or other data store is required. In server mode, the Configuration Registrar
supports the use of a user-defined external directory.
Figure 5-1 Configuration Registrar Architectural Overview (Configuration Registrar in the service provider
network: configuration server, event service, and data service directory, with a web-based user interface
for order entry and configuration management)
These sections contain this conceptual information:
• CNS Configuration Service, page 5-2
• CNS Event Service, page 5-3
• What You Should Know About ConfigID, DeviceID, and Host Name, page 5-3
CNS Configuration Service
The CNS Configuration Service is the core component of the Configuration Registrar. It consists of a
configuration server that works with CNS configuration agents located on the switch. The CNS
Configuration Service delivers device and service configurations to the switch for initial configuration
and mass reconfiguration by logical groups. Switches receive their initial configuration from the CNS
Configuration Service when they start up on the network for the first time.
The CNS Configuration Service uses the CNS Event Service to send and receive configuration change
events and to send success and failure notifications.
The configuration server is a web server that uses configuration templates and the device-specific
configuration information stored in the embedded (standalone mode) or remote (server mode) directory.
Configuration templates are text files containing static configuration information in the form of CLI
commands. In the templates, variables are specified using lightweight directory access protocol (LDAP)
URLs that reference the device-specific configuration information stored in a directory.
The configuration agent can perform a syntax check on received configuration files and publish events
to indicate the success or failure of the syntax check. The configuration agent can either apply
configurations immediately or delay the application until receipt of a synchronization event from the
configuration server.
CNS Event Service
The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration
events. The CNS event agent resides on the switch and facilitates the communication between the switch
and the event gateway on the Configuration Registrar.
The CNS Event Service is a highly scalable publish-and-subscribe communication method. The CNS
Event Service uses subject-based addressing to send messages to their destinations. Subject-based
addressing conventions define a simple, uniform namespace for messages and their destinations.
NameSpace Mapper
The Configuration Registrar includes the NameSpace Mapper (NSM) that provides a lookup service for
managing logical groups of devices based on application, device ID or group ID, and event.
Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS
software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate
events by using any desired naming convention. When you have populated your data store with your
subject names, NSM resolves your event subject-name strings to those known by IOS.
For a subscriber, when given a unique device ID and event, the namespace mapping service returns a set
of events to which to subscribe. Similarly, for a publisher, when given a unique group ID, device ID, and
event, the mapping service returns a set of events on which to publish.
What You Should Know About ConfigID, DeviceID, and Host Name
The Configuration Registrar assumes that a unique identifier is associated with each configured switch.
This unique identifier can take on multiple synonyms, where each synonym is unique within a particular
namespace. The event service uses namespace content for subject-based addressing of messages.
The Configuration Registrar intersects two namespaces, one for the event bus and the other for the
configuration server. Within the scope of the configuration server namespace, the term configID is the
unique identifier for a device. Within the scope of the event bus namespace, the term deviceID is the
CNS unique identifier for a device.
Because the Configuration Registrar uses both the event bus and the configuration server to provide
configurations to devices, you must define both configID and deviceID for each configured switch.
Within the scope of a single instance of the configuration server, no two configured switches can share
the same value for configID. Within the scope of a single instance of the event bus, no two configured
switches can share the same value for deviceID.
ConfigID
Each configured switch has a unique configID, which serves as the key into the Configuration Registrar
directory for the corresponding set of switch CLI attributes. The configID defined on the switch must
match the configID for the corresponding switch definition on the Configuration Registrar.
The configID is fixed at boot time and cannot be changed until reboot, even when the switch host name
is reconfigured.
DeviceID
Each configured switch participating on the event bus has a unique deviceID, which is analogous to the
switch source address so that the switch can be targeted as a specific destination on the bus. All switches
configured with the cns config partial global configuration command must access the event bus.
Therefore, the deviceID, as originated on the switch, must match the deviceID of the corresponding
switch definition in the Configuration Registrar.
The origin of the deviceID is defined by the Cisco IOS host name of the switch. However, the deviceID
variable and its usage reside within the event gateway, which is adjacent to the switch.
The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in
turn functions as a proxy on behalf of the switch. The event gateway represents the switch and its
corresponding deviceID to the event bus.
The switch declares its host name to the event gateway immediately after the successful connection to
the event gateway. The event gateway couples the deviceID value to the Cisco IOS host name each time
this connection is established. The event gateway caches this deviceID value for the duration of its
connection to the switch.
Host Name and DeviceID
The deviceID is fixed at the time of the connection to the event gateway and does not change even when
the switch host name is reconfigured.
When changing the switch host name on the switch, the only way to refresh the deviceID is to break the
connection between the switch and the event gateway. Enter the no cns event global configuration
command followed by the cns event global configuration command.
When the connection is re-established, the switch sends its modified host name to the event gateway. The
event gateway redefines the deviceID to the new value.
Caution
When using the Configuration Registrar user interface, you must first set the deviceID field to the host
name value that the switch acquires after, not before, you use the cns config initial global configuration
command at the switch. Otherwise, subsequent cns config partial global configuration command
operations malfunction.
Using Host Name, DeviceID, and ConfigID
In standalone mode, when a host name value is set for a switch, the configuration server uses the host
name as the deviceID when an event is sent on host name. If the host name has not been set, the event is
sent on the cn= of the device.
In server mode, the host name is not used. In this mode, the unique deviceID attribute is always used for
sending an event on the bus. If this attribute is not set, you cannot update the switch.
These and other associated attributes (tag value pairs) are set when you run Setup on the Configuration
Registrar.
Note
For more information about running the setup program on the Configuration Registrar, refer to the Cisco
Intelligence Engine 2100 Series Configuration Registrar Manual.
Understanding CNS Embedded Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and
works with the CNS configuration agent. The CNS configuration agent feature supports the switch by
providing:
• Initial configurations
• Incremental (partial) configurations
• Synchronized configuration updates
Initial Configuration
When the switch first comes up, it attempts to get an IP address by broadcasting a Dynamic Host
Configuration Protocol (DHCP) request on the network. Assuming there is no DHCP server on the
subnet, the distribution switch acts as a DHCP relay agent and forwards the request to the DHCP server.
Upon receiving the request, the DHCP server assigns an IP address to the new switch and includes the
Trivial File Transfer Protocol (TFTP) server IP address, the path to the bootstrap configuration file, and
the default gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent
forwards the reply to the switch.
The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and
downloads the bootstrap configuration file from the TFTP server. Upon successful download of the
bootstrap configuration file, the switch loads the file in its running configuration.
The embedded CNS agents initiate communication with the IE2100 Configuration Registrar by using the
appropriate configID and eventID. The Configuration Registrar maps the configID to a template and
downloads the full configuration file to the switch.
Figure 5-2 shows a sample network configuration for retrieving the initial bootstrap configuration file
by using DHCP-based autoconfiguration.
Figure 5-2 Initial Configuration Overview (access layer switches; distribution layer switch acting as DHCP
relay agent and default gateway; DHCP server; TFTP server; IE2100 Configuration Registrar reached
across the WAN)
Incremental (Partial) Configuration
After the network is running, new services can be added by using the CNS configuration agent.
Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an
event payload by way of the event gateway (push operation) or as a signal event that triggers the switch
to initiate a pull operation.
The switch can check the syntax of the configuration before applying it. If the syntax is correct, the
switch applies the incremental configuration and publishes an event that signals success to the
configuration server. If the switch does not apply the incremental configuration, it publishes an event
showing an error status. When the switch has applied the incremental configuration, it can write it to
nonvolatile RAM (NVRAM) or wait until signaled to do so.
Synchronized Configuration
When the switch receives a configuration, it can defer application of the configuration upon receipt of a
write-signal event. The write-signal event tells the switch not to save the updated configuration into its
NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the
switch configuration is synchronized with other network activities before saving the configuration in
NVRAM for use at the next reboot.
Configuring CNS Embedded Agents
The CNS agents embedded in the switch IOS software allow the switch to be connected and
automatically configured as described in the “Enabling Automated CNS Configuration” section on
page 5-6. If you want to change the configuration or install a custom configuration, see these sections
for instructions:
• Enabling the CNS Event Agent, page 5-8
• Enabling the CNS Configuration Agent, page 5-9
Enabling Automated CNS Configuration
To enable automated CNS configuration of the switch, you must first complete the prerequisites in
Table 5-1. When you complete them, power on the switch. At the setup prompt, do nothing: the switch
begins the initial configuration as described in the “Initial Configuration” section on page 5-5. When the
full configuration file is loaded on your switch, you need to do nothing else.
Table 5-1 Prerequisites for Enabling Automatic Configuration

Device: Access switch
Required Configuration: Factory default (no configuration file)

Device: Distribution switch
Required Configuration:
• IP helper address
• Enable DHCP relay agent
• IP routing (if used as default gateway)

Device: DHCP server
Required Configuration:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
• Default gateway IP address

Device: TFTP server
Required Configuration:
• Create a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the IE2100 Configuration Registrar.
• Configure the switch to use either the switch MAC address or the serial number (instead of the default host name) to generate the configID and eventID.
• Configure the CNS event agent to push the configuration file to the switch.

Device: IE2100 Configuration Registrar
Required Configuration: Create one or more templates for each type of device, and map the configID of the device to the template.

Note
For more information about running the setup program and creating templates on the Configuration Registrar, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual.
Enabling the CNS Event Agent
Note
You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: cns event {ip-address | hostname} [port-number] [backup] [init-retry retry-count] [keepalive seconds retry-count] [source ip-address]
Purpose: Enable the event agent, and enter the gateway parameters.
• For {ip-address | hostname}, enter either the IP address or the host name of the event gateway.
• (Optional) For port-number, enter the port number for the event gateway. The default port number is 11011.
• (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.)
• (Optional) For init-retry retry-count, enter the number of initial retries before switching to backup. The default is 3.
• (Optional) For keepalive seconds, enter how often the switch sends keepalive messages. For retry-count, enter the number of unanswered keepalive messages that the switch sends before the connection is terminated. The default for each is 0.
• (Optional) For source ip-address, enter the source IP address of this device.
Note
Though visible in the command-line help string, the encrypt and force-fmt1 keywords are not supported.

Step 3
Command: end
Purpose: Return to privileged EXEC mode.

Step 4
Command: show cns event connections
Purpose: Verify information about the event agent.

Step 5
Command: show running-config
Purpose: Verify your entries.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration
command.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set
120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the CNS Configuration Agent
After enabling the CNS event agent, start the CNS configuration agent on the switch. You can enable the
configuration agent with these commands:
• The cns config initial global configuration command enables the configuration agent and initiates an initial configuration on the switch.
• The cns config partial global configuration command enables the configuration agent and initiates a partial configuration on the switch. You can then remotely send incremental configurations to the switch from the Configuration Registrar.
Enabling an Initial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and
initiate an initial configuration on the switch:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: cns config connect-intf interface-prefix [ping-interval seconds] [retries num]
Purpose: Enter the connect-interface-config submode, and specify the interface for connecting to the Configuration Registrar.
• Enter the interface-prefix for the connecting interface. You must specify the interface type but need not specify the interface number.
• (Optional) For ping-interval seconds, enter the interval between successive ping attempts. The range is 1 to 30 seconds. The default is 10 seconds.
• (Optional) For retries num, enter the number of ping retries. The range is 1 to 30. The default is 5.
Step 3
Command: config-cli or line-cli
Purpose: Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines.
Note
The config-cli interface configuration command accepts the special directive character & that acts as a placeholder for the interface name. When the configuration is applied, the & is replaced with the interface name. For example, to connect through FastEthernet0/0, the command config-cli ip route 0.0.0.0 0.0.0.0 & generates the command ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.

Step 4
Command: exit
Purpose: Return to global configuration mode.

Step 5
Command: hostname name
Purpose: Enter the host name for the switch.

Step 6
Command: ip route network-number
Purpose: Establish a static route to the Configuration Registrar whose IP address is network-number.

Step 7
Command: cns id interface num {dns-reverse | ipaddress | mac-address} [event]
or
cns id {hardware-serial | hostname | string string} [event]
Purpose: Set the unique eventID or configID used by the Configuration Registrar.
• For interface num, enter the type of interface, for example, Ethernet, Group-Async, Loopback, or Virtual-Template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
• For {dns-reverse | ipaddress | mac-address}, enter dns-reverse to retrieve the host name and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID.
• (Optional) Enter event to set the ID to be the event-id value used to identify the switch.
• For {hardware-serial | hostname | string string}, enter hardware-serial to set the switch serial number as the unique ID, enter hostname (the default) to select the switch host name as the unique ID, or enter an arbitrary text string for string string as the unique ID.
Step 8
Command: cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
Purpose: Enable the configuration agent, and initiate an initial configuration.
• For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished.
• (Optional) Enable no-persist to suppress the automatic writing to NVRAM of the configuration pulled as a result of entering the cns config initial global configuration command. If the no-persist keyword is not entered, using the cns config initial command causes the resultant configuration to be automatically written to NVRAM.
• (Optional) For page page, enter the web page of the initial configuration. The default is /Config/config/asp.
• (Optional) Enter source ip-address to use for source IP address.
• (Optional) Enable syntax-check to check the syntax when this parameter is entered.
Note
Though visible in the command-line help string, the encrypt keyword is not supported.

Step 9
Command: end
Purpose: Return to privileged EXEC mode.

Step 10
Command: show cns config connections
Purpose: Verify information about the configuration agent.

Step 11
Command: show running-config
Purpose: Verify your entries.
To disable the CNS configuration agent, use the no cns config initial {ip-address | hostname} global
configuration command.
This example shows how to configure an initial configuration on a remote switch. The switch host name
is the unique ID. The CNS Configuration Registrar IP address is 172.28.129.22.
Switch(config)# cns config connect-intf serial ping-interval 1 retries 1
Switch(config-cns-conn-if)# config-cli ip address negotiated
Switch(config-cns-conn-if)# config-cli encapsulation ppp
Switch(config-cns-conn-if)# config-cli ip directed-broadcast
Switch(config-cns-conn-if)# config-cli no keepalive
Switch(config-cns-conn-if)# config-cli no shutdown
Switch(config-cns-conn-if)# exit
Switch(config)# hostname RemoteSwitch
RemoteSwitch(config)# ip route 10.1.1.1 255.255.255.255 11.11.11.1
RemoteSwitch(config)# cns id Ethernet 0 ipaddress
RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist
Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to
initiate a partial configuration on the switch:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: cns config partial {ip-address | hostname} [port-number] [source ip-address]
Purpose: Enable the configuration agent, and initiate a partial configuration.
• For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enter source ip-address to use for the source IP address.
Note
Though visible in the command-line help string, the encrypt keyword is not supported.

Step 3
Command: end
Purpose: Return to privileged EXEC mode.

Step 4
Command: show cns config stats or show cns config outstanding
Purpose: Verify information about the configuration agent.

Step 5
Command: show running-config
Purpose: Verify your entries.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To disable the CNS configuration agent, use the no cns config partial {ip-address | hostname} global
configuration command. To cancel a partial configuration, use the cns config cancel privileged EXEC
command.
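The audit below is an added example, not code from this guide or from Cisco. It parses the cns event, cns config, and cns id lines of a running configuration using the syntax and defaults given in the preceding sections (event gateway port 11011, init-retry 3, keepalive 0/0, configuration server port 80, page /Config/config/asp), and reports agents that point at hosts other than the approved event gateway and Configuration Registrar, an initial configuration pulled without syntax-check, a configuration agent enabled without the event agent it depends on, and the unsupported encrypt and force-fmt1 keywords. The sample configuration and its addresses are constructed.

```python
# Added example, not from the guide: parse and audit the CNS agent lines of a
# Catalyst 2950 running configuration, using the syntax and defaults this section states.

EVENT_DEFAULTS = {"port": 11011, "backup": False, "init_retry": 3,
                  "keepalive": 0, "keepalive_retries": 0, "source": None}
CONFIG_DEFAULTS = {"port": 80, "event": False, "no_persist": False, "source": None,
                   "page": "/Config/config/asp", "syntax_check": False}
UNSUPPORTED = {"encrypt", "force-fmt1"}   # visible in CLI help, not supported

def _reject(kw, command):
    if kw in UNSUPPORTED:
        raise ValueError(f"{kw} is not supported on this release")
    raise ValueError(f"{kw} is not a {command} keyword")

def parse_cns_event(tokens):
    """tokens: the words after 'cns event'. Returns a dict of the settings."""
    parsed = dict(EVENT_DEFAULTS, gateway=tokens.pop(0))
    if tokens and tokens[0].isdigit():        # optional port-number
        parsed["port"] = int(tokens.pop(0))
    while tokens:
        kw = tokens.pop(0)
        if kw == "backup":
            parsed["backup"] = True
        elif kw == "init-retry":
            parsed["init_retry"] = int(tokens.pop(0))
        elif kw == "keepalive":               # keepalive seconds retry-count
            parsed["keepalive"] = int(tokens.pop(0))
            parsed["keepalive_retries"] = int(tokens.pop(0))
        elif kw == "source":
            parsed["source"] = tokens.pop(0)
        else:
            _reject(kw, "cns event")
    return parsed

def parse_cns_config(tokens):
    """tokens: the words after 'cns config'. Handles the initial and partial forms."""
    mode = tokens.pop(0)
    if mode not in ("initial", "partial"):
        raise ValueError(f"unsupported cns config form {mode}")
    parsed = dict(CONFIG_DEFAULTS, mode=mode, server=tokens.pop(0))
    if tokens and tokens[0].isdigit():        # optional port-number
        parsed["port"] = int(tokens.pop(0))
    flags = {"event", "no-persist", "syntax-check"} if mode == "initial" else set()  # initial-only
    while tokens:
        kw = tokens.pop(0)
        if kw in flags:
            parsed[kw.replace("-", "_")] = True
        elif kw == "page" and mode == "initial":
            parsed["page"] = tokens.pop(0)
        elif kw == "source":
            parsed["source"] = tokens.pop(0)
        else:
            _reject(kw, f"cns config {mode}")
    return parsed

def parse_running_config(text):
    """Collect the cns event, cns config and cns id lines of one configuration."""
    result = {"event": [], "config": [], "id": [], "errors": []}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["cns"]:
            continue
        try:
            if tokens[1] == "event":
                result["event"].append(parse_cns_event(tokens[2:]))
            elif tokens[1] == "config":
                result["config"].append(parse_cns_config(tokens[2:]))
            elif tokens[1] == "id":
                result["id"].append(" ".join(tokens[2:]))
        except (ValueError, IndexError) as exc:
            result["errors"].append(f"{line.strip()}: {exc}")
    return result

def audit(text, approved_gateways, approved_servers):
    """Findings: agents pointing at unapproved hosts, an initial configuration without
    syntax-check, a configuration agent with no event agent, and unparsable lines."""
    cfg = parse_running_config(text)
    findings = list(cfg["errors"])
    for ev in cfg["event"]:
        if ev["gateway"] not in approved_gateways:
            findings.append(f"event agent uses unapproved gateway {ev['gateway']}")
    for c in cfg["config"]:
        if c["server"] not in approved_servers:
            findings.append(f"{c['mode']} config agent uses unapproved server {c['server']}")
        if c["mode"] == "initial" and not c["syntax_check"]:
            findings.append("cns config initial without syntax-check")
    if cfg["config"] and not cfg["event"]:
        findings.append("configuration agent enabled without an event agent")
    return findings

# Constructed sample running-config excerpt; the addresses are placeholders.
SAMPLE = """\
cns id Ethernet 0 ipaddress
cns event 10.180.1.27 keepalive 120 10
cns event 192.0.2.9 11011 backup
cns config initial 172.28.129.22 no-persist
cns config partial 172.28.129.22 80 encrypt
"""
```

Run audit(SAMPLE, {"10.180.1.27"}, {"172.28.129.22"}) to list the three findings for the sample; feed it the cns lines of each switch's show running-config output to review a whole estate.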
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 5-2 to display CNS Configuration information.
Table 5-2
Displaying CNS Configuration
Command
Purpose
show cns config connections
Displays the status of the CNS configuration agent connections.
show cns config outstanding
Displays information about incremental (partial) CNS
configurations that have started but are not yet completed.
show cns config stats
Displays statistics about the CNS configuration agent.
show cns event connections
Displays the status of the CNS event agent connections.
show cns event stats
Displays statistics about the CNS event agent.
show cns event subject
Displays a list of event agent subjects that are subscribed to by
applications.
Chapter 6
Clustering Switches
This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 6-2
• Planning a Switch Cluster, page 6-5
• Creating a Switch Cluster, page 6-19
• Using the CLI to Manage Switch Clusters, page 6-25
• Using SNMP to Manage Switch Clusters, page 6-26
Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based
interface than through the command-line interface (CLI). Therefore, information in this chapter focuses
on using CMS to create a cluster. See Chapter 3, “Getting Started with CMS,” for additional information
about switch clusters and the clustering options. For complete procedures about using CMS to configure
switch clusters, refer to the online help.
For the CLI cluster commands, refer to the switch command reference.
Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which
ones can be command switches and which ones can only be member switches, and for the required
software versions and browser and Java plug-in configurations.
Note
This chapter focuses on Catalyst 2950 switch clusters. It also includes guidelines and limitations for
clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete
descriptions of the cluster features for these other switches. For complete cluster information for a
specific Catalyst platform, refer to the software configuration guide for that switch.
Understanding Switch Clusters
A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch
cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total
number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of
access used to configure, manage, and monitor the member switches. Cluster members can belong to
only one cluster at a time.
The benefits of clustering switches include:
• Management of Catalyst switches regardless of their interconnection media and their physical locations. The switches can be in the same location, or they can be distributed across a Layer 2 or Layer 3 (if your cluster is using a Catalyst 3550 multilayer switch as a Layer 3 router between the Layer 2 switches in the cluster) network.
Cluster members are connected to the command switch according to the connectivity guidelines described in the “Automatic Discovery of Cluster Candidates and Members” section on page 6-5.
• Command-switch redundancy if a command switch fails. One or more switches can be designated as standby command switches to avoid loss of contact with cluster members. A cluster standby group is a group of standby command switches.
• Management of a variety of Catalyst switches through a single IP address. This conserves on IP addresses, especially if you have a limited number of them. All communication with the switch cluster is through the command switch IP address.
For other clustering benefits, see the “Advantages of Using CMS and Clustering Switches” section on
page 1-7.
Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which
ones can be command switches and which ones can only be member switches, and the required software
versions.
These sections describe:
• Command Switch Characteristics, page 6-3
• Standby Command Switch Characteristics, page 6-3
• Candidate Switch and Member Switch Characteristics, page 6-4
Command Switch Characteristics
A Catalyst 2950 command switch must meet these requirements:
• It is running Release 12.0(5.2)WC(1) or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or member switch of another cluster.
• If the Catalyst 2950 command switch is running Release 12.1(9)EA1 or later, it is connected to the standby command switches through the management VLAN and to the member switches through a common VLAN.
• If the Catalyst 2950 command switch is running a release earlier than Release 12.1(9)EA1, it is connected to the standby command switches and member switches through its management VLAN.
Note
The CMP-NAT-ACL access list is created when a device is configured as the command switch. Configuring any other access list on the switch can restrict access to it and affect the discovery of member and candidate switches.
Note
We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch:
– If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch.
– If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch. (The Catalyst 2950 LRE switches can be the command switch of Catalyst 2950 member switches running IOS version 12.1(11) or earlier.)
– If your switch cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, and Catalyst 3500 XL switches, either the Catalyst 2900 XL or Catalyst 3500 XL should be the command switch.
Standby Command Switch Characteristics
A Catalyst 2950 standby command switch must meet these requirements:
• It is running Release 12.0(5.2)WC(1) or later.
• It has an IP address.
• It has CDP version 2 enabled.
• If the Catalyst 2950 standby command switch is running Release 12.1(9)EA1 or later, it is connected to other standby switches through its management VLAN and to all member switches through a common VLAN.
• If the Catalyst 2950 standby command switch is running a release earlier than Release 12.1(9)EA1, it is connected to the command switch and to other standby command switches and member switches through its management VLAN.
Note
Catalyst 2950 command switches running Release 12.1(9)EA1 or later can connect to standby command switches in the management VLAN.
• It is redundantly connected to the cluster so that connectivity to member switches is maintained.
• It is not a command or member switch of another cluster.
• Standby command switches must meet these requirements:
– When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
– When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
– When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(6)EA2 or later.
– When the command switch is running Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
Note
We strongly recommend that the command switch and standby command switches are of the same switch platform.
– If you have a Catalyst 3550 command switch, the standby command switches should be Catalyst 3550 switches.
– If you have a Catalyst 2950 command switch, the standby command switches should be Catalyst 2950 switches.
– If you have a Catalyst 2900 XL or Catalyst 3500 XL command switch, the standby command switches should be Catalyst 2900 XL and Catalyst 3500 XL switches.
Candidate Switch and Member Switch Characteristics
Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member
switches are switches that have actually been added to a switch cluster. Although not required, a
candidate or member switch can have its own IP address and password (for related considerations, see
the “IP Addresses” section on page 6-15 and “Passwords” section on page 6-16).
To join a cluster, a candidate switch must meet these requirements:
• It is running cluster-capable software.
• It has CDP version 2 enabled.
• It is not a command or member switch of another cluster.
• If the Catalyst 2950 member or candidate switch is running Release 12.1(9)EA1 or later, it is connected to the command switch through at least one common VLAN.
• If the Catalyst 2950 member or candidate switch is running a release earlier than Release 12.1(9)EA1, it is connected to the command switch through the command-switch management VLAN.
Note
Catalyst 2950 standby command switches running Release 12.1(9)EA1 or later can connect to candidate
and member switches in VLANs different from their management VLANs.
Planning a Switch Cluster
Anticipating conflicts and compatibility issues is a high priority when you manage several switches
through a cluster. This section describes these guidelines, requirements, and caveats that you should
understand before you create the cluster:
• Automatic Discovery of Cluster Candidates and Members, page 6-5
• HSRP and Standby Command Switches, page 6-12
• IP Addresses, page 6-15
• Host Names, page 6-16
• Passwords, page 6-16
• SNMP Community Strings, page 6-16
• TACACS+ and RADIUS, page 6-17
• Access Modes in CMS, page 6-17
• Management VLAN, page 6-18
• LRE Profiles, page 6-18
• Availability of Switch-Specific Features in Switch Clusters, page 6-19
Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which
ones can be command switches and which ones can only be member switches, and for the required
software versions and browser and Java plug-in configurations.
Automatic Discovery of Cluster Candidates and Members
The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate
switches, neighboring switch clusters, and edge devices in star or cascaded topologies.
Note
Do not disable CDP on the command switch, on cluster members, or on any cluster-capable switches
that you might want a command switch to discover. For more information about CDP, see Chapter 20,
“Configuring CDP.”
Following these connectivity guidelines ensures automatic discovery of the switch cluster, cluster
candidates, connected switch clusters, and neighboring edge devices:
• Discovery through CDP Hops, page 6-6
• Discovery through Non-CDP-Capable and Noncluster-Capable Devices, page 6-7
• Discovery through the Same Management VLAN, page 6-8
• Discovery through Different Management VLANs, page 6-9
• Discovery of Newly Installed Switches, page 6-10
Discovery through CDP Hops
By using CDP, a command switch can discover switches up to seven CDP hops away (the default is
three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are
connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1
are at the edge of the cluster.
You can set the number of hops the command switch searches for candidate and member switches by
selecting Cluster > Hop Count. When new candidate switches are added to the network, the command
switch discovers them and adds them to the list of candidate switches.
In Figure 6-1, the command switch is running a release earlier than Release 12.1(9)EA1 and has ports
assigned to management VLAN 16. In Figure 6-2, the command switch is running Release 12.1(9)EA1
or later and has ports assigned to VLANs 16 and 62. The CDP hop count is three. Each command switch
discovers switches 11, 12, 13, and 14 because they are within three hops from the edge of the cluster. It
does not discover switch 15 because it is four hops from the edge of the cluster.
Figure 6-1 Discovery through CDP Hops (Command Switch Running a Release Earlier than Release 12.1(9)EA1)
[Figure: command switch with ports in management VLAN 16; member switches 8, 9, and 10, with switches 9 and 10 at the edge of the cluster; candidate switches 11, 12, 13, 14, and 15 beyond the edge]
Figure 6-2 Discovery through CDP Hops (Command Switch Running Release 12.1(9)EA1 or Later)
[Figure: command switch with ports in VLANs 16 and 62; member switches 8, 9, and 10, with switches 9 and 10 at the edge of the cluster; candidate switches 11, 12, 13, 14, and 15 beyond the edge]
Discovery through Non-CDP-Capable and Noncluster-Capable Devices
If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it
can discover cluster-enabled devices connected to that third-party hub. However, if the command switch
is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected
beyond the noncluster-capable Cisco device.
Figure 6-3 shows that the command switch discovers the Catalyst 3500 XL switch, which is connected
to a third-party hub. However, the command switch does not discover the Catalyst 2950 switch that is
connected to a Catalyst 5000 switch.
Refer to the release notes for the Catalyst switches that can be part of a switch cluster.
Figure 6-3 Discovery through Non-CDP-Capable and Noncluster-Capable Devices
[Figure: command switch connected to a Catalyst 3500 XL candidate switch through a third-party hub (non-CDP-capable), and to a Catalyst 2950 candidate switch through a Catalyst 5000 switch (noncluster-capable)]
Discovery through the Same Management VLAN
A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than
Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members
through its management VLAN. The default management VLAN is VLAN 1. For more information
about management VLANs, see the “Management VLAN” section on page 6-18.
Note
You can avoid this limitation by using, whenever possible, a Catalyst 3550 command switch or a
Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can
manage cluster members even if they belong to different management VLANs. See the “Discovery
through Different Management VLANs” section on page 6-9.
The command switch in Figure 6-4 has ports assigned to management VLAN 9. It discovers all but these
switches:
• Switches 7 and 10 because their management VLAN (VLAN 4) is different from the command-switch management VLAN (VLAN 9)
• Switch 9 because automatic discovery does not extend beyond a noncandidate device, which is switch 7
Figure 6-4 Discovery through the Same Management VLAN
[Figure: Catalyst 2900 XL, Catalyst 2950, or Catalyst 3500 XL command and standby command switches in management VLAN 9; switches 3, 4, 5, 6, 8, and 9 (management VLAN 9) and switches 7 and 10 (management VLAN 4), with switch 7 reached over VLAN trunk 4, 9 and switch 9 behind switch 7; the candidates are Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches]
Discovery through Different Management VLANs
We recommend using a Catalyst 3550 command switch or a Catalyst 2950 command switch running
Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in
different VLANs and different management VLANs. Catalyst 3550 member switches and Catalyst 2950
member switches running Release 12.1(9)EA1 or later must be connected through at least one VLAN in
common with the command switch. All other member switches must be connected to the command
switch through their management VLAN.
In contrast, a Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release
earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster
members through its management VLAN. The default management VLAN is VLAN 1. For information
about discovery through the same management VLAN on these switches, see the “Discovery through the
Same Management VLAN” section on page 6-8.
The Catalyst 2950 command switch (running Release 12.1(9)EA1 or later) in Figure 6-5 and the
Catalyst 3550 command switch in Figure 6-6 have ports assigned to VLANs 9, 16, and 62. The
management VLAN on the Catalyst 2950 command switch is VLAN 9. Each command switch discovers
the switches in the different management VLANs except these:
• Switches 7 and 10 (switches in management VLAN 4) because they are not connected through a common VLAN (meaning VLANs 62 and 9) with the command switch
• Switch 9 because automatic discovery does not extend beyond a noncandidate device, which is switch 7
Figure 6-5 Discovery through Different Management VLANs with a Layer 2 Command Switch
[Figure: Catalyst 2950 command switch and Catalyst 2950 standby command switch (management VLAN 9); switches 3 and 4 (management VLAN 16), switches 5 and 9 (management VLAN 62), switches 6 and 8 (management VLAN 9), and switches 7 and 10 (management VLAN 4), with switch 7 reached over VLAN trunk 4, 62 and switch 9 behind switch 7; the candidates are Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches]
Figure 6-6 Discovery through Different Management VLANs with a Layer 3 Command Switch
[Figure: Catalyst 3550 command switch and Catalyst 3550 standby command switch with ports in VLAN 9; switches 3 and 4 (management VLAN 16), switches 5 and 9 (management VLAN 62), switches 6 and 8 (management VLAN 9), and switches 7 and 10 (management VLAN 4), with switch 7 reached over VLAN trunk 4, 62 and switch 9 behind switch 7; the candidates are Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches]
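As an added example (not part of this guide), the model below encodes the discovery rules of the preceding sections and replays them over constructed topologies that match the descriptions of Figures 6-1, 6-3, 6-4, and 6-5; the link layout and the assumption that a non-CDP hub adds no CDP hop are mine, not the guide's. Running it shows what a command switch will automatically pull into its candidate list for a given hop count and VLAN layout, which is the exposure to review before deciding where CDP and clustering are permitted.

```python
# Added example, not from the guide: a model of the automatic-discovery rules
# described in this section, run over constructed topologies that match the
# text for Figures 6-1, 6-3, 6-4 and 6-5 (the link layout is an assumption).
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                         # command, member, candidate, hub, noncluster
    mgmt_vlan: Optional[int] = None   # management VLAN of a cluster-capable switch


class Topology:
    def __init__(self, devices, links):
        self.devices = {d.name: d for d in devices}
        self.links = {name: set() for name in self.devices}
        for a, b in links:            # links are bidirectional
            self.links[a].add(b)
            self.links[b].add(a)


def discover(topo, command, command_vlans, hop_count=3):
    """Return the candidates the command switch discovers.

    Rules from the text: candidates up to hop_count CDP hops from the edge of
    the cluster (member switches are the cluster and add no hops); a candidate
    counts only if its management VLAN is one the command switch has ports in
    (just the management VLAN for a pre-12.1(9)EA1 command switch); discovery
    does not extend beyond a noncandidate device; a noncluster-capable Cisco
    device stops discovery; a non-CDP-capable third-party hub is passed
    through (assumption: it adds no CDP hop).
    """
    best = {command: 0}               # fewest hops at which each device was reached
    queue = deque([(command, 0)])     # 0-1 BFS: zero-hop edges go to the front
    while queue:
        name, hops = queue.popleft()
        if hops > best[name]:
            continue                  # stale entry
        for nbr in topo.links[name]:
            dev = topo.devices[nbr]
            if dev.kind == "noncluster":
                continue              # seen by CDP, but nothing beyond it is discovered
            cost = 1 if dev.kind == "candidate" else 0
            nh = hops + cost
            if nh >= best.get(nbr, float("inf")):
                continue
            if dev.kind == "candidate" and (nh > hop_count or dev.mgmt_vlan not in command_vlans):
                continue              # noncandidate for this command switch
            best[nbr] = nh
            (queue.appendleft if cost == 0 else queue.append)((nbr, nh))
    return {n for n in best if topo.devices[n].kind == "candidate"}


def figure_6_1(hop_count=3):
    """Members 8, 9, 10 and a chain of candidates; switch 15 is four hops from the edge."""
    devs = ([Device("cmd", "command", 16)]
            + [Device(f"sw{i}", "member", 16) for i in (8, 9, 10)]
            + [Device(f"sw{i}", "candidate", 16) for i in range(11, 16)])
    links = [("cmd", "sw8"), ("sw8", "sw9"), ("sw8", "sw10"), ("sw9", "sw11"),
             ("sw10", "sw12"), ("sw12", "sw13"), ("sw13", "sw14"), ("sw14", "sw15")]
    return discover(Topology(devs, links), "cmd", {16}, hop_count)


def figure_6_3():
    """A third-party hub is transparent; a Catalyst 5000 hides the switch behind it."""
    devs = [Device("cmd", "command", 1), Device("hub", "hub"),
            Device("cat3500xl", "candidate", 1), Device("cat5000", "noncluster"),
            Device("cat2950", "candidate", 1)]
    links = [("cmd", "hub"), ("hub", "cat3500xl"), ("cmd", "cat5000"), ("cat5000", "cat2950")]
    return discover(Topology(devs, links), "cmd", {1})


def _vlan_layout(mgmt):
    """Switches 3 to 10 of Figures 6-4 and 6-5: 7 behind 5 over a trunk, 9 behind 7, 10 behind 8."""
    devs = [Device("cmd", "command")] + [Device(f"sw{i}", "candidate", mgmt[i]) for i in range(3, 11)]
    links = [("cmd", "sw3"), ("cmd", "sw4"), ("cmd", "sw5"), ("cmd", "sw6"),
             ("sw5", "sw7"), ("sw7", "sw9"), ("sw6", "sw8"), ("sw8", "sw10")]
    return Topology(devs, links)


def figure_6_4():
    """Pre-12.1(9)EA1 command switch: only its management VLAN 9 counts."""
    return discover(_vlan_layout({3: 9, 4: 9, 5: 9, 6: 9, 7: 4, 8: 9, 9: 9, 10: 4}), "cmd", {9})


def figure_6_5(command_vlans=frozenset({9, 16, 62})):
    """12.1(9)EA1 or later command switch with ports in VLANs 9, 16 and 62."""
    mgmt = {3: 16, 4: 16, 5: 62, 6: 9, 7: 4, 8: 9, 9: 62, 10: 4}
    return discover(_vlan_layout(mgmt), "cmd", command_vlans)
```

Calling figure_6_5({9}) replays the Figure 6-5 layout with a pre-12.1(9)EA1 command switch in management VLAN 9 and shows that only switches 6 and 8 would then be discovered.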
Discovery of Newly Installed Switches
To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its
access ports. An access port (AP) carries the traffic of and belongs to the management VLAN. By
default, the new switch and its access ports are assigned to management VLAN 1.
When the new switch joins a cluster, its default management VLAN changes to the VLAN of the
immediately upstream neighbor. The new switch also configures its access port to belong to the VLAN
of the immediately upstream neighbor.
The command switch (running a release earlier than Release 12.1(9)EA1) in Figure 6-7 belongs to
management VLAN 16. When the new Catalyst 2900 LRE XL and Catalyst 2950 switches join the
cluster, their management VLAN and access ports change from VLAN 1 to VLAN 16.
The command switch (running Release 12.1(9)EA1 or later) in Figure 6-8 belongs to VLANs 9 and 16.
When the new Catalyst 3550 and Catalyst 2950 switches join the cluster:
• The Catalyst 3550 switch and its access port are assigned to VLAN 9.
• The Catalyst 2950 switch and its access port are assigned to management VLAN 16.
Figure 6-7 Discovery of Newly Installed Switches in the Same Management VLAN
Figure 6-8 Discovery of Newly Installed Switches in Different Management VLANs
HSRP and Standby Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby
command switches. Because a command switch manages the forwarding of all communication and
configuration information to all the member switches, we strongly recommend that you configure a
cluster standby command switch to take over if the primary command switch fails.
A cluster standby group is a group of command-capable switches that meet the requirements described
in the “Standby Command Switch Characteristics” section on page 6-3. Only one cluster standby group
can be assigned per cluster.
Note
• When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
• When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
• When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(6)EA2 or later.
• When the command switch is running Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
The cluster standby group is an HSRP group. Disabling HSRP disables the cluster standby group.
The switches in the cluster standby group are ranked according to HSRP priorities. The switch with the
highest priority in the group is the active command switch (AC). The switch with the next highest
priority is the standby command switch (SC). The other switches in the cluster standby group are the
passive command switches (PC). If the active command switch and the standby command switch become
disabled at the same time, the passive command switch with the highest priority becomes the active
command switch. For the limitations to automatic discovery, see the “Automatic Recovery of Cluster
Configuration” section on page 6-15. For information about changing HSRP priority values, refer to the
standby priority interface configuration mode command in the IOS Release 12.1 documentation set.
The HSRP commands are the same for changing the priority of cluster standby group members and
router-redundancy group members.
Note
The HSRP standby hold time interval should be greater than or equal to 3 times the hello time interval.
The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time
interval is 3 seconds. For more information about the standby hold time and hello time intervals, refer
to the Release 12.1 documentation set on Cisco.com.
These connectivity guidelines ensure automatic discovery of the switch cluster, cluster candidates,
connected switch clusters, and neighboring edge devices. These topics also provide more detail about
standby command switches:
• Virtual IP Addresses, page 6-13
• Other Considerations for Cluster Standby Groups, page 6-13
• Automatic Recovery of Cluster Configuration, page 6-15
Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group.
This information must be configured on the management VLAN on the active command switch. The
active command switch receives traffic destined for the virtual IP address. To manage the cluster, you
must access the active command switch through the virtual IP address, not through the command-switch
IP address. This is in case the IP address of the active command switch is different from the virtual IP
address of the cluster standby group.
If the active command switch fails, the standby command switch assumes ownership of the virtual IP
address and becomes the active command switch. The passive switches in the cluster standby group
compare their assigned priorities to determine the new standby command switch. The passive standby
switch with the highest priority then becomes the standby command switch. When the previously active
command switch becomes active again, it resumes its role as the active command switch, and the current
active command switch becomes the standby command switch again. For more information about IP
addresses in switch clusters, see the “IP Addresses” section on page 6-15.
Other Considerations for Cluster Standby Groups
These requirements also apply:
• Standby command switches must meet these requirements:
– When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
– When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
– When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(6)EA2 or later.
– When the command switch is running Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
We strongly recommend that the command switch and standby command switches be of the same switch platform.
– If you have a Catalyst 3550 command switch, the standby command switches should be Catalyst 3550 switches.
– If you have a Catalyst 2950 command switch, the standby command switches should be Catalyst 2950 switches.
– If you have a Catalyst 2900 XL or Catalyst 3500 XL command switch, the standby command switches should be Catalyst 2900 XL and Catalyst 3500 XL switches.
• Only one cluster standby group can be assigned to a cluster.
• All standby-group members must be members of the cluster.
Note
• There is no limit to the number of switches that you can assign as standby command switches. However, the total number of switches in the cluster—which would include the active command switch, standby-group members, and member switches—cannot be more than 16.
Each standby-group member (see Figure 6-9) must be connected to the command switch through its
management VLAN. Each standby-group member must also be redundantly connected to each other
through the management VLAN.
Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member
switches must be connected to the cluster standby group through their management VLANs.
Note
Catalyst 2950 standby command switches running Release 12.1(9)EA1 or later can connect to
candidate and member switches in VLANs different from their management VLANs.
For more information about VLANs in switch clusters, see these sections:
– “Discovery through the Same Management VLAN” section on page 6-8
– “Discovery through Different Management VLANs” section on page 6-9
Figure 6-9 VLAN Connectivity between Standby-Group Members and Cluster Members
Automatic Recovery of Cluster Configuration
The active command switch continually forwards cluster-configuration information (but not
device-configuration information) to the standby command switch. This ensures that the standby
command switch can take over the cluster immediately after the active command switch fails.
Automatic discovery has these limitations:
• This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and standby command switches: If the active command switch and standby command switch become disabled at the same time, the passive command switch with the highest priority becomes the active command switch. However, because it was a passive standby command switch, the previous command switch did not forward cluster-configuration information to it. The active command switch only forwards cluster-configuration information to the standby command switch. You must therefore rebuild the cluster.
• This limitation applies to all clusters: If the active command switch fails and there are more than two switches in the cluster standby group, the new command switch does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL member switches. You must re-add these member switches to the cluster.
• This limitation applies to all clusters: If the active command switch fails and becomes active again, it does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL member switches. You must again add these member switches to the cluster.
When the previously active command switch resumes its active role, it receives a copy of the latest
cluster configuration from the active command switch, including members that were added while it was
down. The active command switch sends a copy of the cluster configuration to the cluster standby group.
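The following Python model is an added example, not Cisco code. It ranks a cluster standby group by HSRP priority into the roles the chapter names in "HSRP and Standby Command Switches" (AC, SC, PC), replays the failover cases listed above under "Automatic Recovery of Cluster Configuration", and checks the hold-time rule from the earlier Note; the hostnames and priority values are constructed.

```python
"""Cluster standby group (HSRP) behaviour as this chapter describes it.

Added example, not Cisco code. Members are ranked by HSRP priority into the
active (AC), standby (SC) and passive (PC) command switches; the active switch
forwards cluster configuration only to the standby switch, which is why a
simultaneous AC+SC failure forces a cluster rebuild.
"""
from dataclasses import dataclass


@dataclass
class CommandSwitch:
    hostname: str
    priority: int                     # HSRP standby priority (higher wins)
    up: bool = True
    has_cluster_config: bool = False  # holds a copy of the cluster configuration


def rank(group):
    """Order the members that are up by HSRP priority: (AC, SC or None, [PCs])."""
    alive = sorted((s for s in group if s.up), key=lambda s: s.priority, reverse=True)
    if not alive:
        raise RuntimeError("no standby-group member is up")
    return alive[0], (alive[1] if len(alive) > 1 else None), alive[2:]


def roles(group):
    """Hostname -> AC/SC/PC, the abbreviations the Standby Command Group list shows."""
    ac, sc, pcs = rank(group)
    out = {ac.hostname: "AC"}
    if sc is not None:
        out[sc.hostname] = "SC"
    out.update((pc.hostname, "PC") for pc in pcs)
    return out


def sync_cluster_config(group):
    """The AC forwards cluster configuration to the SC only; passive members get nothing."""
    ac, sc, _ = rank(group)
    ac.has_cluster_config = True
    if sc is not None:
        sc.has_cluster_config = True


def fail(group, *hostnames):
    """Take switches down; return (new AC hostname, whether the cluster must be rebuilt).

    A rebuild is needed when the promoted switch was passive, because the previous
    AC never forwarded the cluster configuration to it (first limitation in the text).
    """
    for s in group:
        if s.hostname in hostnames:
            s.up = False
    new_ac, _, _ = rank(group)
    return new_ac.hostname, not new_ac.has_cluster_config


def recover(group, hostname):
    """A previously active switch returns: it resumes the AC role (highest priority)
    and receives the latest cluster configuration from the current AC."""
    current_ac, _, _ = rank(group)
    for s in group:
        if s.hostname == hostname:
            s.up = True
            s.has_cluster_config = current_ac.has_cluster_config
    return roles(group)


def hsrp_timers_ok(hello_seconds=3, hold_seconds=10):
    """Rule from the Note: hold time >= 3 x hello time (defaults are 3 s and 10 s)."""
    return hold_seconds >= 3 * hello_seconds


def make_group():
    """Constructed four-member standby group; hostnames and priorities are sample values."""
    return [
        CommandSwitch("cs-a", priority=150),
        CommandSwitch("cs-b", priority=120),
        CommandSwitch("cs-c", priority=100),
        CommandSwitch("cs-d", priority=90),
    ]


if __name__ == "__main__":
    g = make_group()
    sync_cluster_config(g)
    print(roles(g))                 # cs-a AC, cs-b SC, cs-c and cs-d PC
    print(fail(g, "cs-a"))          # ('cs-b', False): the SC already held the configuration
    print(recover(g, "cs-a"))       # cs-a preempts and is AC again, cs-b back to SC
    g = make_group()
    sync_cluster_config(g)
    print(fail(g, "cs-a", "cs-b"))  # ('cs-c', True): a passive switch was promoted, rebuild
    print(hsrp_timers_ok(3, 10), hsrp_timers_ok(5, 10))  # True False
```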
IP Addresses
You must assign IP information to a command switch. You can access the cluster through the
command-switch IP address. If you configure a cluster standby group, you must use the standby-group
virtual IP address to manage the cluster from the active command switch. Using the virtual IP address
ensures that you retain connectivity to the cluster if the active command switch fails and that a standby
command switch becomes the active command switch.
If the active command switch fails and the standby command switch takes over, you must either use the
standby-group virtual IP address or the IP address available on the new active command switch to access
the cluster.
You can assign an IP address to a cluster-capable switch, but it is not necessary. A member switch is
managed and communicates with other member switches through the command-switch IP address. If the
member switch leaves the cluster and it does not have its own IP address, you then must assign IP
information to it to manage it as a standalone switch.
Note
Changing the command switch IP address ends your CMS session on the switch. Restart your CMS
session by entering the new IP address in the browser Location field (Netscape Communicator) or
Address field (Internet Explorer), as described in the release notes.
For more information about IP addresses, see Chapter 4, “Assigning the Switch IP Address and Default
Gateway.”
Host Names
You do not need to assign a host name to either a command switch or an eligible cluster member.
However, a host name assigned to the command switch can help to identify the switch cluster. The
default host name for the switch is Switch.
If a switch joins a cluster and it does not have a host name, the command switch appends a unique
member number to its own host name and assigns it sequentially as each switch joins the cluster. The
number indicates the order in which the switch was added to the cluster. For example, a command switch
named eng-cluster could name the fifth cluster member eng-cluster-5.
If a switch has a host name, it retains that name when it joins a cluster. It retains that host name even
after it leaves the cluster.
If a switch received its host name from the command switch, was removed from a cluster, was then added
to a new cluster, and kept the same member number (such as 5), the old host name (such as eng-cluster-5)
is overwritten with the host name of the command switch in the new cluster (such as mkg-cluster-5). If
the switch member number changes in the new cluster (such as 3), the switch retains the previous name
(eng-cluster-5).
Passwords
You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch
joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no
command-switch password is configured, the member switch inherits a null password. Member switches
only inherit the command-switch password.
If you change the member-switch password to be different from the command-switch password and save
the change, the switch is not manageable by the command switch until you change the member-switch
password to match the command-switch password. Rebooting the member switch does not revert the
password back to the command-switch password. We recommend that you do not change the
member-switch password after it joins a cluster.
For more information about passwords, see the “Preventing Unauthorized Access to Your Switch”
section on page 7-1.
For password considerations specific to the Catalyst 1900 and Catalyst 2820 switches, refer to the
installation and configuration guides for those switches.
SNMP Community Strings
A member switch inherits the command-switch first read-only (RO) and read-write (RW) community
strings with @esN appended to the community strings:
• command-switch-readonly-community-string@esN, where N is the member-switch number.
• command-switch-readwrite-community-string@esN, where N is the member-switch number.
If the command switch has multiple read-only or read-write community strings, only the first read-only
and read-write strings are propagated to the member switch.
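As an added example (not Cisco code), the Python below derives the community strings a member switch inherits from a command switch's configuration using the @esN rule above, keeping only the first RO and first RW string; the snmp-server community lines are a constructed sample and the strings in them are placeholders.

```python
"""Derive the SNMP community strings cluster members inherit (added example, not Cisco code).

Per the chapter, a member inherits only the command switch's FIRST read-only and FIRST
read-write community string, each with "@esN" appended, where N is the member number.
Useful for an audit: compare what each member should have against what it actually has.
"""
import re

# Constructed sample of command-switch running-config lines; the community strings
# are placeholders for the example, not real credentials.
SAMPLE_CONFIG = """\
snmp-server community ro-first RO
snmp-server community rw-first RW
snmp-server community ro-second RO
snmp-server community rw-second RW 10
"""

COMMUNITY_LINE = re.compile(r"^snmp-server community (\S+) (RO|RW)\b")
MEMBER_SUFFIX = re.compile(r"^(.+)@es(\d+)$")


def first_community_strings(config_text):
    """Return (first RO string, first RW string) in order of appearance; None if absent."""
    first = {"RO": None, "RW": None}
    for line in config_text.splitlines():
        m = COMMUNITY_LINE.match(line.strip())
        if m and first[m.group(2)] is None:
            first[m.group(2)] = m.group(1)
    return first["RO"], first["RW"]


def member_community_strings(config_text, member_number):
    """Strings member N inherits: only the first RO/RW string, each with @esN appended."""
    ro, rw = first_community_strings(config_text)
    suffix = f"@es{member_number}"
    return {
        "RO": ro + suffix if ro is not None else None,
        "RW": rw + suffix if rw is not None else None,
    }


def expected_member_strings(config_text, member_numbers):
    """Audit table: member number -> inherited strings, for all listed members."""
    return {n: member_community_strings(config_text, n) for n in member_numbers}


def parse_member_community(community):
    """Split a cluster-derived string into (command-switch string, member number),
    or None if the string does not carry the @esN suffix."""
    m = MEMBER_SUFFIX.match(community)
    return (m.group(1), int(m.group(2))) if m else None


if __name__ == "__main__":
    print(first_community_strings(SAMPLE_CONFIG))        # ('ro-first', 'rw-first')
    print(expected_member_strings(SAMPLE_CONFIG, [1, 5]))
    print(parse_member_community("rw-first@es12"))       # ('rw-first', 12)
```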
The switches support an unlimited number of community strings and string lengths. For more
information about SNMP and community strings, see Chapter 24, “Configuring SNMP.”
For SNMP considerations specific to the Catalyst 1900 and Catalyst 2820 switches, refer to the
installation and configuration guides specific to those switches.
TACACS+ and RADIUS
Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user
name and password. If Terminal Access Controller Access Control System Plus (TACACS+) is
configured on a cluster member, it must be configured on all cluster members. Similarly, if Remote
Authentication Dial-In User Service (RADIUS) is configured on a cluster member, it must be configured
on all cluster members. Further, the same switch cluster cannot have some members configured with
TACACS+ and other members configured with RADIUS.
For more information about TACACS+, see the “Controlling Switch Access with TACACS+” section on
page 7-10. For more information about RADIUS, see the “Controlling Switch Access with RADIUS”
section on page 7-18.
Access Modes in CMS
CMS provides two levels of access to the configuration options: read-write access and read-only access.
Privilege levels 0 to 15 are supported.
• Privilege level 15 provides you with read-write access to CMS.
• Privilege levels 1 to 14 provide you with read-only access to CMS. Any options in the CMS windows, menu bar, toolbar, and popup menus that change the switch or cluster configuration are not shown in read-only mode.
• Privilege level 0 denies access to CMS.
For more information about CMS access modes, see the “Access Modes in CMS” section on page 3-31.
Note
• If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Release 12.0(5)WC2 or earlier
– Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier
– Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier
For more information about this limitation, refer to the release notes.
• These switches do not support read-only mode on CMS:
– Catalyst 1900 and Catalyst 2820
– Catalyst 2900 XL switches with 4-MB CPU DRAM
In read-only mode, these switches appear as unavailable devices and cannot be configured from CMS.
Management VLAN
Communication with the switch management interfaces is through the command-switch IP address. The
IP address is associated with the management VLAN, which by default is VLAN 1. To manage switches
in a cluster, the command switch, member switches, and candidate switches must be connected through
ports assigned to the command-switch management VLAN.
Note
• If the command switch is a Catalyst 2950 running Release 12.1(9)EA1 or later, candidate and member switches can belong to different management VLANs. However, they must connect to the command switch through their management VLAN.
• Catalyst 2950 standby command switches running Release 12.1(9)EA1 or later can connect to candidate and member switches in VLANs different from their management VLANs.
• This section applies to Catalyst 2900 LRE XL switches only and is not applicable to the Catalyst 2950 LRE switch.
If you add a new, out-of-box switch to a cluster and the cluster is using a management VLAN other than
the default VLAN 1, the command switch automatically senses that the new switch has a different
management VLAN and has not been configured. The command switch issues commands to change the
management VLAN of the new switch to the one the cluster is using. This automatic VLAN change only
occurs for new, out-of-box switches that do not have a config.text file and that have no changes to the
running configuration. For more information, see the “Discovery of Newly Installed Switches” section
on page 6-10.
You can change the management VLAN of a member switch (not the command switch). However, the
command switch will not be able to communicate with it. In this case, you will need to manage the switch
as a standalone switch.
You can globally change the management VLAN for the cluster as long as each member switch has either
a trunk connection or a connection to the new command-switch management VLAN. From the command
switch, use the cluster management vlan global configuration command to change the cluster
management VLAN to a different management VLAN.
Caution
You can change the management VLAN through a console connection without interrupting the console
connection. However, changing the management VLAN ends your CMS session. Restart your CMS
session by entering the new IP address in the browser Location field (Netscape Communicator) or
Address field (Microsoft Internet Explorer), as described in the release notes.
For more information about changing the management VLAN, see the “Management VLAN” section on
page 6-18.
LRE Profiles
A configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both
private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches
in that cluster must have that same public profile. Before you add an LRE switch to a cluster, make sure
that you assign it the same public profile used by other LRE switches in the cluster.
A cluster can have a mix of LRE switches that use different private profiles.
Availability of Switch-Specific Features in Switch Clusters
The menu bar on the command switch displays all options available from the switch cluster. Therefore,
features specific to a member switch are available from the command-switch menu bar. For example,
Device > LRE Profile appears in the command-switch menu bar when at least one
Catalyst 2900 LRE XL switch is in the cluster.
Creating a Switch Cluster
Using CMS to create a cluster is easier than using the CLI commands. This section provides this
information:
• Enabling a Command Switch, page 6-19
• Adding Member Switches, page 6-20
• Creating a Cluster Standby Group, page 6-22
• Verifying a Switch Cluster, page 6-24
This section assumes you have already cabled the switches, as described in the switch hardware
installation guide, and followed the guidelines described in the “Planning a Switch Cluster” section on
page 6-5.
Note
Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which
ones can be command switches and which ones can only be member switches, and for the required
software versions and browser and Java plug-in configurations.
Enabling a Command Switch
The switch you designate as the command switch must meet the requirements described in the
“Command Switch Characteristics” section on page 6-3, the “Planning a Switch Cluster” section on
page 6-5, and the release notes.
Note
• We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch:
– If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch.
– If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
– If your switch cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, and Catalyst 3500 XL switches, either the Catalyst 2900 XL or Catalyst 3500 XL should be the command switch.
You can enable a command switch, name the cluster, and assign an IP address and a password to the
command switch when you run the setup program during initial switch setup. For information about
using the setup program, refer to the release notes.
If you did not enable a command switch during initial switch setup, launch Device Manager from a
command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0),
and use up to 31 characters to name the cluster (see Figure 6-10). Instead of using CMS to enable a
command switch, you can use the cluster enable global configuration command.
Figure 6-10 Create Cluster Window
Adding Member Switches
As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 6-5, the
command switch automatically discovers candidate switches. When you add new cluster-capable
switches to the network, the command switch discovers them and adds them to a list of candidate
switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 6-11),
either relaunch CMS and redisplay this window, or follow these steps:
1. Close the Add to Cluster window.
2. Select View > Refresh.
3. Select Cluster > Add to Cluster to redisplay the Add to Cluster window.
From CMS, there are two ways to add switches to a cluster:
• Select Cluster > Add to Cluster, select a candidate switch from the list, click Add, and click OK. To add more than one candidate switch, press Ctrl, and make your choices, or press Shift, and choose the first and last switch in a range.
• Display the Topology view, right-click a candidate-switch icon, and select Add to Cluster (see Figure 6-12). In the Topology view, candidate switches are cyan, and member switches are green. To add more than one candidate switch, press Ctrl, and left-click the candidates that you want to add.
Instead of using CMS to add members to the cluster, you can use the cluster member global
configuration command from the command switch. Use the password option in this command if the
candidate switch has a password.
You can select 1 or more switches as long as the total number of switches in the cluster does not
exceed 16 (this includes the command switch). When a cluster has 16 members, the Add to Cluster
option is not available for that cluster. In this case, you must remove a member switch before adding a
new one.
If a password has been configured on a candidate switch, you are prompted to enter it before the switch can be
added to the cluster. If the candidate switch does not have a password, any entry is ignored.
If multiple candidate switches have the same password, you can select them as a group, and add them
at the same time.
If a candidate switch in the group has a password different from the group, only that specific candidate
switch is not added to the cluster.
When a candidate switch joins a cluster, it inherits the command-switch password. For more information
about setting passwords, see the “Passwords” section on page 6-16.
For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS”
section on page 6-17.
Figure 6-11 Add to Cluster Window
Figure 6-12 Using the Topology View to Add Member Switches
Creating a Cluster Standby Group
The cluster standby group members must meet the requirements described in the “Standby Command
Switch Characteristics” section on page 6-3 and “HSRP and Standby Command Switches” section on
page 6-12. To create a cluster standby group, select Cluster > Standby Command Switches (see
Figure 6-13).
Instead of using CMS to add switches to a standby group and to bind the standby group to a cluster, you
can use the standby ip, the standby name, and the standby priority interface configuration commands
and the cluster standby group global configuration command.
Note
• When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
• When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
• When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(6)EA2 or later.
• When the command switch is running Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
These abbreviations are appended to the switch host names in the Standby Command Group list to show
their eligibility or status in the cluster standby group:
• AC—Active command switch
• SC—Standby command switch
• PC—Member of the cluster standby group but not the standby command switch
• HC—Candidate switch that can be added to the cluster standby group
• CC—Command switch when HSRP is disabled
You must enter a virtual IP address for the cluster standby group. This address must be in the same subnet
as the IP addresses of the switch. The group number must be unique within the IP subnet. It can be from
0 to 255, and the default is 0. The group name can have up to 31 characters.
The Standby Command Configuration window uses the default values for the preempt and name
commands that you have set by using the CLI. If you use this window to create the HSRP group, all
switches in the group have the preempt command enabled. You must also provide a name for the group.
Note
The HSRP standby hold time interval should be greater than or equal to 3 times the hello time interval.
The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time
interval is 3 seconds. For more information about the standby hold time and hello time intervals, refer
to the Cisco IOS Release 12.1 documentation set on Cisco.com.
Figure 6-13 Standby Command Configuration Window
Verifying a Switch Cluster
When you finish adding cluster members, follow these steps to verify the cluster:
Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2 Enter the command-switch password.
Step 3 Select View > Topology to display the cluster topology and to view link information (see Figure 3-8 on page 3-11). For complete information about the Topology view, including descriptions of the icons, links, and colors, see the “Topology View” section on page 3-10.
Step 4 Select Reports > Inventory to display an inventory of the switches in the cluster (see Figure 6-14). The summary includes information such as switch model numbers, serial numbers, software versions, IP information, and location.
You can also display port and switch statistics from Reports > Port Statistics and Port > Port Settings
> Runtime Status.
Instead of using CMS to verify the cluster, you can use the show cluster members user EXEC command
from the command switch or use the show cluster user EXEC command from the command switch or
from a member switch.
Figure 6-14 Inventory Window
If you lose connectivity with a member switch or if a command switch fails, see the “Using Recovery
Procedures” section on page 28-6.
For more information about creating and managing clusters, refer to the online help. For information
about the cluster commands, refer to the switch command reference.
Using the CLI to Manage Switch Clusters
You can configure member switches from the CLI by first logging into the command switch. Enter the
rcommand user EXEC command and the member switch number to start a Telnet session (through a
console or Telnet connection) and to access the member switch CLI. The command mode changes, and
the IOS commands operate as usual. Enter the exit privileged EXEC command on the member switch to
return to the command-switch CLI.
This example shows how to log into member-switch 3 from the command-switch CLI:
switch# rcommand 3
If you do not know the member-switch number, enter the show cluster members privileged EXEC
command on the command switch. For more information about the rcommand command and all other
cluster commands, refer to the switch command reference.
The Telnet session accesses the member-switch CLI at the same privilege level as on the command
switch. The IOS commands then operate as usual. For instructions on configuring the switch for a Telnet
session, see the “Disabling Password Recovery” section on page 7-5.
Catalyst 1900 and Catalyst 2820 CLI Considerations
If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software,
the Telnet session accesses the management console (a menu-driven interface) if the command switch is
at privilege level 15. If the command switch is at privilege level 1 to 14, you are prompted for the
password to access the menu console.
Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 member switches running
standard and Enterprise Edition Software as follows:
• If the command-switch privilege level is 1 to 14, the member switch is accessed at privilege level 1.
• If the command-switch privilege level is 15, the member switch is accessed at privilege level 15.
Note
The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition
Software.
For more information about the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and
configuration guides for those switches.
Using SNMP to Manage Switch Clusters
When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup
program and accept its proposed configuration. If you did not use the setup program to enter the IP
information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”
section on page 24-5. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
When you create a cluster, the command switch manages the exchange of messages between member
switches and an SNMP application. The cluster software on the command switch appends the member
switch number (@esN, where N is the switch number) to the first configured read-write and read-only
community strings on the command switch and propagates them to the member switch. The command
switch uses this community string to control the forwarding of gets, sets, and get-next messages between
the SNMP management station and the member switches.
Note
When a cluster standby group is configured, the command switch can change without your knowledge.
Use the first read-write and read-only community strings to communicate with the command switch if
there is a cluster standby group configured for the cluster.
If the member switch does not have an IP address, the command switch redirects traps from the member
switch to the management station, as shown in Figure 6-15. If a member switch has its own IP address
and community strings, the member switch can send traps directly to the management station, without
going through the command switch.
If a member switch has its own IP address and community strings, they can be used in addition to the
access provided by the command switch. For more information about SNMP and community strings, see
Chapter 24, “Configuring SNMP.”
Figure 6-15 SNMP Management for a Cluster [diagram not reproduced; it shows traps from Member 1, Member 2, and Member 3 passing through the command switch to the SNMP Manager]
CHAPTER 7
Administering the Switch
This chapter describes how to perform one-time operations to administer your switch. This chapter
consists of these sections:
• Preventing Unauthorized Access to Your Switch, page 7-1
• Protecting Access to Privileged EXEC Commands, page 7-2
• Controlling Switch Access with TACACS+, page 7-10
• Controlling Switch Access with RADIUS, page 7-18
• Configuring the Switch for Local Authentication and Authorization, page 7-32
• Configuring the Switch for Secure Shell, page 7-33
• Managing the System Time and Date, page 7-34
• Configuring a System Name and Prompt, page 7-48
• Creating a Banner, page 7-51
• Managing the MAC Address Table, page 7-54
• Managing the ARP Table, page 7-61
• Switch Software Releases, page 7-61
Preventing Unauthorized Access to Your Switch
You can prevent unauthorized users from reconfiguring your switch and viewing configuration
information. Typically, you want network administrators to have access to your switch while you restrict
access to users who dial from outside the network through an asynchronous port, connect from outside
the network through a serial port, or connect through a terminal or workstation from within the local
network.
To prevent unauthorized access into your switch, you should configure one or more of these security
features:
• At a minimum, you should configure passwords and privileges at each switch port. These passwords
  are locally stored on the switch. When users attempt to access the switch through a port or line, they
  must enter the password specified for the port or line before they can access the switch. For more
  information, see the “Protecting Access to Privileged EXEC Commands” section on page 7-2.
• For an additional layer of security, you can also configure username and password pairs, which are
  locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each
  user before that user can access the switch. If you have defined privilege levels, you can also assign
  a specific privilege level (with associated rights and privileges) to each username and password pair.
  For more information, see the “Configuring Username and Password Pairs” section on page 7-7.
• If you want to use username and password pairs, but you want to store them centrally on a server
  instead of locally, you can store them in a database on a security server. Multiple networking devices
  can then use the same database to obtain user authentication (and, if necessary, authorization)
  information. For more information, see the “Controlling Switch Access with TACACS+” section on
  page 7-10.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign
privilege levels. Password protection restricts access to a network or network device. Privilege levels
define what commands users can enter after they have logged into a network device.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Security Command Reference for Release 12.1.
This section describes how to control access to the configuration file and privileged EXEC commands.
It contains this configuration information:
• Default Password and Privilege Level Configuration, page 7-2
• Setting or Changing a Static Enable Password, page 7-3
• Protecting Enable and Enable Secret Passwords with Encryption, page 7-4
• Disabling Password Recovery, page 7-5
• Setting a Telnet Password for a Terminal Line, page 7-6
• Configuring Username and Password Pairs, page 7-7
• Configuring Multiple Privilege Levels, page 7-8
Default Password and Privilege Level Configuration
Table 7-1 shows the default password and privilege level configuration.
Table 7-1 Default Password and Privilege Levels

Feature: Enable password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level).
The password is not encrypted in the configuration file.

Feature: Enable secret password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level).
The password is encrypted before it is written to the configuration file.

Feature: Line password
Default Setting: No password is defined.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC
mode, follow these steps to set or change a static enable password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to
        privileged EXEC mode.
        By default, no password is defined.
        For password, specify a string from 1 to 25 alphanumeric characters. The
        string cannot start with a number, is case sensitive, and allows spaces but
        ignores leading spaces. It can contain the question mark (?) character if
        you precede the question mark with the key combination Ctrl-v when you
        create the password; for example, to create the password abc?123, do this:
        Enter abc.
        Enter Ctrl-v.
        Enter ?123.
        When the system prompts you to enter the enable password, you need not
        precede the question mark with Ctrl-v; you can simply enter abc?123
        at the password prompt.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
        The enable password is not encrypted and can be read in the switch
        configuration file.
To remove the password, use the no enable password global configuration command.
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted
and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are
stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or
enable secret global configuration commands. Both commands accomplish the same thing; that is, you
can establish an encrypted password that users must enter to access privileged EXEC mode (the default)
or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption
algorithm.
If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable
secret passwords:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for
        access to privileged EXEC mode.
        or
        enable secret [level level] {password | encryption-type encrypted-password}
        Define a secret password, which is saved using a
        nonreversible encryption method.
        • (Optional) For level, the range is from 0 to 15. Level 1
          is normal user EXEC mode privileges. The default level
          is 15 (privileged EXEC mode privileges).
        • For password, specify a string from 1 to 25
          alphanumeric characters. The string cannot start with a
          number, is case sensitive, and allows spaces but ignores
          leading spaces. By default, no password is defined.
        • (Optional) For encryption-type, only type 5, a Cisco
          proprietary encryption algorithm, is available. If you
          specify an encryption type, you must provide an
          encrypted password—an encrypted password you copy
          from another Catalyst 2950 switch configuration.
        Note
        If you specify an encryption type and then enter a
        clear text password, you cannot re-enter privileged
        EXEC mode. You cannot recover a lost encrypted
        password by any method.
Step 3  service password-encryption
        (Optional) Encrypt the password when the password is
        defined or when the configuration is written.
        Encryption prevents the password from being readable in the
        configuration file.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and
set a password, give the password only to users who need to have access at this level. Use the privilege
level global configuration command to specify commands accessible at various levels. For more
information, see the “Configuring Multiple Privilege Levels” section on page 7-8.
If you enable password encryption, it applies to all passwords including username passwords,
authentication key passwords, the privileged command password, and console and virtual terminal line
passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level
level] global configuration command. To disable password encryption, use the no service
password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Disabling Password Recovery
The default configuration for Catalyst 2950 LRE switches allows an end user with physical access to the
switch to recover from a lost password by interrupting the start process while the switch is powering up
and then by entering a new password. The password recovery disable feature for Catalyst 2950 LRE
switches allows the system administrator to protect access to the switch password by disabling part of
this functionality and allowing the user to interrupt the start process only by agreeing to set the system
back to the default configuration. With password recovery disabled, you can still interrupt the start
process and change the password, but the configuration file (config.text) and the VLAN database file
(vlan.dat) are deleted.
Note
The password recovery disable feature is valid only on Catalyst 2950 LRE switches; it is not available
for Catalyst 2950 Gigabit Ethernet switches.
Note
If you disable password recovery, we recommend that you keep a backup copy of the configuration file
on a secure server in case the end user interrupts the start process and sets the system back to defaults.
Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP
transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a
secure server. When the switch is returned to the default system configuration, you can download the
saved files to the switch by using the XMODEM protocol. For more information, see the “Recovering
from a Lost or Forgotten Password” section on page 28-6.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no service password-recovery
        Disable password recovery.
        This setting is saved in an area of the Flash memory that is accessible by
        the boot loader and the IOS image, but it is not part of the file system and
        is not accessible by any user.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show version
        Verify the configuration by checking the last few lines of the display.
To re-enable password recovery, use the service password-recovery global configuration command.
Note
Disabling password recovery does not work if you have set the switch to start manually by using the
boot manual global configuration command because this command allows the user to automatically see
the boot loader prompt (switch:) after power cycling the switch.
Setting a Telnet Password for a Terminal Line
When you power-up your switch for the first time, an automatic setup program runs to assign IP
information and to create a default configuration for continued use. The setup program also prompts you
to configure your switch for Telnet access through a password. If you neglected to configure this
password during the setup program, you can configure it now through the command-line interface (CLI).
Beginning in privileged EXEC mode, follow these steps to configure your switch for Telnet access:
Step 1  Attach a PC or workstation with emulation software to the switch console
        port.
        The default data characteristics of the console port are 9600, 8, 1, no
        parity. You might need to press the Return key several times to see the
        command-line prompt.
Step 2  enable password password
        Enter privileged EXEC mode.
Step 3  configure terminal
        Enter global configuration mode.
Step 4  line vty 0 15
        Configure the number of Telnet sessions (lines), and enter line
        configuration mode.
        There are 16 possible sessions on a command-capable switch. The 0
        and 15 mean that you are configuring all 16 possible Telnet sessions.
Step 5  password password
        Enter a Telnet password for the line or lines.
        For password, specify a string from 1 to 25 alphanumeric characters. The
        string cannot start with a number, is case sensitive, and allows spaces but
        ignores leading spaces. By default, no password is defined.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
        The password is listed under the command line vty 0 15.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove the password, use the no password global configuration command.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch. These pairs are
assigned to lines or interfaces and authenticate each user before that user can access the switch. If you
have defined privilege levels, you can also assign a specific privilege level (with associated rights and
privileges) to each username and password pair.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication
system that requests a login username and a password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.
        • For name, specify the user ID as one word. Spaces and quotation
          marks are not allowed.
        • (Optional) For level, specify the privilege level the user has after
          gaining access. The range is 0 to 15. Level 15 gives privileged EXEC
          mode access. Level 1 gives user EXEC mode access.
        • For encryption-type, enter 0 to specify that an unencrypted password
          will follow. Enter 7 to specify that a hidden password will follow.
        • For password, specify the password the user must enter to gain access
          to the switch. The password must be from 1 to 25 characters, can
          contain embedded spaces, and must be the last option specified in the
          username command.
Step 3  line console 0
        or
        line vty 0 15
        Enter line configuration mode, and configure the console port (line 0) or
        the VTY lines (line 0 to 15).
Step 4  login local
        Enable local password checking at login time. Authentication is based on
        the username specified in Step 2.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable username authentication for a specific user, use the no username name global configuration
command. To disable password checking and allow connections without a password, use the no login
line configuration command.
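The sections above on the static enable password, enable secret, the Telnet line password, and username pairs each describe a setting that ends up in the running configuration. As an added example (not code from the guide or from Cisco), the script below audits a constructed running-config for those settings: a cleartext enable password with no enable secret, missing service password-encryption, type 0 and type 7 username passwords, and VTY lines that accept connections without a password.

```python
import re

# Constructed sample running-config (not taken from the guide). It mixes the weak
# settings the sections above warn about with the recommended ones.
SAMPLE_CONFIG = """\
hostname Switch
enable password l1u2c3k4y5
username admin privilege 15 password 0 letmein
username ops privilege 2 password 7 0822455D0A16
line con 0
 login local
line vty 0 4
 password let45me67in89
 login
line vty 5 15
 no login
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def split_config(config):
    """Return (global commands, {'line ...' section: [its indented commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        elif cmd:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(config):
    """Return (severity, message) findings for the config, most severe first."""
    global_cmds, sections = split_config(config)
    findings = []

    # The guide recommends 'enable secret' (type 5, nonreversible) over 'enable password'.
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    if any(c.startswith("enable password") for c in global_cmds) and not has_secret:
        findings.append(("high", "enable password set without enable secret; "
                                 "use enable secret, which is stored nonreversibly"))

    # Without 'service password-encryption', line and username passwords are written
    # to the configuration file exactly as typed.
    if "service password-encryption" not in global_cmds:
        findings.append(("medium", "service password-encryption is not configured; "
                                   "line and username passwords are readable in the config"))

    # Username pairs: type 0 is cleartext; type 7 (the 'hidden' form) is reversible, so it
    # protects only against casual viewing of the file, not against someone who copies it.
    for cmd in global_cmds:
        m = re.match(r"username (\S+)(?: privilege \d+)? password (\d) ", cmd)
        if m and m.group(2) == "0":
            findings.append(("medium", f"username {m.group(1)}: cleartext (type 0) password"))
        elif m and m.group(2) == "7":
            findings.append(("low", f"username {m.group(1)}: type 7 password is reversible"))

    # VTY (Telnet) lines: 'no login' accepts connections without any password; plain
    # 'login' with no line password leaves the line refusing connections, not protected.
    for name, children in sections.items():
        if not name.startswith("line vty"):
            continue
        if "no login" in children:
            findings.append(("high", f"{name}: no login, Telnet connections need no password"))
        elif "login" in children and not any(ch.startswith("password ") for ch in children):
            findings.append(("medium", f"{name}: login set but no line password; "
                                       "the line refuses connections until one is set"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```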
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC.
You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple
passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it
level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access
to the configure command, you can assign it level 3 security and distribute that password to a more
restricted group of users.
This section includes this configuration information:
• Setting the Privilege Level for a Command, page 7-8
• Changing the Default Privilege Level for Lines, page 7-9
• Logging into and Exiting a Privilege Level, page 7-10
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  privilege mode level level command
        Set the privilege level for a command.
        • For mode, enter configure for global configuration mode, exec for
          EXEC mode, interface for interface configuration mode, or line for
          line configuration mode.
        • For level, the range is from 0 to 15. Level 1 is for normal user EXEC
          mode privileges. Level 15 is the level of access permitted by the
          enable password.
        • For command, specify the command to which you want to restrict
          access.
Step 3  enable password level level password
        Specify the enable password for the privilege level.
        • For level, the range is from 0 to 15. Level 1 is for normal user EXEC
          mode privileges.
        • For password, specify a string from 1 to 25 alphanumeric characters.
          The string cannot start with a number, is case sensitive, and allows
          spaces but ignores leading spaces. By default, no password is
          defined.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        or
        show privilege
        Verify your entries.
        The first command displays the password and access level configuration.
        The second command displays the privilege level configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that command
are also set to that level. For example, if you set the show ip traffic command to level 15, the show
commands and show ip commands are automatically set to privilege level 15 unless you set them
individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level level command
global configuration command.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14
as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
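The subset rule and the per-level enable password above can be modelled to check who can run what. The class below is an added example (not from the guide or from Cisco IOS); it applies the rule exactly as the guide states it: a command set to a level also sets every prefix of that command to that level unless that prefix is set individually. Its default levels are a constructed simplification (configure is 15, everything else 1).

```python
# Added example: a model of 'privilege <mode> level <level> <command>' and
# 'enable password level <level> <password>', following the rules stated in the guide.
class PrivilegeTable:
    def __init__(self):
        self.explicit = {}          # (mode, command words) -> level, set individually
        self.enable_passwords = {}  # level -> password from 'enable password level N'

    def privilege(self, mode, level, command):
        """privilege <mode> level <level> <command>"""
        self.explicit[(mode, tuple(command.split()))] = level

    def no_privilege(self, mode, level, command):
        """no privilege <mode> level <level> <command>: return the command to its default."""
        self.explicit.pop((mode, tuple(command.split())), None)

    def level_of(self, mode, command):
        """Level required to run `command`, applying the guide's subset rule."""
        words = tuple(command.split())
        if (mode, words) in self.explicit:
            return self.explicit[(mode, words)]
        # Not set individually: inherit the level of the most recently set command
        # of which this command is a prefix ('commands whose syntax is a subset').
        inherited = None
        for (m, w), lvl in self.explicit.items():
            if m == mode and len(w) > len(words) and w[:len(words)] == words:
                inherited = lvl
        if inherited is not None:
            return inherited
        return 15 if words[0] == "configure" else 1   # constructed defaults

    def allowed(self, user_level, mode, command):
        return user_level >= self.level_of(mode, command)

    def enable_password(self, level, password):
        """enable password level <level> <password>"""
        self.enable_passwords[level] = password

    def enable(self, current_level, target_level, password):
        """'enable <level>': the new level on the right password, else unchanged."""
        if target_level <= current_level:
            return current_level      # use disable to step down
        if self.enable_passwords.get(target_level) == password:
            return target_level
        return current_level

    def disable(self, current_level, target_level):
        """'disable <level>': exit to a lower privilege level, no password needed."""
        return min(current_level, target_level)


if __name__ == "__main__":
    # The guide's example: configure at level 14, unlocked by SecretPswd14.
    t = PrivilegeTable()
    t.privilege("exec", 14, "configure")
    t.enable_password(14, "SecretPswd14")
    level = t.enable(1, 14, "SecretPswd14")
    print(level, t.allowed(level, "exec", "configure"))   # 14 True
```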
Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line vty line
        Select the virtual terminal line on which to restrict access.
Step 3  privilege level level
        Change the default privilege level for the line.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
        privileges. Level 15 is the level of access permitted by the enable
        password.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        or
        show privilege
        Verify your entries.
        The first command displays the password and access level configuration.
        The second command displays the privilege level configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Users can override the privilege level you set using the privilege level line configuration command by
logging in to the line and enabling a different privilege level. They can lower the privilege level by using
the disable command. If users know the password to a higher privilege level, they can use that password
to enable the higher privilege level. You might specify a high level or privilege level for your console
line to restrict line usage.
To return to the default line privilege level, use the no privilege level line configuration command.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit
to a specified privilege level:
Step 1  enable level
        Log in to a specified privilege level.
        For level, the range is 0 to 15.
Step 2  disable level
        Exit to a specified privilege level.
        For level, the range is 0 to 15.
Controlling Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System
Plus (TACACS+), which provides detailed accounting information and flexible administrative control
over authentication and authorization processes. TACACS+ is facilitated through authentication,
authorization, accounting (AAA) and can be enabled only through AAA commands.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Security Command Reference for Release 12.1.
This section contains this configuration information:
• Understanding TACACS+, page 7-10
• TACACS+ Operation, page 7-12
• Configuring TACACS+, page 7-12
• Displaying the TACACS+ Configuration, page 7-17
Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain
access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon
typically running on a UNIX or Windows NT workstation. You should have access to and should
configure a TACACS+ server before configuring TACACS+ features on your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each
service—authentication, authorization, and accounting—independently. Each service can be tied into its
own database to take advantage of other services available on that server or on the network, depending
on the capabilities of the daemon.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single
management service. Your switch can be a network access server along with other Cisco routers and
access servers. A network access server provides connections to a single user, to a network or
subnetwork, and to interconnected networks as shown in Figure 7-1.
Figure 7-1 Typical TACACS+ Network Configuration
[Diagram not reproduced. It shows a Catalyst 6500 series switch and Catalyst 2950 or 3550 switches, each with
attached workstations, reaching two UNIX workstations running TACACS+ server 1 (171.20.10.7) and
TACACS+ server 2 (171.20.10.8). The callouts list the configuration tasks: configure the switches with the
TACACS+ server addresses; set an authentication key (also configure the same key on the TACACS+ servers);
enable AAA; create a login authentication method list; apply the list to the terminal lines; create an
authorization and accounting method list as required.]
TACACS+, administered through the AAA security services, can provide these services:
• Authentication—Provides complete control of authentication through login and password dialog,
  challenge and response, and messaging support.
  The authentication facility can conduct a dialog with the user (for example, after a username and
  password are provided, to challenge a user with several questions, such as home address, mother’s
  maiden name, service type, and social security number). The TACACS+ authentication service can
  also send messages to user screens. For example, a message could notify users that their passwords
  must be changed because of the company’s password aging policy.
• Authorization—Provides fine-grained control over user capabilities for the duration of the user’s
  session, including but not limited to setting autocommands, access control, session duration, or
  protocol support. You can also enforce restrictions on what commands a user can execute with the
  TACACS+ authorization feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the
  TACACS+ daemon. Network managers can use the accounting facility to track user activity for a
  security audit or to provide information for user billing. Accounting records include user identities,
  start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it
ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon
are encrypted.
You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process
occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
   prompt, which is then displayed to the user. The user enters a username, and the switch then contacts
   the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to
   the user, the user enters a password, and the password is then sent to the TACACS+ daemon.
   TACACS+ allows a conversation to be held between the daemon and the user until the daemon
   receives enough information to authenticate the user. The daemon prompts for a username and
   password combination, but can include other items, such as the user’s mother’s maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
   a. ACCEPT—The user is authenticated and service can begin. If the switch is configured to
      require authorization, authorization begins at this time.
   b. REJECT—The user is not authenticated. The user can be denied access or is prompted to retry
      the login sequence, depending on the TACACS+ daemon.
   c. ERROR—An error occurred at some time during authentication with the daemon or in the
      network connection between the daemon and the switch. If an ERROR response is received, the
      switch typically tries to use an alternative method for authenticating the user.
   d. CONTINUE—The user is prompted for additional authentication information.
   After authentication, the user undergoes an additional authorization phase if authorization has been
   enabled on the switch. Users must first successfully complete TACACS+ authentication before
   proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
   ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
   contains data in the form of attributes that direct the EXEC or NETWORK session for that user,
   determining the services that the user can access:
   – Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
   – Connection parameters, including the host or client IP address, access list, and user timeouts
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
This section contains this configuration information:
• Default TACACS+ Configuration, page 7-13
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 7-13
• Configuring TACACS+ Login Authentication, page 7-14
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-16
• Starting TACACS+ Accounting, page 7-17
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note
Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates
HTTP connections that have been configured with a privilege level of 15.
Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts
for authentication. You can group servers to select a subset of the configured server hosts and use them
for a particular service. The server group is used with a global server-host list and contains the list of IP
addresses of the selected server hosts.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a
TACACS+ server and optionally set the encryption key:
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: tacacs-server host hostname [port integer] [timeout integer] [key string]
    Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to
    create a list of preferred hosts. The software searches for hosts in the order in which you specify them.
    • For hostname, specify the name or IP address of the host.
    • (Optional) For port integer, specify a server port number. The default is port 49. The range is
      1 to 65535.
    • (Optional) For timeout integer, specify a time in seconds the switch waits for a response from the
      daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to
      1000 seconds.
    • (Optional) For key string, specify the encryption key for encrypting and decrypting all traffic
      between the switch and the TACACS+ daemon. You must configure the same key on the TACACS+
      daemon for encryption to be successful.
Step 3: aaa new-model
    Enable AAA.
Step 4: aaa group server tacacs+ group-name
    (Optional) Define the AAA server-group with a group name.
    This command puts the switch in a server group subconfiguration mode.
Step 5: server ip-address
    (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step
    for each TACACS+ server in the AAA server group.
    Each server in the group must be previously defined in Step 2.
Step 6: end
    Return to privileged EXEC mode.
Step 7: show tacacs
    Verify your entries.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname
global configuration command. To remove a server group from the configuration list, use the no aaa
group server tacacs+ group-name global configuration command. To remove the IP address of a
TACACS+ server, use the no server ip-address server group subconfiguration command.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default). The default method list is automatically applied to all interfaces except
those that have a named method list explicitly defined. A defined method list overrides the default
method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup
system for authentication in case the initial method fails. The software uses the first method listed to
authenticate users; if that method fails to respond, the software selects the next authentication method
in the method list. This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If authentication fails at any point in
this cycle—meaning that the security server or local username database responds by denying the user
access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: aaa new-model
    Enable AAA.
Step 3: aaa authentication login {default | list-name} method1 [method2...]
    Create a login authentication method list.
    • To create a default list that is used when a named list is not specified in the login
      authentication command, use the default keyword followed by the methods that are to be used
      in default situations. The default method list is automatically applied to all interfaces.
    • For list-name, specify a character string to name the list you are creating.
    • For method1..., specify the actual method the authentication algorithm tries. The additional
      methods of authentication are used only if the previous method returns an error, not if it fails.
    Select one of these methods:
    • enable—Use the enable password for authentication. Before you can use this authentication
      method, you must define an enable password by using the enable password global configuration
      command.
    • group tacacs+—Use TACACS+ authentication. Before you can use this authentication method,
      you must configure the TACACS+ server. For more information, see the “Identifying the
      TACACS+ Server Host and Setting the Authentication Key” section on page 7-13.
    • line—Use the line password for authentication. Before you can use this authentication method,
      you must define a line password. Use the password password line configuration command.
    • local—Use the local username database for authentication. You must enter username
      information in the database. Use the username name password global configuration command.
    • local-case—Use a case-sensitive local username database for authentication. You must enter
      username information in the database by using the username name password global
      configuration command.
    • none—Do not use any authentication for login.
Step 4: line [console | tty | vty] line-number [ending-line-number]
    Enter line configuration mode, and configure the lines to which you want to apply the
    authentication list.
Step 5: login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
    • If you specify default, use the default list created with the aaa authentication login command.
    • For list-name, specify the list created with the aaa authentication login command.
Step 6: end
    Return to privileged EXEC mode.
Step 7: show running-config
    Verify your entries.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable TACACS+ authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the
switch uses information retrieved from the user’s profile, which is located either in the local user
database or on the security server, to configure the user’s session. The user is granted access to a
requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the tacacs+ keyword to set
parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
  TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for
privileged EXEC access and network services:
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: aaa authorization network tacacs+
    Configure the switch for user TACACS+ authorization for all network-related service requests.
Step 3: aaa authorization exec tacacs+
    Configure the switch for user TACACS+ authorization to determine if the user has privileged EXEC
    access.
    The exec keyword might return user profile information (such as autocommand information).
Step 4: end
    Return to privileged EXEC mode.
Step 5: show running-config
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to
the TACACS+ security server in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, or auditing.
Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco
IOS privilege level and for network services:
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: aaa accounting network start-stop tacacs+
    Enable TACACS+ accounting for all network-related service requests.
Step 3: aaa accounting exec start-stop tacacs+
    Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a
    privileged EXEC process and a stop-record at the end.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show running-config
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global
configuration command.
Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
Controlling Switch Access with RADIUS
This section describes how to enable and configure the Remote Authentication Dial-In User Service
(RADIUS), which provides detailed accounting information and flexible administrative control over
authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only
through AAA commands.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Security Command Reference for Release 12.1.
This section contains this configuration information:
• Understanding RADIUS, page 7-18
• RADIUS Operation, page 7-19
• Configuring RADIUS, page 7-20
• Displaying the RADIUS Configuration, page 7-31
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco routers and switches, including Catalyst 3550 multilayer
switches and Catalyst 2950 series switches. Clients send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information. The RADIUS host
is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access
Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more
information, refer to the RADIUS server documentation.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
  servers from several vendors use a single RADIUS server-based security database. In an IP-based
  network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
  server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
  as in an access environment that uses a smart card access control system. In one case, RADIUS has
  been used with Enigma’s security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the
  network. This might be the first step when you make a transition to a TACACS+ server. See
  Figure 7-2 on page 7-19.
• Networks in which the user must only access a single service. Using RADIUS, you can control user
  access to a single host, to a single utility such as Telnet, or to the network through a protocol such
  as IEEE 802.1X. For more information about this protocol, see Chapter 8, “Configuring 802.1X
  Port-Based Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of
  RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
  at the start and end of services, showing the amount of resources (such as time, packets, bytes, and
  so forth) used during the session. An Internet service provider might use a freeware-based version
  of RADIUS access control and accounting software to meet special security and billing needs.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA),
  NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or
  X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
  RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device
  requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
Figure 7-2 Transitioning from RADIUS to TACACS+ Services
[Figure 7-2 shows a remote PC, a workstation, a Catalyst 2950 or 3550 switch, RADIUS servers R1
and R2, and TACACS+ servers T1 and T2; the image itself is not reproduced here.]
RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server,
these events occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of these responses from the RADIUS server:
   a. ACCEPT—The user is authenticated.
   b. REJECT—The user is either not authenticated and is prompted to re-enter the username and
      password, or access is denied.
   c. CHALLENGE—A challenge requires additional data from the user.
   d. CHALLENGE PASSWORD—A response requests the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. Users must first successfully complete RADIUS authentication before
proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or
REJECT packets includes these items:
• Telnet, SSH, rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must
identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS
authentication. You can optionally define method lists for RADIUS authorization and accounting.
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep
accounts on a user. You can use method lists to designate one or more security protocols to be used (such
as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The
software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that
method does not respond, the software selects the next method in the list. This process continues until
there is successful communication with a listed method or the method list is exhausted.
You should have access to and should configure a RADIUS server before configuring RADIUS features
on your switch.
This section contains this configuration information:
• Default RADIUS Configuration, page 7-20
• Identifying the RADIUS Server Host, page 7-20 (required)
• Configuring RADIUS Login Authentication, page 7-23 (required)
• Defining AAA Server Groups, page 7-25 (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services, page 7-27
  (optional)
• Starting RADIUS Accounting, page 7-28 (optional)
• Configuring Settings for All RADIUS Servers, page 7-29 (optional)
• Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 7-29 (optional)
• Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 7-30
  (optional)
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management
application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
Identifying the RADIUS Server Host
Switch-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value
You identify RADIUS security servers by their host name or IP address, host name and specific UDP
port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and
the UDP port number creates a unique identifier, allowing different ports to be individually defined as
RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be
sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for
example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using
this example, if the first host entry fails to provide accounting services, the switch tries the second host
entry configured on the same device for accounting services. (The RADIUS host entries are tried in the
order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the switch, use the three unique global
configuration commands: radius-server timeout, radius-server retransmit, and radius-server key.
To apply these values on a specific RADIUS server, use the radius-server host global configuration
command.
Note
If you configure both global and per-server functions (timeout, retransmission, and key
commands) on the switch, the per-server timer, retransmission, and key value commands
override the global timer, retransmission, and key value commands. For information on
configuring these settings on all RADIUS servers, see the “Configuring Settings for All
RADIUS Servers” section on page 7-29.
You can configure the switch to use AAA server groups to group existing server hosts for authentication.
For more information, see the “Defining AAA Server Groups” section on page 7-25.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server
communication. This procedure is required.
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
        [timeout seconds] [retransmit retries] [key string]
    Specify the IP address or host name of the remote RADIUS server host.
    • (Optional) For auth-port port-number, specify the UDP destination port for authentication
      requests.
    • (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
    • (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS
      server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server
      timeout global configuration command setting. If no timeout is set with the radius-server host
      command, the setting of the radius-server timeout command is used.
    • (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a
      server if that server is not responding or responding slowly. The range is 1 to 1000. If no
      retransmit value is set with the radius-server host command, the setting of the radius-server
      retransmit global configuration command is used.
    • (Optional) For key string, specify the authentication and encryption key used between the
      switch and the RADIUS daemon running on the RADIUS server.
      Note
      The key is a text string that must match the encryption key used on the RADIUS server. Always
      configure the key as the last item in the radius-server host command. Leading spaces are
      ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do
      not enclose the key in quotation marks unless the quotation marks are part of the key.
    To configure the switch to recognize more than one host entry associated with a single IP address,
    enter this command as many times as necessary, making sure that each UDP port number is
    different. The switch software searches for hosts in the order in which you specify them. Set the
    timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show running-config
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global
configuration command.
This example shows how to configure one RADIUS server to be used for authentication and another to
be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
This example shows how to configure host1 as the RADIUS server and to use the default ports for both
authentication and accounting:
Switch(config)# radius-server host host1
Note
You also need to configure some settings on the RADIUS server. These settings include the IP address
of the switch and the key string to be shared by both the server and the switch. For more information,
refer to the RADIUS server documentation.
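An added example, not from this guide, that parses the radius-server host command form described above, resolves each host's settings against the global radius-server timeout, radius-server retransmit and radius-server key commands (per-server values win, as the Note above states), and lists the (host, UDP port) identifiers in the order they were configured, which is also the fail-over order. The configuration lines fed to it, including the 10.0.0.5 host and the global values, are constructed; an entry with no explicit port for a service is shown as "default" because this page does not name the default port numbers.

```python
"""Parse the radius-server commands described on this page and resolve the
effective per-server settings. Added illustration, not Cisco code: the input
lines are constructed and the regular expressions are this example's reading
of the command syntax shown above."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# radius-server host {hostname | ip-address} [auth-port N] [acct-port N]
#                    [timeout N] [retransmit N] [key string]
# The key must be last: everything after "key" and its leading spaces is the
# key, spaces inside and at the end included (the page's Note on key spacing).
HOST_RE = re.compile(
    r"^radius-server host\s+(?P<host>\S+)"
    r"(?P<opts>(?:\s+(?:auth-port|acct-port|timeout|retransmit)\s+\d+)*)"
    r"(?:\s+key\s+(?P<key>.*))?\s*$"
)
GLOBAL_RE = re.compile(r"^radius-server (?P<name>timeout|retransmit)\s+(?P<value>\d+)\s*$")
GLOBAL_KEY_RE = re.compile(r"^radius-server key\s+(?P<key>.*)$")

Setting = Union[int, str, None]

# Constructed sample: three global commands, the two hosts from the example
# above, and one constructed host whose key contains and ends with spaces.
SAMPLE_CONFIG = [
    "radius-server timeout 5",
    "radius-server retransmit 3",
    "radius-server key globalkey",
    "radius-server host 172.29.36.49 auth-port 1612 key rad1",
    "radius-server host 172.20.36.50 acct-port 1618 key rad2",
    "radius-server host 10.0.0.5 timeout 3 retransmit 2 key   my shared key ",
]


@dataclass(frozen=True)
class RadiusHost:
    host: str
    auth_port: Optional[int] = None   # None: default authentication port
    acct_port: Optional[int] = None   # None: default accounting port
    timeout: Optional[int] = None     # None: fall back to radius-server timeout
    retransmit: Optional[int] = None  # None: fall back to radius-server retransmit
    key: Optional[str] = None         # None: fall back to radius-server key


def parse_radius_host(line: str) -> RadiusHost:
    """Parse one 'radius-server host' line; raises ValueError on bad syntax."""
    m = HOST_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a radius-server host command: {line!r}")
    tokens = m.group("opts").split()
    opts = {name.replace("-", "_"): int(value)
            for name, value in zip(tokens[0::2], tokens[1::2])}
    return RadiusHost(host=m.group("host"), key=m.group("key"), **opts)


def load_config(lines: List[str]) -> Tuple[Dict[str, Setting], List[RadiusHost]]:
    """Collect the global timeout/retransmit/key values and the host entries,
    keeping the hosts in configured order."""
    globals_: Dict[str, Setting] = {}
    hosts: List[RadiusHost] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = GLOBAL_RE.match(line)
        if m:
            globals_[m.group("name")] = int(m.group("value"))
            continue
        m = GLOBAL_KEY_RE.match(line)
        if m:
            globals_["key"] = m.group("key")
            continue
        if line.startswith("radius-server host"):
            hosts.append(parse_radius_host(line))
        # any other command is outside this example and ignored
    return globals_, hosts


def effective_settings(host: RadiusHost, globals_: Dict[str, Setting]) -> Dict[str, Setting]:
    """Per-server values override global ones; None means neither was set."""
    result: Dict[str, Setting] = {}
    for name in ("timeout", "retransmit", "key"):
        own = getattr(host, name)
        result[name] = own if own is not None else globals_.get(name)
    return result


def failover_order(hosts: List[RadiusHost], service: str) -> List[Tuple[str, Union[int, str]]]:
    """(host, UDP port) identifiers for 'auth' or 'acct', in the order the
    entries were configured, which is the order the switch tries them."""
    port_attr = {"auth": "auth_port", "acct": "acct_port"}[service]
    return [(h.host, getattr(h, port_attr) or "default") for h in hosts]


if __name__ == "__main__":
    glob, entries = load_config(SAMPLE_CONFIG)
    for entry in entries:
        print(entry.host, effective_settings(entry, glob))
    print("auth order:", failover_order(entries, "auth"))
    print("acct order:", failover_order(entries, "acct"))
```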
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default). The default method list is automatically applied to all interfaces except
those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup
system for authentication in case the initial method fails. The software uses the first method listed to
authenticate users; if that method fails to respond, the software selects the next authentication method
in the method list. This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If authentication fails at any point in
this cycle—meaning that the security server or local username database responds by denying the user
access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This
procedure is required.
Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: aaa new-model
    Enable AAA.
Step 3: aaa authentication login {default | list-name} method1 [method2...]
    Create a login authentication method list.
    • To create a default list that is used when a named list is not specified in the login
      authentication command, use the default keyword followed by the methods that are to be used
      in default situations. The default method list is automatically applied to all interfaces.
    • For list-name, specify a character string to name the list you are creating.
    • For method1..., specify the actual method the authentication algorithm tries. The additional
      methods of authentication are used only if the previous method returns an error, not if it fails.
    Select one of these methods:
    – enable—Use the enable password for authentication. Before you can use this authentication
      method, you must define an enable password by using the enable password global
      configuration command.
    – group radius—Use RADIUS authentication. Before you can use this authentication method,
      you must configure the RADIUS server. For more information, see the “Identifying the
      RADIUS Server Host” section on page 7-20.
    – line—Use the line password for authentication. Before you can use this authentication method,
      you must define a line password. Use the password password line configuration command.
    – local—Use the local username database for authentication. You must enter username
      information in the database. Use the username name password global configuration command.
    – local-case—Use a case-sensitive local username database for authentication. You must enter
      username information in the database by using the username name password global
      configuration command.
    – none—Do not use any authentication for login.
Step 4: line [console | tty | vty] line-number [ending-line-number]
    Enter line configuration mode, and configure the lines to which you want to apply the
    authentication list.
Step 5: login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
    • If you specify default, use the default list created with the aaa authentication login command.
    • For list-name, specify the list created with the aaa authentication login command.
Step 6: end
    Return to privileged EXEC mode.
Step 7: show running-config
    Verify your entries.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable RADIUS authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
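The method-list rule stated in both the TACACS+ and the RADIUS login authentication sections (a later method is consulted only when the previous one returns an error, never when it denies the user) modelled as an added Python example; it is not part of this guide, and the server and local-database stand-ins, their user tables and the passwords are all constructed. It also shows why a trailing none method turns an unreachable server into an open door.

```python
"""Model of the AAA login method-list fallback rule this page states for both
TACACS+ and RADIUS lists: the next method is consulted only when the previous
one returns an ERROR (daemon unreachable, timeout), never when it REJECTs.
Added illustration, not Cisco code; the stand-ins below are constructed."""

from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"
# A method takes (username, password) and answers ACCEPT, REJECT or ERROR.
Method = Callable[[str, str], str]
MethodList = List[Tuple[str, Method]]


def authenticate(method_list: MethodList, user: str, pw: str) -> Tuple[str, str, List[str]]:
    """Walk the list as the switch does. Returns (decision, deciding method, trace).
    A list exhausted by ERRORs yields REJECT with the marker 'exhausted'."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, pw)
        trace.append(f"{name}:{result}")
        if result == ACCEPT:
            return ACCEPT, name, trace
        if result == REJECT:
            # A denial from a security server or the local database ends the
            # cycle; later methods are not tried even though they are configured.
            return REJECT, name, trace
        # ERROR: no answer from this method, fall through to the next one.
    return REJECT, "exhausted", trace


def aaa_server(reachable: bool, users: Dict[str, str]) -> Method:
    """Stand-in for 'group tacacs+' or 'group radius': ERROR while the daemon
    cannot be reached, otherwise ACCEPT/REJECT from its own (constructed) table."""
    def method(user: str, pw: str) -> str:
        if not reachable:
            return ERROR
        return ACCEPT if users.get(user) == pw else REJECT
    return method


def local_database(users: Dict[str, str], case_sensitive: bool = False) -> Method:
    """Stand-in for 'local' (username matched without regard to case, as the
    contrast with 'local-case' on this page implies) and for 'local-case'."""
    table = users if case_sensitive else {u.lower(): p for u, p in users.items()}

    def method(user: str, pw: str) -> str:
        key = user if case_sensitive else user.lower()
        return ACCEPT if table.get(key) == pw else REJECT
    return method


def none_method(user: str, pw: str) -> str:
    """Stand-in for 'none': the login succeeds without any check."""
    return ACCEPT


def demo(server_reachable: bool, trailing_none: bool) -> Tuple[str, str, List[str]]:
    """Login of 'admin' with the local password against the list
    'aaa authentication login default group tacacs+ local [none]'."""
    server_users = {"admin": "tacacs-pw"}   # constructed credentials
    local_users = {"admin": "local-pw"}
    methods: MethodList = [
        ("group tacacs+", aaa_server(server_reachable, server_users)),
        ("local", local_database(local_users)),
    ]
    if trailing_none:
        methods.append(("none", none_method))
    return authenticate(methods, "admin", "local-pw")


if __name__ == "__main__":
    # Server up: TACACS+ rejects the local password and 'local' is never asked.
    print(demo(server_reachable=True, trailing_none=False))
    # Server down: ERROR falls through and the local database decides.
    print(demo(server_reachable=False, trailing_none=False))
    # 'none' last: an unreachable server plus a bad password still logs in,
    # the fail-open case to look for when reviewing method lists.
    print(authenticate([("group tacacs+", aaa_server(False, {})),
                        ("none", none_method)], "anyone", "wrong"))
```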
Defining AAA Server Groups
You can configure the switch to use AAA server groups to group existing server hosts for authentication.
You select a subset of the configured server hosts and use them for a particular service. The server group
is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique
identifier (the combination of the IP address and UDP port number), allowing different ports to be
individually defined as RADIUS hosts providing a specific AAA service. If you configure two different
host entries on the same RADIUS server for the same service, (for example, accounting), the second
configured host entry acts as a fail-over backup to the first one.
You use the server command in server-group configuration mode to associate a particular server with a defined
server group. You can either identify the server by its IP address alone or identify multiple host instances or
entries on that server by using the optional auth-port and acct-port keywords.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate
a particular RADIUS server with it:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server host {hostname |
ip-address} [auth-port port-number]
[acct-port port-number] [timeout
seconds] [retransmit retries] [key
string]
Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
• (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
• (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
• (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.
Note
The key is a text string that must match the encryption key used
on the RADIUS server. Always configure the key as the last item
in the radius-server host command. Leading spaces are ignored,
but spaces within and at the end of the key are used. If you use
spaces in your key, do not enclose the key in quotation marks
unless the quotation marks are part of the key.
To configure the switch to recognize more than one host entry associated
with a single IP address, enter this command as many times as necessary,
making sure that each UDP port number is different. The switch software
searches for hosts in the order in which you specify them. Set the timeout,
retransmit, and encryption key values to use with the specific RADIUS
host.
Step 3
aaa new-model
Enable AAA.
Step 4
aaa group server radius group-name
Define the AAA server-group with a group name.
This command puts the switch in a server group configuration mode.
Step 5
server ip-address
Associate a particular RADIUS server with the defined server group.
Repeat this step for each RADIUS server in the AAA server group.
Each server in the group must be previously defined in Step 2.
Step 6
end
Return to privileged EXEC mode.
Step 7
show running-config
Verify your entries.
Step 8
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Step 9
Enable RADIUS login authentication. See the “Configuring RADIUS
Login Authentication” section on page 7-23.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global
configuration command. To remove a server group from the configuration list, use the no aaa group
server radius group-name global configuration command. To remove the IP address of a RADIUS
server, use the no server ip-address server group configuration command.
In this example, the switch is configured to recognize two different RADIUS group servers (group1 and
group2). Group1 has two different host entries on the same RADIUS server configured for the same
services. The second host entry acts as a fail-over backup to the first entry.
Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
Switch(config)# aaa new-model
Switch(config)# aaa group server radius group1
Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config-sg-radius)# exit
Switch(config)# aaa group server radius group2
Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
Switch(config-sg-radius)# exit
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the
switch uses information retrieved from the user’s profile, which is in the local user database or on the
security server, to configure the user’s session. The user is granted access to a requested service only if
the information in the user profile allows it.
You can use the aaa authorization global configuration command with the radius keyword to set
parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
• Use the local database if authentication was not performed by using RADIUS.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged
EXEC access and network services:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa authorization network radius
Configure the switch for user RADIUS authorization for all
network-related service requests.
Step 3
aaa authorization exec radius
Configure the switch for user RADIUS authorization to determine if the
user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
Starting RADIUS Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to
the RADIUS security server in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, or auditing.
Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco
IOS privilege level and for network services:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa accounting network start-stop
radius
Enable RADIUS accounting for all network-related service requests.
Step 3
aaa accounting exec start-stop radius
Enable RADIUS accounting to send a start-record accounting notice at
the beginning of a privileged EXEC process and a stop-record at the
end.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global
configuration command.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings
between the switch and all RADIUS servers:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server key string
Specify the shared secret text string used between the switch and all
RADIUS servers.
Note
The key is a text string that must match the encryption key used on
the RADIUS server. Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks
are part of the key.
Step 3
radius-server retransmit retries
Specify the number of times the switch sends each RADIUS request to the
server before giving up. The default is 3; the range is 1 to 1000.
Step 4
radius-server timeout seconds
Specify the number of seconds a switch waits for a reply to a RADIUS
request before resending the request. The default is 5 seconds; the range is
1 to 1000.
Step 5
radius-server deadtime minutes
Specify the number of minutes for which a RADIUS server that is not responding
to authentication requests is skipped. Skipping a dead server avoids waiting for
each request to time out before the next configured server is tried. The default is
0; the range is 1 to 1440 minutes.
Step 6
end
Return to privileged EXEC mode.
Step 7
show running-config
Verify your settings.
Step 8
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these
commands.
Configuring the Switch to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the switch and the RADIUS server by using the vendor-specific
attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended
attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific
option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported
option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and
value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep
is = for mandatory attributes and * for optional attributes. This allows the full set of features available
for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP
authorization (during PPP’s IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from a switch with immediate access to
privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service
(RADIUS).”
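To make the protocol : attribute sep value format concrete, the following Python code is an added example written for this section; it is not Cisco code and not part of the original guide. It parses a cisco-avpair string into its protocol, attribute, separator, and value, then applies the separator semantics the way TACACS+ authorization does: a mandatory (=) attribute that the device does not understand or cannot apply causes the authorization to fail, while an unknown optional (*) attribute is ignored. The parse_cisco_avpair, privilege_level and authorize functions and the SUPPORTED set are hypothetical names chosen for the example; the inputs are the two AV pairs shown above plus constructed strings.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical parser for the cisco-avpair value described in the guide.
# Format:  protocol : attribute sep value   where sep is '=' (mandatory) or '*' (optional).


@dataclass(frozen=True)
class AVPair:
    protocol: str      # e.g. "shell" or "ip"
    attribute: str     # e.g. "priv-lvl" or "addr-pool"
    value: str         # e.g. "15" or "first"
    mandatory: bool    # True for '=', False for '*'


_AVPAIR_RE = re.compile(
    r"^(?P<proto>[A-Za-z0-9_-]+):(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$"
)


def parse_cisco_avpair(text: str) -> AVPair:
    """Parse one cisco-avpair value. Accepts the quoted form used in the guide's
    examples (cisco-avpair= "shell:priv-lvl=15") as well as the bare string."""
    text = text.strip()
    if text.startswith("cisco-avpair"):
        _, _, text = text.partition("=")
        text = text.strip().strip('"')
    m = _AVPAIR_RE.match(text)
    if not m:
        raise ValueError(f"not a cisco-avpair value: {text!r}")
    return AVPair(m["proto"], m["attr"], m["value"], m["sep"] == "=")


# (protocol, attribute) pairs this hypothetical device knows how to apply.
SUPPORTED = {("shell", "priv-lvl"), ("ip", "addr-pool")}


def privilege_level(pair: AVPair) -> int:
    """Validate shell:priv-lvl. The guide states privilege levels run 0 to 15."""
    if (pair.protocol, pair.attribute) != ("shell", "priv-lvl"):
        raise ValueError("not a shell:priv-lvl pair")
    if not pair.value.isdigit() or not 0 <= int(pair.value) <= 15:
        raise ValueError(f"privilege level out of range: {pair.value!r}")
    return int(pair.value)


def authorize(pairs: Iterable[AVPair]) -> Dict[str, object]:
    """Apply TACACS+ AV-pair semantics to a profile carried in RADIUS attribute 26.
    A mandatory pair that cannot be applied denies the session; an optional pair
    that cannot be applied is ignored and recorded so it can be logged."""
    applied: Dict[str, str] = {}
    ignored: List[str] = []
    for p in pairs:
        key = (p.protocol, p.attribute)
        try:
            if key == ("shell", "priv-lvl"):
                applied["priv-lvl"] = str(privilege_level(p))
            elif key in SUPPORTED:
                applied[p.attribute] = p.value
            else:
                raise ValueError("unsupported attribute")
        except ValueError as exc:
            if p.mandatory:
                return {"granted": False,
                        "reason": f"{p.protocol}:{p.attribute} ({exc})",
                        "applied": {}}
            ignored.append(f"{p.protocol}:{p.attribute}")
    return {"granted": True, "applied": applied, "ignored": ignored}


if __name__ == "__main__":
    profile = [parse_cisco_avpair('cisco-avpair= "shell:priv-lvl=15"'),
               parse_cisco_avpair("ip:addr-pool=first")]
    print(authorize(profile))
```

The practical point is the separator: a server that returns shell:priv-lvl=99 (or any mandatory attribute the device cannot honour) should produce a denied session, not a session with an undefined privilege level, so the validation in privilege_level is part of the authorization decision rather than a cosmetic check.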
Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use
VSAs:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server vsa send [accounting |
authentication]
Enable the switch to recognize and use VSAs as defined by RADIUS IETF
attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
• (Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your settings.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, refer
to the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide for Release 12.1.
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS
attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS
attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
switch. You specify the RADIUS host and secret text string by using the radius-server global
configuration commands.
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server
host and a shared secret text string:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server host {hostname | ip-address} non-standard
Specify the IP address or host name of the remote
RADIUS server host and identify that it is using a
vendor-proprietary implementation of RADIUS.
Step 3
radius-server key string
Specify the shared secret text string used between the
switch and the vendor-proprietary RADIUS server.
The switch and the RADIUS server use this text
string to encrypt passwords and exchange responses.
Note
The key is a text string that must match the
encryption key used on the RADIUS server.
Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use
spaces in your key, do not enclose the key in
quotation marks unless the quotation marks
are part of the key.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your settings.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}
non-standard global configuration command. To disable the key, use the no radius-server key global
configuration command.
This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:
Switch(config)# radius-server host 172.20.30.15 non-standard
Switch(config)# radius-server key rad124
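The notes in this section say that the switch and the RADIUS server use the shared key to encrypt passwords and exchange responses, and that spaces inside or at the end of the key are significant. The following Python code is an added example, not Cisco code and not part of this guide, that follows RFC 2865 (User-Password hiding in section 5.2, the Response Authenticator in section 3) to show both uses of the key. It uses the key rad124 from the example above; the Request Authenticator, the user password, and the function names (hide_password, reveal_password, response_authenticator, reply_is_genuine) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added illustration of how the RADIUS shared secret is used (RFC 2865).
# Not Cisco code; all inputs below are constructed.

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password (RFC 2865 s5.2): pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the 16-byte
    Request Authenticator. Only a peer holding the same secret can reverse it."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. Trailing NUL
    padding is stripped, so a password cannot itself end in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 s3):
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)          # 20-byte header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def reply_is_genuine(code: int, ident: int, attributes: bytes, request_auth: bytes,
                     received_auth: bytes, secret: bytes) -> bool:
    """Client-side check that a reply came from a server holding the same secret
    and answers the request we actually sent (bound by the Request Authenticator)."""
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


if __name__ == "__main__":
    secret = b"rad124"                     # key from the guide's example
    req_auth = bytes(range(16))            # constructed; real clients use random bytes
    hidden = hide_password(b"s3cret pass", secret, req_auth)
    print(reveal_password(hidden, secret, req_auth))
    print(reveal_password(hidden, secret + b" ", req_auth))   # wrong key: garbage
```

Running the last two lines shows the effect of the note about spaces: a key of "rad124 " (trailing space) produces a different MD5 mask, so the server cannot recover the password and the switch would reject every Access-Accept it receives because the Response Authenticator no longer verifies.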
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.
Configuring the Switch for Local Authentication and
Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local
mode. The switch then handles authentication and authorization. No accounting is available in this
configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa new-model
Enable AAA.
Step 3
aaa authentication login default local
Set the login authentication to use the local username database. The
default keyword applies the local user database authentication to all
interfaces.
Step 4
aaa authorization exec local
Configure user AAA authorization to determine if the user is allowed to
run an EXEC shell by checking the local database.
Step 5
aaa authorization network local
Configure user AAA authorization for all network-related service
requests.
Step 6
username name [privilege level]
{password encryption-type password}
Enter the local database, and establish a username-based authentication
system.
Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.
• For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.
• For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step 7
end
Return to privileged EXEC mode.
Step 8
show running-config
Verify your entries.
Step 9
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable authorization,
use the no aaa authorization {network | exec} method1 global configuration command.
Configuring the Switch for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto
(encrypted) multilayer software image must be installed on your switch. You must download this
software image from Cisco.com. For more information, refer to the release notes for this release.
Note
For complete syntax and usage information for the commands used in this section, refer to the “Secure
Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.1.
Understanding SSH
SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are
two versions of SSH: SSH version 1 and SSH version 2. This software release only supports SSH
version 1.
SSH provides more security for remote connections than Telnet by providing strong encryption when a
device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client
supports these user authentication methods:
• TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 7-10)
• RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on page 7-18)
• Local authentication and authorization (for more information, see the “Configuring the Switch for Local Authentication and Authorization” section on page 7-32)
For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS
Security Configuration Guide for Release 12.2.
Note
The SSH feature in this software release does not support IP Security (IPSec).
Configuring SSH
Before configuring SSH, download the crypto software image from Cisco.com. For more information,
refer to the release notes for this release.
For information about configuring SSH and displaying SSH settings, refer to the “Configuring Secure
Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.
Managing the System Time and Date
You can manage the system time and date on your switch using automatic configuration, such as the
Network Time Protocol (NTP), or manual configuration methods.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Configuration Fundamentals Command Reference for Release 12.1.
This section contains this configuration information:
• Understanding the System Clock, page 7-34
• Understanding Network Time Protocol, page 7-34
• Configuring NTP, page 7-36
• Configuring Time and Date Manually, page 7-43
Understanding the System Clock
The heart of the time service is the system clock. This clock runs from the moment the system starts up
and keeps track of the date and time.
The system clock can then be set from these sources:
• Network Time Protocol
• Manual configuration
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also
known as Greenwich Mean Time (GMT). You can configure information about the local time zone and
summer time (daylight saving time) so that the time is correctly displayed for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set
by a time source considered to be authoritative). If it is not authoritative, the time is available only for
display purposes and is not redistributed. For configuration information, see the “Configuring Time and
Date Manually” section on page 7-43.
Understanding Network Time Protocol
The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol
(UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an
atomic clock attached to a time server. NTP then distributes this time across the network. NTP is
extremely efficient; no more than one packet per minute is necessary to synchronize two devices to
within a millisecond of one another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an
authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a
stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device
running NTP automatically chooses as its time source the device with the lowest stratum number with
which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP
speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a
device that is not synchronized. NTP also compares the time reported by several devices and does not
synchronize to a device whose time is significantly different than the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically
configured; each device is given the IP address of all devices with which it should form associations.
Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an
association. However, in a LAN environment, NTP can be configured to use IP broadcast messages
instead. This alternative reduces configuration complexity because each device can simply be
configured to send or receive broadcast messages. However, in that case, information flow is one-way
only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio
or atomic clock. We recommend that the time service for your network be derived from the public NTP
servers available on the IP Internet. Figure 7-3 shows a typical network example using NTP.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as
though it is synchronized through NTP, when in fact it has determined the time by using other means.
Other devices then synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP
time overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems
to be time-synchronized as well.
Figure 7-3
Typical NTP Network Configuration
[Figure not reproduced. It shows a Catalyst 6500 series switch (NTP master) with local workgroup servers at the top; three Catalyst 2950 or 3550 switches configured in NTP server mode (server association) with the Catalyst 6500 series switch; one further Catalyst 2950 or 3550 switch configured as an NTP peer to the upstream and downstream Catalyst 3550 switches; and workstations attached to the access switches.]
Configuring NTP
The Catalyst 2950 switches do not have a hardware-supported clock, and they cannot function as an NTP
master clock to which peers synchronize themselves when an external NTP source is not available.
These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and
the ntp master global configuration commands are not available.
This section contains this configuration information:
• Default NTP Configuration, page 7-37
• Configuring NTP Authentication, page 7-37
• Configuring NTP Associations, page 7-38
• Configuring NTP Broadcast Service, page 7-39
• Configuring NTP Access Restrictions, page 7-40
• Configuring the Source IP Address for NTP Packets, page 7-42
• Displaying the NTP Configuration, page 7-43
Default NTP Configuration
Table 7-2 shows the default NTP configuration.
Table 7-2 Default NTP Configuration
Feature: Default Setting
NTP authentication: Disabled. No authentication key is specified.
NTP peer or server associations: None configured.
NTP broadcast service: Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions: No access control is specified.
NTP packet source IP address: The source address is determined by the outgoing interface.
NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you configure
in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications
between devices running NTP that provide for accurate timekeeping) with other devices for security
purposes:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ntp authenticate
Enable the NTP authentication feature, which is disabled by
default.
Step 3
ntp authentication-key number md5 value
Define the authentication keys. By default, none are defined.
• For number, specify a key number. The range is 1 to 4294967295.
• md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
• For value, enter an arbitrary string of up to eight characters for the key.
The switch does not synchronize to a device unless both have one
of these authentication keys, and the key number is specified by the
ntp trusted-key key-number command.
Step 4
ntp trusted-key key-number
Specify one or more key numbers (defined in Step 3) that a peer
NTP device must provide in its NTP packets for this switch to
synchronize to it.
By default, no trusted keys are defined.
For key-number, specify the key defined in Step 3.
This command provides protection against accidentally
synchronizing the switch to a device that is not trusted.
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove
an authentication key, use the no ntp authentication-key number global configuration command. To
disable authentication of the identity of a device, use the no ntp trusted-key key-number global
configuration command.
This example shows how to configure the switch to synchronize only to devices providing authentication
key 42 in the device’s NTP packets:
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
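As an added illustration of what the three commands above enforce on a received packet, the following Python code models the receiver-side checks; it is not Cisco's implementation and not part of this guide. In NTPv3 the authenticator appended to the 48-byte header is a 4-byte key identifier followed by an MD5 digest computed over the key and the header (RFC 1305, Appendix C). The model rejects a packet that carries no authenticator, a key identifier that is not in the trusted set (ntp trusted-key), a key identifier with no defined key (ntp authentication-key), or a digest that does not match. Key 42 with value aNiceKey comes from the example above; key 43, the packet contents, and the function names (build_ntp_header, sign_ntp, verify_ntp) are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set, Tuple

# Added model of NTPv3 MD5 authentication with trusted keys. Not Cisco code.

NTP_HEADER_LEN = 48        # fixed NTPv3 header
NTP_AUTH_LEN = 4 + 16      # key identifier + MD5 digest


def build_ntp_header(stratum: int, version: int = 3, mode: int = 4,
                     xmit_ts: int = 0) -> bytes:
    """Minimal NTPv3 header: LI=0, given version/mode/stratum, poll 6,
    precision -20, zero root delay/dispersion, reference id 'LOCL', and
    zeroed timestamps except the transmit timestamp. Constructed values."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, b"LOCL", 0, 0, 0, xmit_ts)


def sign_ntp(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the NTPv3 authenticator: key id, then MD5 over key || header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp(packet: bytes, keys: Dict[int, bytes],
               trusted: Set[int]) -> Tuple[bool, str]:
    """Receiver-side check modelled on `ntp authenticate` + `ntp trusted-key`.
    Returns (accepted, reason). A packet that fails is not used for
    synchronization, which is the protection the guide describes."""
    if len(packet) != NTP_HEADER_LEN + NTP_AUTH_LEN:
        return False, "no authenticator"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    if key_id not in trusted:
        return False, f"key {key_id} not trusted"
    key = keys.get(key_id)
    if key is None:
        return False, f"key {key_id} not defined"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    keys = {42: b"aNiceKey", 43: b"otherKey"}   # 42/aNiceKey from the guide; 43 constructed
    trusted = {42}                               # ntp trusted-key 42
    header = build_ntp_header(stratum=2)
    print(verify_ntp(sign_ntp(header, 42, keys[42]), keys, trusted))   # (True, 'ok')
    print(verify_ntp(sign_ntp(header, 43, keys[43]), keys, trusted))   # not trusted
    print(verify_ntp(header, keys, trusted))                           # no authenticator
```

Note the order of the checks: a defined but untrusted key is refused before any digest is computed, which is exactly the distinction the guide draws between ntp authentication-key (the key exists) and ntp trusted-key (the key is allowed to vouch for a time source). The digest check also catches a packet whose stratum field was altered in transit, since the stratum byte is covered by the MD5 computation.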
Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or
allow the other device to synchronize to it), or it can be a server association (meaning that only this
switch synchronizes to the other device, and not the other way around).
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
or
ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Configure the switch system clock to be synchronized by a time server (server association).
No peer or server associations are defined by default.
• For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.
• (Optional) For number, specify the NTP version number. The range is 1 to 3. By default, version 3 is selected.
• (Optional) For keyid, enter the authentication key defined with the ntp authentication-key global configuration command.
• (Optional) For interface, specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.
• (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the
association. If you are using the default NTP version (version 3) and NTP synchronization does not
occur, try using NTP version 2. Many NTP servers on the Internet run version 2.
To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address
global configuration command.
This example shows how to configure the switch to synchronize its system clock with the clock of the
time server at IP address 172.16.22.44 (a server association) using NTP version 2:
Switch(config)# ntp server 172.16.22.44 version 2
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically
configured; each device is given the IP addresses of all devices with which it should form associations.
Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an
association. However, in a LAN environment, NTP can be configured to use IP broadcast messages
instead. This alternative reduces configuration complexity because each device can simply be
configured to send or receive broadcast messages. However, the information flow is one-way only.
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP
broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP
broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast
packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP
broadcast packets.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send NTP broadcast
packets to peers so that they can synchronize their clock to the switch:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify the interface to send NTP broadcast packets, and enter
interface configuration mode.
Step 3
ntp broadcast [version number] [key keyid] [destination-address]
Enable the interface to send NTP broadcast packets to a peer.
By default, this feature is disabled on all interfaces.
•
(Optional) For number, specify the NTP version number. The
range is 1 to 3. If you do not specify a version, version 3 is used.
•
(Optional) For keyid, specify the authentication key to use when
sending packets to the peer.
•
(Optional) For destination-address, specify the IP address of the
peer that is synchronizing its clock to this switch.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Step 7
Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface
configuration command.
This example shows how to configure an interface to send NTP version 2 packets:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast version 2
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP
broadcast packets from connected peers:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify the interface to receive NTP broadcast packets, and enter
interface configuration mode.
Step 3
ntp broadcast client
Enable the interface to receive NTP broadcast packets.
By default, no interfaces receive NTP broadcast packets.
Step 4
exit
Return to global configuration mode.
Step 5
ntp broadcastdelay microseconds
(Optional) Change the estimated round-trip delay between the switch and
the NTP broadcast server.
The default is 3000 microseconds; the range is 1 to 999999.
Step 6
end
Return to privileged EXEC mode.
Step 7
show running-config
Verify your entries.
Step 8
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface
configuration command. To change the estimated round-trip delay to the default, use the no ntp
broadcastdelay global configuration command.
This example shows how to configure an interface to receive NTP broadcast packets:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast client
Configuring NTP Access Restrictions
You can control NTP access on two levels as described in these sections:
•
Creating an Access Group and Assigning a Basic IP Access List, page 7-41
•
Disabling NTP Services on a Specific Interface, page 7-42
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using
access lists:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ntp access-group {query-only | serve-only | serve | peer} access-list-number
Create an access group, and apply a basic IP access list.
The keywords have these meanings:
•
query-only—Allows only NTP control queries.
•
serve-only—Allows only time requests.
•
serve—Allows time requests and NTP control queries, but does not
allow the switch to synchronize to the remote device.
•
peer—Allows time requests and NTP control queries and allows the
switch to synchronize to the remote device.
For access-list-number, enter a standard IP access list number from 1
to 99.
Step 3
access-list access-list-number permit source [source-wildcard]
Create the access list.
•
For access-list-number, enter the number specified in Step 2.
•
Enter the permit keyword to permit access if the conditions are
matched.
•
For source, enter the IP address of the device that is permitted access
to the switch.
•
(Optional) For source-wildcard, enter the wildcard bits to be applied
to the source.
Note
When creating an access list, remember that, by default, the end
of the access list contains an implicit deny statement for
everything if it did not find a match before reaching the end.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
The access group keywords are scanned in this order, from least restrictive to most restrictive:
1.
peer—Allows time requests and NTP control queries and allows the switch to synchronize itself to
a device whose address passes the access list criteria.
2.
serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize
itself to a device whose address passes the access list criteria.
3.
serve-only—Allows only time requests from a device whose address passes the access list criteria.
4.
query-only—Allows only NTP control queries from a device whose address passes the access list
criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted.
If no access groups are specified, all access types are granted to all devices. If any access groups are
specified, only the specified access types are granted.
To remove access control to the switch NTP services, use the no ntp access-group {query-only |
serve-only | serve | peer} global configuration command.
This example shows how to configure the switch to allow itself to synchronize to a peer from access
list 99. However, the switch restricts access to allow only time requests from access list 42:
Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
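The scan order and first-match rules stated above decide which access type a given NTP client or server actually receives, and an access list that reaches its end without a match denies. The following Python model is an added example for this section, not code from the Cisco guide. It parses configuration lines of the form shown in the example above (the embedded sample uses the guide's four lines plus two constructed entries, so that one host is permitted by both lists and one entry carries a wildcard mask) and reports the access type and operations a source address is granted.

```python
"""How IOS applies ntp access-group restrictions, modelled in Python.

Added example for this section, not code from the Cisco guide. It parses
running-config lines of the form shown above and answers which NTP access
type a given source address receives, following the rules the guide states:
types are scanned peer, serve, serve-only, query-only; the first type whose
access list permits the source wins; with no access groups configured every
type is granted; an access list that reaches its end without a match is an
implicit deny.
"""
import ipaddress
import re

# Scan order, least restrictive first, as the guide lists it.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type allows, from the keyword table in this section.
CAPABILITIES = {
    "peer": {"time-request", "control-query", "sync-to-remote"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}

_GROUP_RE = re.compile(r"^ntp access-group\s+(\S+)\s+(\d+)\s*$")
_ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample: the guide's example plus two extra lines so that one
# host matches two access lists and one entry uses a wildcard mask.
SAMPLE_CONFIG = """\
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
access-list 42 permit 172.20.130.5
access-list 42 permit 10.1.0.0 0.0.255.255
"""


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_config(text):
    """Return ({access type: ACL number}, {ACL number: [(action, src, wildcard)]})."""
    groups, acls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = int(m.group(2))
            continue
        m = _ACL_RE.match(line)
        if m:
            num, action, src, wild = m.groups()
            if src == "any":
                src, wild = "0.0.0.0", "255.255.255.255"
            elif src == "host":
                src, wild = wild, "0.0.0.0"
            entry = (action, _ip_int(src), _ip_int(wild or "0.0.0.0"))
            acls.setdefault(int(num), []).append(entry)
    return groups, acls


def acl_permits(acl, address):
    """First matching entry decides; no match is the implicit deny."""
    addr = _ip_int(address)
    for action, src, wild in acl:
        care = ~wild & 0xFFFFFFFF          # wildcard bit 1 means "don't care"
        if (addr & care) == (src & care):
            return action == "permit"
    return False


def granted_type(groups, acls, address):
    """Access type the switch grants to a source, or None for no access."""
    if not groups:
        return "peer"                      # no access groups: everything allowed
    for kind in ACCESS_ORDER:
        if kind in groups and acl_permits(acls.get(groups[kind], []), address):
            return kind
    return None


def allowed_operations(groups, acls, address):
    kind = granted_type(groups, acls, address)
    return set(CAPABILITIES[kind]) if kind else set()


if __name__ == "__main__":
    g, a = parse_config(SAMPLE_CONFIG)
    for host in ("172.20.130.5", "172.20.130.6", "10.1.7.9", "192.0.2.1"):
        print(host, granted_type(g, a, host), sorted(allowed_operations(g, a, host)))
```

Running the sample shows the point the text makes about ordering: 172.20.130.5 is permitted by both list 99 and list 42, but because peer is scanned before serve-only it is granted peer access, while 192.0.2.1 matches nothing and gets no NTP service at all once any access group exists.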
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default.
Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on
an interface:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Enter interface configuration mode, and specify the interface to disable.
Step 3
ntp disable
Disable NTP packets from being received on the interface.
By default, all interfaces receive NTP packets.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration
command.
Configuring the Source IP Address for NTP Packets
When the switch sends an NTP packet, the source IP address is normally set to the address of the interface
through which the NTP packet is sent. Use the ntp source global configuration command when you want to
use a particular source IP address for all NTP packets. The address is taken from the specified interface. This
command is useful if the address on an interface cannot be used as the destination for reply packets.
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP
source address is to be taken:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ntp source type number
Specify the interface type and number from which the IP source address
is taken.
By default, the source address is determined by the outgoing interface.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations. If a source address
is to be used for a specific association, use the source keyword in the ntp peer or ntp server global
configuration command as described in the “Configuring NTP Associations” section on page 7-38.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
•
show ntp associations [detail]
•
show ntp status
For detailed information about the fields in these displays, refer to the Cisco IOS Configuration
Fundamentals Command Reference for Release 12.1.
Configuring Time and Date Manually
If no other source of time is available, you can manually configure the time and date after the system is
restarted. The time remains accurate until the next system restart. We recommend that you use manual
configuration only as a last resort. If you have an outside source to which the switch can synchronize,
you do not need to manually set the system clock.
This section contains this configuration information:
•
Setting the System Clock, page 7-44
•
Displaying the Time and Date Configuration, page 7-44
•
Configuring the Time Zone, page 7-45
•
Configuring Summer Time (Daylight Saving Time), page 7-46
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do
not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Command
Purpose
Step 1
clock set hh:mm:ss day month year
or
clock set hh:mm:ss month day year
Manually set the system clock using one of these formats.
• For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
• For day, specify the day by date in the month.
• For month, specify the month by name.
• For year, specify the year (no abbreviation).
Step 2
show running-config
Verify your entries.
Step 3
copy running-config startup-config
(Optional) Save your entries in the configuration file.
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
Switch# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command.
The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to
be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time
is not authoritative, it is used only for display purposes. Until the clock is authoritative and the flag is
set, the switch does not offer its clock to NTP peers, which prevents peers from synchronizing to a clock
whose time may be invalid.
The symbol that precedes the show clock display has this meaning:
•
*—Time is not authoritative.
•
(blank)—Time is authoritative.
•
.—Time is authoritative, but NTP is not synchronized.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
clock timezone zone hours-offset [minutes-offset]
Set the time zone.
The switch keeps internal time in universal time coordinated (UTC), so
this command is used only for display purposes and when the time is
manually set.
•
For zone, enter the name of the time zone to be displayed when
standard time is in effect. The default is UTC.
•
For hours-offset, enter the hours offset from UTC.
•
(Optional) For minutes-offset, enter the minutes offset from UTC.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
The minutes-offset variable in the clock timezone global configuration command is available for those
cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone
for Newfoundland in Atlantic Canada (NST) is UTC-3:30, that is, 3 hours and 30 minutes behind UTC.
In this case, the necessary command is clock timezone NST -3 30. The minutes-offset is applied in the
same direction as the hours-offset, so -3 30 means 3 hours and 30 minutes behind UTC.
To set the time to UTC, use the no clock timezone global configuration command.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving
time) in areas where it starts and ends on a particular day of the week each year:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
Configure summer time to start and end on the specified days every year.
Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
•
For zone, specify the name of the time zone (for example, PDT) to be
displayed when summer time is in effect.
•
(Optional) For week, specify the week of the month (1 to 5 or last).
•
(Optional) For day, specify the day of the week (Sunday, Monday...).
•
(Optional) For month, specify the month (January, February...).
•
(Optional) For hh:mm, specify the time (24-hour format) in hours and
minutes.
•
(Optional) For offset, specify the number of minutes to add during
summer time. The default is 60.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
The first part of the clock summer-time global configuration command specifies when summer time
begins, and the second part specifies when it ends. All times are relative to the local time zone. The start
time is relative to standard time. The end time is relative to summer time. If the starting month is after
the ending month, the system assumes that you are in the southern hemisphere.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and
ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a
recurring pattern (configure the exact date and time of the next summer time events):
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]]
or
clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
Configure summer time to start on the first date and end on the second date.
Summer time is disabled by default.
• For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• (Optional) For month, specify the month (January, February...).
• (Optional) For date, specify the day of the month (1 to 31).
• (Optional) For year, specify the year (no abbreviation).
• (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
• (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable summer time, use the no clock summer-time global configuration command.
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April
26, 2001, at 02:00:
Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
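The time-zone and summer-time rules in the two preceding sections interact in ways that are easy to get wrong: the minutes-offset follows the sign of the hours-offset, the start of summer time is given in standard time but the end in summer time, and a start month later than the end month flips the rule for the southern hemisphere. The following Python model is an added example for those sections, not code from the Cisco guide. It parses the recurring form of clock summer-time as shown in the example above and computes the local time and zone label the switch would display for a UTC instant. Assumptions: the parameterless "United States rules" default and the date form are not modelled, and a fifth week that a month does not have falls back to the last occurrence of that weekday.

```python
"""Local time display from clock timezone and clock summer-time, in Python.

Added example for the time-zone and summer-time sections; it is not code
from the Cisco guide. The switch keeps UTC internally, so this reproduces
how a display time follows from the rules stated there: hours-offset and
minutes-offset of clock timezone, with the minutes applied in the same
direction as the hours (clock timezone NST -3 30 is UTC-3:30); a recurring
rule "week day month hh:mm" for start and end, the start in standard time
and the end in summer time; a southern-hemisphere rule when the start month
is after the end month; and the minutes added during summer time, 60 by
default. Assumptions: the parameterless United States default is not
modelled, and a fifth week that does not exist falls back to the last one.
"""
import calendar
import datetime as dt

DAYS = {name: i for i, name in enumerate(calendar.day_name)}              # Monday = 0
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}  # January = 1


def timezone_offset(hours_offset, minutes_offset=0):
    """clock timezone offset as a timedelta; minutes take the sign of the hours."""
    total = abs(hours_offset) * 60 + minutes_offset
    return dt.timedelta(minutes=-total if hours_offset < 0 else total)


def nth_weekday(year, month_name, day_name, week):
    """Date of the week-th (1 to 5, or 'last') day_name in month_name of year."""
    month = MONTHS[month_name]
    ndays = calendar.monthrange(year, month)[1]
    matches = [dt.date(year, month, d) for d in range(1, ndays + 1)
               if dt.date(year, month, d).weekday() == DAYS[day_name]]
    if week == "last":
        return matches[-1]
    return matches[min(int(week), len(matches)) - 1]   # assumption noted above


def parse_summer_time(command):
    """Parse: clock summer-time zone recurring week day month hh:mm week day month hh:mm [offset]"""
    t = command.split()
    if len(t) < 12 or t[:2] != ["clock", "summer-time"] or t[3] != "recurring":
        raise ValueError("only the full recurring form is supported here")
    return {"zone": t[2],
            "start": (t[4], t[5], t[6], t[7]),
            "end": (t[8], t[9], t[10], t[11]),
            "offset": int(t[12]) if len(t) > 12 else 60}


def _instant(year, rule_part):
    week, day, month, hhmm = rule_part
    hour, minute = (int(x) for x in hhmm.split(":"))
    return dt.datetime.combine(nth_weekday(year, month, day, week), dt.time(hour, minute))


class SwitchClock:
    def __init__(self, zone, hours_offset, minutes_offset=0, summer=None):
        self.zone = zone                                   # label shown in standard time
        self.std_offset = timezone_offset(hours_offset, minutes_offset)
        self.summer = summer                               # None: no clock summer-time

    def in_summer(self, std_local):
        """Is summer time in effect at this local standard-time instant?"""
        if not self.summer:
            return False
        start = _instant(std_local.year, self.summer["start"])
        # The end time is expressed in summer time; convert it to standard time.
        end = _instant(std_local.year, self.summer["end"]) - dt.timedelta(
            minutes=self.summer["offset"])
        if MONTHS[self.summer["start"][2]] > MONTHS[self.summer["end"][2]]:
            return std_local >= start or std_local < end   # southern hemisphere
        return start <= std_local < end

    def display(self, utc):
        """(local datetime, zone label) the switch would show for a UTC instant."""
        std_local = utc + self.std_offset
        if self.in_summer(std_local):
            return std_local + dt.timedelta(minutes=self.summer["offset"]), self.summer["zone"]
        return std_local, self.zone

    def display_text(self, utc_iso):
        local, zone = self.display(dt.datetime.fromisoformat(utc_iso))
        return f"{local:%Y-%m-%d %H:%M} {zone}"


if __name__ == "__main__":
    clock = SwitchClock("NST", -3, 30, parse_summer_time(
        "clock summer-time NDT recurring 1 Sunday April 2:00 last Sunday October 2:00"))
    for utc in ("2001-01-15T12:00", "2001-07-23T16:32", "2001-10-28T04:29", "2001-10-28T04:30"):
        print(utc, "UTC ->", clock.display_text(utc))
```

The two October instants one minute apart show the end-time convention: summer time ends at 02:00 NDT, which is 01:00 NST, so 04:30 UTC already displays as standard time.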
Configuring a System Name and Prompt
You configure the system name on the switch to identify it. By default, the system name and prompt are
Switch.
If you have not configured a system prompt, the first 20 characters of the system name are used as the
system prompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system
name changes, unless you manually configure the prompt by using the prompt global configuration
command.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command
Reference for Release 12.1.
This section contains this configuration information:
•
Default System Name and Prompt Configuration, page 7-48
•
Configuring a System Name, page 7-48
•
Configuring a System Prompt, page 7-49
•
Understanding DNS, page 7-49
Default System Name and Prompt Configuration
The default switch system name and prompt is Switch.
Configuring a System Name
Beginning in privileged EXEC mode, follow these steps to manually configure a system name:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
hostname name
Manually configure a system name.
The default setting is Switch.
The name must follow the rules for ARPANET host names. They must start
with a letter, end with a letter or digit, and have as interior characters only
letters, digits, and hyphens. Names can be up to 63 characters.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
When you set the system name, it is also used as the system prompt. You can override the prompt setting
by using the prompt global configuration command.
To return to the default hostname, use the no hostname global configuration command.
Configuring a System Prompt
Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
prompt string
Configure the command-line prompt to override the setting from the
hostname command.
The default prompt is either Switch or the name defined with the
hostname global configuration command, followed by an angle
bracket (>) for user EXEC mode or a pound sign (#) for privileged EXEC
mode.
The prompt can consist of all printing characters and escape sequences.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default prompt, use the no prompt [string] global configuration command.
Understanding DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can
map host names to IP addresses. When you configure DNS on your switch, you can substitute the host
name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support
operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain.
Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco
Systems is a commercial organization that IP identifies by a com domain name, so its domain name is
cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is
identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first
identify the host names, specify the name server that is present on your network, and enable the DNS.
This section contains this configuration information:
•
Default DNS Configuration, page 7-50
•
Setting Up DNS, page 7-50
•
Displaying the DNS Configuration, page 7-51
Default DNS Configuration
Table 7-3 shows the default DNS configuration.
Table 7-3
Default DNS Configuration
Feature
Default Setting
DNS enable state
Enabled.
DNS default domain name
None configured.
DNS servers
No name server addresses are configured.
Setting Up DNS
Beginning in privileged EXEC mode, follow these steps to set up your switch to use the DNS:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip domain-name name
Define a default domain name that the software uses to complete unqualified
host names (names without a dotted-decimal domain name).
Do not include the initial period that separates an unqualified name from the
domain name.
At start time, no domain name is configured; however, if the switch
configuration comes from a BOOTP or Dynamic Host Configuration Protocol
(DHCP) server, the default domain name might be set by the BOOTP or DHCP
server (if the servers were configured with this information).
Step 3
ip name-server server-address1 [server-address2 ... server-address6]
Specify the address of one or more name servers to use for name and address resolution.
You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
Step 4
ip domain-lookup
(Optional) Enable DNS-based host name-to-address translation on your switch. This feature is enabled by default.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you
configure a hostname that contains no periods (.), a period followed by the default domain name is
appended to the hostname before the DNS query is made to map the name to an IP address. The default
domain name is the value set by the ip domain-name global configuration command. If there is a
period (.) in the hostname, the IOS software looks up the IP address without appending any default
domain name to the hostname.
To remove a domain name, use the no ip domain-name name global configuration command. To remove
a name server address, use the no ip name-server server-address global configuration command. To
disable DNS on the switch, use the no ip domain-lookup global configuration command.
Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config privileged EXEC
command.
Creating a Banner
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all
connected terminals at login and is useful for sending messages that affect all network users (such as
impending system shutdowns).
The login banner also displays on all connected terminals. It is displayed after the MOTD banner and
before the login prompts.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Configuration Fundamentals Command Reference for Release 12.1.
This section contains this configuration information:
•
Default Banner Configuration, page 7-51
•
Configuring a Message-of-the-Day Login Banner, page 7-52
•
Configuring a Login Banner, page 7-53
Default Banner Configuration
The MOTD and login banners are not configured.
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to
the switch.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
banner motd c message c
Specify the message of the day.
For c, enter the delimiting character of your choice, for example, a
pound sign (#), and press the Return key. The delimiting character
signifies the beginning and end of the banner text. Characters after the
ending delimiter are discarded.
For message, enter a banner message up to 255 characters. You cannot
use the delimiting character in the message.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete the MOTD banner, use the no banner motd global configuration command.
This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol
as the beginning and ending delimiter:
Switch(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#
This example shows the banner displayed from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after
the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
banner login c message c
Specify the login message.
For c, enter the delimiting character of your choice, for example, a pound
sign (#), and press the Return key. The delimiting character signifies the
beginning and end of the banner text. Characters after the ending delimiter
are discarded.
For message, enter a login message up to 255 characters. You cannot use the
delimiting character in the message.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete the login banner, use the no banner login global configuration command.
This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol
as the beginning and ending delimiter:
Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)#
Managing the MAC Address Table
The MAC address table contains address information that the switch uses to forward traffic between
ports. All MAC addresses in the address table are associated with one or more ports. The address table
includes these types of addresses:
•
Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
•
Static address: a manually entered unicast or multicast address that does not age and that is not lost
when the switch resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number
associated with the address.
Note
For complete syntax and usage information for the commands used in this section, refer to the command
reference for this release.
This section contains this configuration information:
•
Building the Address Table, page 7-54
•
MAC Addresses and VLANs, page 7-55
•
Default MAC Address Table Configuration, page 7-55
•
Changing the Address Aging Time, page 7-55
•
Removing Dynamic Address Entries, page 7-56
•
Configuring MAC Address Notification Traps, page 7-56
•
Adding and Removing Static Address Entries, page 7-58
•
Adding and Removing Secure Addresses, page 7-59
•
Displaying Address Table Entries, page 7-60
Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to
individual workstations, repeaters, switches, routers, or other network devices. The switch provides
dynamic addressing by learning the source address of packets it receives on each port and adding the
address and its associated port number to the address table. As stations are added or removed from the
network, the switch updates the address table, adding new dynamic addresses and aging out those that
are not in use.
The aging interval is configured on a per-switch basis. However, the switch maintains an address table
for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis.
The switch sends packets between any combination of ports, based on the destination address of the
received packet. Using the MAC address table, the switch forwards the packet only to the port or ports
associated with the destination address. If the destination address is on the port that sent the packet, the
packet is filtered and not forwarded. The switch always uses the store-and-forward method: complete
packets are stored and checked for errors before transmission.
Catalyst 2950 Desktop Switch Software Configuration Guide
7-54
78-14982-01
Chapter 7
Administering the Switch
Managing the MAC Address Table
MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have
different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1
and ports 9, 10, and 11 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in
another until it is learned or statically associated with a port in the other VLAN. Addresses that are
statically entered in one VLAN must be configured as static addresses in all other VLANs or remain
unlearned in the other VLANs.
Default MAC Address Table Configuration
Table 7-4 shows the default MAC address table configuration.

Table 7-4  Default MAC Address Table Configuration

Feature              Default Setting
Aging time           300 seconds
Dynamic addresses    Automatically learned
Static addresses     None configured
Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in
use. You can change the aging time setting for all VLANs or for a specified VLAN.
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then
when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same
VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an
aging time can cause the address table to be filled with unused addresses, which prevents new addresses
from being learned. Flooding results, which can impact switch performance.
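The behaviour described in this section and the two before it (learning from source addresses, one logical table per VLAN, forwarding only to the port that owns the destination, filtering when the destination sits on the ingress port, flooding unknown destinations, and aging that never touches static entries) as an added Python model. This is example code written for this page, not code from the guide or from Cisco IOS; the class and method names, the port names and the MAC addresses used in it are constructed, and the aging-time range check mirrors the values the CLI accepts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FLOOD = "FLOOD"    # unknown destination: copy to every other port in the VLAN
FILTER = "FILTER"  # destination lives on the ingress port: drop the frame


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # seconds; meaningless for static entries, which never age


class MacAddressTable:
    """Constructed model of the switch's MAC address table (hypothetical class, not Catalyst code).

    One logical table per VLAN, a switch-wide aging time with an optional per-VLAN override,
    dynamic learning from source addresses, and static entries that are never aged.
    """

    def __init__(self, aging_time: int = 300) -> None:
        self.default_aging = aging_time              # 0 disables aging, as on the CLI
        self.vlan_aging: Dict[int, int] = {}         # per-VLAN override of the aging time
        self.tables: Dict[int, Dict[str, Entry]] = {}
        self.vlan_ports: Dict[int, Set[str]] = {}

    def add_port(self, vlan: int, port: str) -> None:
        self.vlan_ports.setdefault(vlan, set()).add(port)
        self.tables.setdefault(vlan, {})

    def set_aging(self, seconds: int, vlan: Optional[int] = None) -> None:
        """Same range as mac address-table aging-time: 0, or 10 to 1000000 seconds."""
        if seconds != 0 and not 10 <= seconds <= 1000000:
            raise ValueError("aging time must be 0 or 10..1000000 seconds")
        if vlan is None:
            self.default_aging = seconds
        else:
            self.vlan_aging[vlan] = seconds

    def aging_for(self, vlan: int) -> int:
        return self.vlan_aging.get(vlan, self.default_aging)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """A static entry is scoped to one VLAN; other VLANs still treat the address as unknown."""
        self.tables.setdefault(vlan, {})[mac] = Entry(port, static=True, last_seen=0.0)

    def learn(self, src_mac: str, vlan: int, port: str, now: float) -> None:
        """Learn or refresh a dynamic entry from the source address of a received frame."""
        table = self.tables.setdefault(vlan, {})
        current = table.get(src_mac)
        if current is not None and current.static:
            return  # learning never overwrites a static entry
        table[src_mac] = Entry(port, static=False, last_seen=now)

    def age(self, now: float) -> int:
        """Drop dynamic entries idle longer than their VLAN's aging time; return how many went."""
        removed = 0
        for vlan, table in self.tables.items():
            limit = self.aging_for(vlan)
            if limit == 0:
                continue  # aging disabled for this VLAN
            stale = [m for m, e in table.items() if not e.static and now - e.last_seen > limit]
            for mac in stale:
                del table[mac]
            removed += len(stale)
        return removed

    def forward(self, src_mac: str, dst_mac: str, vlan: int, in_port: str,
                now: float) -> Tuple[str, List[str]]:
        """Learn the source, then pick egress: a single port, FILTER, or FLOOD within the VLAN."""
        self.learn(src_mac, vlan, in_port, now)
        entry = self.tables[vlan].get(dst_mac)
        if entry is None:
            others = sorted(self.vlan_ports.get(vlan, set()) - {in_port})
            return FLOOD, others
        if entry.port == in_port:
            return FILTER, []
        return entry.port, [entry.port]
```

Running `age()` with a short aging time and then forwarding to an address that was just dropped shows the cost the section warns about: the frame is flooded to every other port of the VLAN until the address is learned again.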
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging
time:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]
        Purpose: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
        The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.
        For vlan-id, valid IDs are 1 to 4094 when the enhanced software image (EI) is installed and 1 to 1005 when the standard software image (SI) is installed. Do not enter leading zeros.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show mac address-table aging-time
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To return to the default value, use the no mac address-table aging-time global configuration command.
Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC
mode. You can also remove a specific MAC address (clear mac address-table dynamic address
mac-address), remove all addresses on the specified physical port or port channel (clear mac
address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear
mac address-table dynamic vlan vlan-id).
To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged
EXEC command.
Configuring MAC Address Notification Traps
MAC address notification enables you to track users on a network by storing the MAC address activity
on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be
generated and sent to the NMS. If you have many users coming and going from the network, you can set
a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification
history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC
address notifications are generated for dynamic and secure MAC addresses; events are not generated for
self addresses, multicast addresses, or other static addresses.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address
notification traps to an NMS host:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Purpose: Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
        • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
        • Specify the SNMP version to support. Version 1, the default, is not available with informs.
        • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
        • For notification-type, use the mac-notification keyword.
Step 3  Command: snmp-server enable traps mac-notification
        Purpose: Enable the switch to send MAC address traps to the NMS.
Step 4  Command: mac address-table notification
        Purpose: Enable the MAC address notification feature.
Step 5  Command: mac address-table notification [interval value] | [history-size value]
        Purpose: Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
        • (Optional) For history-size value, specify the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.
Step 6  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface on which to enable the SNMP MAC address notification trap.
Step 7  Command: snmp trap mac-notification {added | removed}
        Purpose: Enable the MAC address notification trap.
        • added: Enable the MAC notification trap whenever a MAC address is added on this interface.
        • removed: Enable the MAC notification trap whenever a MAC address is removed from this interface.
Step 8  Command: end
        Purpose: Return to privileged EXEC mode.
Step 9  Command: show mac address-table notification interface
                 show running-config
        Purpose: Verify your entries.
Step 10 Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable
traps mac-notification global configuration command. To disable the MAC address notification traps
on a specific interface, use the no snmp trap mac-notification {added | removed} interface
configuration command. To disable the MAC address notification feature, use the no mac address-table
notification global configuration command.
This example shows how to specify 172.20.10.10 as the NMS, enable the switch to send MAC address
notification traps to the NMS, enable the MAC address notification feature, set the interval time to 60
seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on Fast
Ethernet interface 0/4.
Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface fastethernet0/4
Switch(config-if)# snmp trap mac-notification added
You can verify the previous commands by entering the show mac address-table notification interface
and the show mac address-table notification privileged EXEC commands.
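The notification behaviour described in this section, as an added Python model: only dynamic and secure addresses produce events, a per-interface trap is enabled separately for added and removed, events are bundled into one trap per interval, and the history table is bounded by history-size. This is example code written for this page, not code from the guide or from Cisco IOS; MacNotifier, MacEvent, the port names and the addresses are constructed, and the range checks use the limits the guide gives for interval and history-size.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set

# Address classes for which the switch generates no notification.
NON_NOTIFYING = {"static", "multicast", "self"}


@dataclass(frozen=True)
class MacEvent:
    action: str   # "added" or "removed"
    mac: str
    vlan: int
    port: str
    kind: str     # "dynamic", "secure", "static", "multicast", "self"
    time: float   # seconds


class MacNotifier:
    """Constructed model of mac address-table notification (hypothetical class, not switch code).

    Events on ports with the matching trap enabled are bundled into one trap per interval and
    appended to a history table that keeps at most history_size entries.
    """

    def __init__(self, interval: int = 1, history_size: int = 1) -> None:
        if not 0 <= interval <= 2147483647:
            raise ValueError("interval out of range (0..2147483647)")
        if not 0 <= history_size <= 500:
            raise ValueError("history-size out of range (0..500)")
        self.interval = interval
        self.history: Deque[List[MacEvent]] = deque(maxlen=history_size)
        self.enabled: Dict[str, Set[str]] = {}   # port -> {"added", "removed"}
        self.pending: List[MacEvent] = []
        self.window_start: Optional[float] = None
        self.sent_traps: List[List[MacEvent]] = []

    def enable(self, port: str, action: str) -> None:
        """Equivalent of 'snmp trap mac-notification {added | removed}' on an interface."""
        if action not in ("added", "removed"):
            raise ValueError("action must be 'added' or 'removed'")
        self.enabled.setdefault(port, set()).add(action)

    def record(self, ev: MacEvent) -> bool:
        """Queue an event if it is notifiable on its port; return whether it was queued."""
        if ev.kind in NON_NOTIFYING:
            return False
        if ev.action not in self.enabled.get(ev.port, set()):
            return False
        if self.window_start is None:
            self.window_start = ev.time   # first event opens the bundling window
        self.pending.append(ev)
        self.tick(ev.time)
        return True

    def tick(self, now: float) -> Optional[List[MacEvent]]:
        """Flush the pending bundle as a single trap once the interval has elapsed."""
        if not self.pending or now - self.window_start < self.interval:
            return None
        bundle = list(self.pending)
        self.sent_traps.append(bundle)
        self.history.append(bundle)   # deque drops the oldest bundle beyond history_size
        self.pending = []
        self.window_start = None
        return bundle
```

With interval 0 the model sends a trap per event, which is the configuration that generates the most management traffic on a busy access port; a longer interval trades reporting delay for fewer traps.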
Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them. The forwarding
behavior determines how a port that receives a packet forwards it to another port for transmission.
Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the
address from the ports that you specify. You can specify a different list of destination ports for each
source port.
A static address in one VLAN must be a static address in other VLANs. A packet with a static address
that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.
You add a static address to the address table by specifying the destination MAC address (unicast or
multicast) and the VLAN from which it is received. Packets received with this destination address are
forwarded to the interface specified with the interface-id option.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: mac address-table static mac-addr vlan vlan-id interface interface-id
        Purpose: Add a static address to the MAC address table.
        • For mac-addr, specify the destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
        • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094 when the EI is installed and 1 to 1005 when the SI is installed; do not enter leading zeros.
        • For interface-id..., specify the interface to which the received packet is forwarded. Valid interfaces include physical ports.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show mac address-table static
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To remove static entries from the address table, use the no mac address-table static mac-addr vlan
vlan-id interface interface-id global configuration command.
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified interface:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1
Adding and Removing Secure Addresses
A secure address is a manually entered unicast address or dynamically learned address that is forwarded
to only one port per VLAN. If you enter a static address that is already assigned to another port, the
request will be rejected.
Secure addresses can be learned dynamically if the configured secure addresses do not reach the
maximum limit of the port.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky learning. When sticky learning is
enabled, the interface converts all the dynamic secure MAC addresses, including those that were learned
dynamically before sticky learning is enabled, to sticky secure MAC addresses. It adds all the sticky
secure MAC addresses to the running configuration. For more information, see the “Secure MAC
Addresses” section on page 18-5.
Beginning in privileged EXEC mode, follow these steps to add a secure address:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: interface interface-id
        Purpose: Specify an interface, and enter interface configuration mode.
Step 3  Command: switchport port-security mac-address mac-address
        Purpose: Add a secure address.
Step 4  Command: end
        Purpose: Return to privileged EXEC mode.
Step 5  Command: show port-security
        Purpose: Verify your entry.
Step 6  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To remove a secure address, use the no switchport port-security mac-address mac-address global
configuration command.
Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands
described in Table 7-5:
Table 7-5  Commands for Displaying the MAC Address Table

Command                             Description
show mac address-table address      Displays MAC address table information for the specified MAC address.
show mac address-table aging-time   Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count        Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic      Displays dynamic MAC address table entries only.
show mac address-table interface    Displays the MAC address table information for the specified interface.
show mac address-table multicast    Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table static       Displays static MAC address table entries only.
show mac address-table vlan         Displays the MAC address table information for the specified VLAN.
Managing the ARP Table
To communicate with a device (over Ethernet, for example), the software first must determine the 48-bit
MAC or the local data link address of that device. The process of determining the local data link address
from an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or
MAC addresses and the VLAN ID. Taking an IP address as input, ARP determines the associated MAC
address. Once a MAC address is determined, the IP-MAC address association is stored in an ARP cache
for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.
Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet
is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP
encapsulation (represented by the arpa keyword) is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com.
Switch Software Releases
The switch software is regularly updated with new features and bug fixes, and you might want to upgrade
your Catalyst 2950 switch with the latest software release. New software releases are posted on Cisco.com
and are available through authorized resellers. Cisco also supplies a TFTP server that you can download
from Cisco.com.
Before upgrading a switch, first find out the version of the software that the switch is running. You can
do this by selecting Reports > Inventory or by using the show version user EXEC command.
Knowing the software version is important, especially for:
• Compatibility reasons (for example, for switch clusters)
• LRE and non-LRE Catalyst 2950 switches, which do not share the same software image. The LRE-only image cannot be installed on non-LRE switches. The non-LRE image does not include LRE functionality and should not be installed on LRE switches.
Refer to the release notes (http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12111YJ/ol236205.htm) for
• Switch requirements
• Switch upgrade guidelines and procedures
Chapter 8
Configuring 802.1X Port-Based Authentication
This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized
devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate
lobbies, insecure environments could be created.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command
reference for this release.
This chapter consists of these sections:
• Understanding 802.1X Port-Based Authentication, page 8-1
• Configuring 802.1X Authentication, page 8-5
• Displaying 802.1X Statistics and Status, page 8-14
Understanding 802.1X Port-Based Authentication
The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that
restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The
authentication server authenticates each client connected to a switch port before making available any
services offered by the switch or the LAN.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol
over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is
successful, normal traffic can pass through the port.
These sections describe 802.1X port-based authentication:
• Device Roles, page 8-2
• Authentication Initiation and Message Exchange, page 8-3
• Ports in Authorized and Unauthorized States, page 8-4
• Supported Topologies, page 8-5
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles as shown in
Figure 8-1.
Figure 8-1  802.1X Device Roles
[Figure: workstations (clients) connect to a Catalyst 2950 or 3550 switch, which communicates with an authentication server (RADIUS).]
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE 802.1X specification.)
Note
To resolve Windows XP network connectivity and 802.1X authentication issues, read the
Microsoft Knowledge Base article at this URL:
http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP
• Authentication server—performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible Authentication Protocol (EAP) frames and interacting with the authentication server.
When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet
header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP
frames are not modified or examined during encapsulation, and the authentication server must
support EAP within the native frame format. When the switch receives frames from the
authentication server, the server’s frame header is removed, leaving the EAP frame, which is then
encapsulated for Ethernet and sent to the client.
The devices that can act as intermediaries include the Catalyst 3550 multilayer switch, the Catalyst
2950 switch, or a wireless access point. These devices must be running software that supports the
RADIUS client and 802.1X.
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the
dot1x port-control auto interface configuration command, the switch must initiate authentication when
it determines that the port link state transitions from down to up. It then sends an EAP-request/identity
frame to the client to request its identity (typically, the switch sends an initial identity/request frame
followed by one or more requests for authentication information). Upon receipt of the frame, the client
responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame from the switch,
the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to
request the client’s identity.
Note
If 802.1X is not enabled or supported on the network access device, any EAPOL frames from the client
are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start
authentication, the client sends frames as if the port is in the authorized state. A port in the authorized
state effectively means that the client has been successfully authenticated. For more information, see the
“Ports in Authorized and Unauthorized States” section on page 8-4.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames
between the client and the authentication server until authentication succeeds or fails. If the
authentication succeeds, the switch port becomes authorized. For more information, see the “Ports in
Authorized and Unauthorized States” section on page 8-4.
The specific exchange of EAP frames depends on the authentication method being used. Figure 8-2
shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication
method with a RADIUS server.
Figure 8-2  Message Exchange
[Figure: client, Catalyst 2950 or 3550 switch, and authentication server (RADIUS); the messages in order]
Client to switch: EAPOL-Start
Switch to client: EAP-Request/Identity
Client to switch: EAP-Response/Identity
Switch to server: RADIUS Access-Request
Server to switch: RADIUS Access-Challenge
Switch to client: EAP-Request/OTP
Client to switch: EAP-Response/OTP
Switch to server: RADIUS Access-Request
Server to switch: RADIUS Access-Accept
Switch to client: EAP-Success
Port Authorized
Client to switch: EAPOL-Logoff
Port Unauthorized
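The client-to-switch half of the exchange in Figure 8-2, as an added Python example that builds the frames and parses them back: EAPOL header (version, packet type, length) over Ethertype 0x888E, EAP packets inside EAPOL type 0, and the PAE group address that EAPOL-Start and EAPOL-Logoff are sent to. It is example code written for this page, not code from the guide, from a supplicant or from Cisco IOS. The MAC addresses, the identity "alice" and the OTP challenge and response bytes are constructed placeholders; the parser is strict about the length fields because a port in the unauthorized state lets exactly these frames through, so the switch must not trust what they claim about themselves.

```python
import struct
from typing import List, NamedTuple, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination of EAPOL-Start and EAPOL-Logoff
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 5: "OTP", 6: "GTC"}

# Constructed addresses for the example exchange.
CLIENT = bytes.fromhex("001122334455")
SWITCH = bytes.fromhex("00d0b7aabbcc")


class EapolFrame(NamedTuple):
    dst: bytes
    src: bytes
    eapol_type: str
    eap_code: Optional[str]
    eap_id: Optional[int]
    eap_type: Optional[str]
    payload: bytes


def build_eapol(src: bytes, dst: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header, then the EAPOL header (version 1, packet type, body length)."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, then type and type-data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eapol(frame: bytes) -> Optional[EapolFrame]:
    """Decode an Ethernet frame as EAPOL; return None for anything malformed or not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src, (ethertype,) = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3) or ptype not in EAPOL_TYPES:
        return None
    body = frame[18:18 + length]
    if len(body) != length:
        return None                      # truncated: never trust the length field
    if ptype != 0:
        return EapolFrame(dst, src, EAPOL_TYPES[ptype], None, None, None, body)
    if len(body) < 4:
        return None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or eap_len < 4 or eap_len > len(body):
        return None
    payload, eap_type = body[4:eap_len], None
    if code in (1, 2):                   # Request and Response carry a type byte
        if not payload:
            return None
        eap_type, payload = EAP_TYPES.get(payload[0], f"type-{payload[0]}"), payload[1:]
    return EapolFrame(dst, src, "EAP-Packet", EAP_CODES[code], ident, eap_type, payload)


def describe(frame: bytes) -> str:
    """Name the frame the way the figure does, for example 'EAP-Request/Identity'."""
    f = parse_eapol(frame)
    if f is None:
        return "not EAPOL"
    if f.eap_code is None:
        return f.eapol_type
    return f"EAP-{f.eap_code}" + (f"/{f.eap_type}" if f.eap_type else "")


def allowed_on_unauthorized_port(frame: bytes) -> bool:
    """An unauthorized 802.1X port passes only EAPOL; every other frame is dropped."""
    return parse_eapol(frame) is not None


def client_switch_exchange() -> List[bytes]:
    """The client-to-switch frames of Figure 8-2, constructed (OTP bytes are placeholders)."""
    return [
        build_eapol(CLIENT, PAE_GROUP_ADDR, 1),                                   # EAPOL-Start
        build_eapol(SWITCH, CLIENT, 0, build_eap(1, 1, 1)),                       # EAP-Request/Identity
        build_eapol(CLIENT, SWITCH, 0, build_eap(2, 1, 1, b"alice")),             # EAP-Response/Identity
        build_eapol(SWITCH, CLIENT, 0, build_eap(1, 2, 5, b"otp-md5 487 dog2")),  # EAP-Request/OTP
        build_eapol(CLIENT, SWITCH, 0, build_eap(2, 2, 5, b"<otp response>")),    # EAP-Response/OTP
        build_eapol(SWITCH, CLIENT, 0, build_eap(3, 2)),                          # EAP-Success
        build_eapol(CLIENT, PAE_GROUP_ADDR, 2),                                   # EAPOL-Logoff
    ]
```

The RADIUS side of the figure is not built here: the switch strips the Ethernet header and carries the EAP packet unchanged inside RADIUS attributes, so the EAP bytes produced by build_eap are what the authentication server sees.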
Ports in Authorized and Unauthorized States
The switch port state determines whether or not the client is granted access to the network. The port
starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except
for 802.1X protocol packets. When a client is successfully authenticated, the port transitions to the
authorized state, allowing all traffic for the client to flow normally.
If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests
the client’s identity. In this situation, the client does not respond to the request, the port remains in the
unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol,
the client initiates the authentication process by sending the EAPOL-start frame. When no response is
received, the client sends the request for a fixed number of times. Because no response is received, the
client begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the dot1x port-control interface configuration
command and these keywords:
• force-authorized—disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1X-based authentication of the client. This is the default setting.
• force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
• auto—enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client’s MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed through the
port. If the authentication fails, the port remains in the unauthorized state, but authentication can be
retried. If the authentication server cannot be reached, the switch can resend the request. If no response
is received from the server after the specified number of attempts, authentication fails, and network
access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the
unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
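The port states and the three port-control keywords described in this section, as an added Python state machine for the switch (authenticator) side of one port. It is example code written for this page, not code from the guide or from Cisco IOS. Event names follow the guide where it names them (link up/down, EAPOL-Start, EAP-Response/Identity, EAPOL-Logoff, the server's Accept); Access-Reject and the server-timeout event are the standard RADIUS outcomes behind "authentication fails" and "the authentication server cannot be reached", and max_server_attempts is a constructed stand-in for the retry limit the guide refers to without naming.

```python
from enum import Enum
from typing import List, Optional


class Control(Enum):
    """Keywords of dot1x port-control."""
    FORCE_AUTHORIZED = "force-authorized"
    FORCE_UNAUTHORIZED = "force-unauthorized"
    AUTO = "auto"


class PortState(Enum):
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"


class Dot1xPort:
    """Constructed model of the authenticator side of one switch port (hypothetical class,
    not Catalyst code). max_server_attempts stands in for the number of times the switch
    tries the authentication server before it gives up and denies access."""

    def __init__(self, control: Control = Control.FORCE_AUTHORIZED,
                 max_server_attempts: int = 3) -> None:
        self.control = control
        self.max_server_attempts = max_server_attempts
        self.client_mac: Optional[str] = None
        self.server_attempts = 0
        self.sent: List[str] = []   # frames the switch would send, for inspection
        self.state = self._initial_state()

    def _initial_state(self) -> PortState:
        # force-authorized (the default) authorizes with no exchange; the others start unauthorized
        if self.control is Control.FORCE_AUTHORIZED:
            return PortState.AUTHORIZED
        return PortState.UNAUTHORIZED

    def set_control(self, control: Control) -> PortState:
        self.control = control
        self.state = self._initial_state()
        return self.state

    def handle(self, event: str, mac: Optional[str] = None) -> PortState:
        """Apply one event and return the resulting port state."""
        if self.control is not Control.AUTO:
            return self.state   # forced modes ignore every authentication event
        if event == "link-up":
            self.state, self.server_attempts = PortState.UNAUTHORIZED, 0
            self.sent.append("EAP-Request/Identity")          # switch initiates
        elif event in ("link-down", "EAPOL-Logoff"):
            self.state, self.client_mac = PortState.UNAUTHORIZED, None
        elif event == "EAPOL-Start":
            self.sent.append("EAP-Request/Identity")          # client initiates
        elif event == "EAP-Response/Identity":
            self.client_mac = mac           # the client is identified by its MAC address
            self.server_attempts = 1
            self.sent.append("RADIUS Access-Request")
        elif event == "Access-Accept":
            self.state = PortState.AUTHORIZED
            self.sent.append("EAP-Success")
        elif event == "Access-Reject":
            self.state = PortState.UNAUTHORIZED   # stays unauthorized; the client may retry
            self.sent.append("EAP-Failure")
        elif event == "server-timeout":
            if self.server_attempts < self.max_server_attempts:
                self.server_attempts += 1
                self.sent.append("RADIUS Access-Request")     # resend to the server
            else:
                self.state = PortState.UNAUTHORIZED
                self.sent.append("EAP-Failure")               # server unreachable: no access
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.state

    def forwards(self, is_eapol: bool) -> bool:
        """Frame admission: everything when authorized, only EAPOL frames otherwise."""
        return self.state is PortState.AUTHORIZED or is_eapol
```

The default value of the model, force-authorized, matches Table 8-1 later in the chapter: a port that has never had dot1x port-control auto applied forwards all traffic and never consults the server.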
Supported Topologies
The 802.1X port-based authentication is supported in two topologies:
• Point-to-point
• Wireless LAN
In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the
802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 8-3 shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured
as a multiple-host port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.
Figure 8-3  Wireless LAN Example
[Figure: wireless clients associate with an access point, which connects to a Catalyst 2950 or 3550 switch; the switch communicates with an authentication server (RADIUS).]
Configuring 802.1X Authentication
These sections describe how to configure 802.1X port-based authentication on your switch:
• Default 802.1X Configuration, page 8-6
• 802.1X Configuration Guidelines, page 8-7
• Enabling 802.1X Authentication, page 8-8 (required)
• Configuring the Switch-to-RADIUS-Server Communication, page 8-9 (required)
• Enabling Periodic Re-Authentication, page 8-10 (optional)
• Manually Re-Authenticating a Client Connected to a Port, page 8-11 (optional)
• Changing the Quiet Period, page 8-11 (optional)
• Changing the Switch-to-Client Retransmission Time, page 8-12 (optional)
• Setting the Switch-to-Client Frame-Retransmission Number, page 8-13 (optional)
• Enabling Multiple Hosts, page 8-13 (optional)
• Resetting the 802.1X Configuration to the Default Values, page 8-14 (optional)
Default 802.1X Configuration
Table 8-1 shows the default 802.1X configuration.
Table 8-1  Default 802.1X Configuration

Feature                                               Default Setting
Authentication, authorization, and accounting (AAA)   Disabled.
RADIUS server
  IP address                                          None specified.
  UDP authentication port                             1812.
  Key                                                 None specified.
Per-interface 802.1X enable state                     Disabled (force-authorized). The port sends and receives normal traffic without 802.1X-based authentication of the client.
Periodic re-authentication                            Disabled.
Number of seconds between re-authentication attempts  3600 seconds.
Quiet period                                          60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client).
Retransmission time                                   30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).
Maximum retransmission number                         2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
Multiple host support                                 Disabled.
Client timeout period                                 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client).
Authentication server timeout period                  30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before resending the response to the server. This setting is not configurable.)
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled.
• The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
– Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is
not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode
is not changed.
– Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query
Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change
an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the
VLAN configuration is not changed.
– EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a
not-yet active port of an EtherChannel, the port does not join the EtherChannel.
– Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X
on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an
802.1X-enabled port to a secure port, an error message appears, and the security settings are not
changed.
– Switched Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a
SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN
destination. You can enable 802.1X on a SPAN source port.
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you must enable AAA and specify the authentication
method list. A method list describes the sequence and authentication methods to be queried to
authenticate a user.
The software uses the first method listed to authenticate users; if that method fails to respond, the
software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication.
This procedure is required.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: aaa new-model
    Enable AAA.
Step 3: aaa authentication dot1x {default} method1 [method2...]
    Create an 802.1X authentication method list.
    To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
    Enter at least one of these keywords:
    • group radius—Use the list of all RADIUS servers for authentication.
    • none—Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.
Step 4: interface interface-id
    Enter interface configuration mode, and specify the interface connected to the client that is to be enabled for 802.1X authentication.
Step 5: dot1x port-control auto
    Enable 802.1X authentication on the interface.
    For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports, see the “802.1X Configuration Guidelines” section on page 8-7.
Step 6: end
    Return to privileged EXEC mode.
Step 7: show dot1x
    Verify your entries.
    Check the Status column in the 802.1X Port Summary section of the display. An enabled status means the port-control value is set either to auto or to force-unauthorized.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA
authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global
configuration command. To disable 802.1X authentication, use the dot1x port-control
force-authorized or the no dot1x port-control interface configuration command.
This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their host name or IP address, host name and specific UDP
port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP
port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP
ports on a server at the same IP address. If two different host entries on the same RADIUS server are
configured for the same service—for example, authentication—the second host entry configured acts as
the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were
configured.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on
the switch. This procedure is required.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: radius-server host {hostname | ip-address} auth-port port-number key string
    Configure the RADIUS server parameters on the switch.
    For hostname | ip-address, specify the host name or IP address of the remote RADIUS server.
    For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812.
    For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
    Note
    Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
    If you want to use multiple RADIUS servers, re-enter this command.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show running-config
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global
configuration command.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to
use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the
RADIUS server:
Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using the radius-server host global configuration command. If you want to configure these
options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the
radius-server key global configuration commands. For more information, see the “Configuring Settings
for All RADIUS Servers” section on page 7-29.
You also need to configure some settings on the RADIUS server. These settings include the IP address
of the switch and the key string to be shared by both the server and the switch. For more information,
refer to the RADIUS server documentation.
Enabling Periodic Re-Authentication
You can enable periodic 802.1X client re-authentication and specify how often it occurs. If you do not
specify a time period before enabling re-authentication, the number of seconds between
re-authentication attempts is 3600.
Automatic 802.1X client re-authentication is a global setting and cannot be set for clients connected to
individual ports. To manually re-authenticate the client connected to a specific port, see the “Manually
Re-Authenticating a Client Connected to a Port” section on page 8-11.
Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client
and to configure the number of seconds between re-authentication attempts:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: dot1x re-authentication
    Enable periodic re-authentication of the client, which is disabled by default.
Step 3: dot1x timeout re-authperiod seconds
    Set the number of seconds between re-authentication attempts.
    The range is 1 to 4294967295; the default is 3600 seconds.
    This command affects the behavior of the switch only if periodic re-authentication is enabled.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show dot1x
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable periodic re-authentication, use the no dot1x re-authentication global configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout re-authperiod global configuration command.
This example shows how to enable periodic re-authentication and set the number of seconds between
re-authentication attempts to 4000:
Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 4000
Manually Re-Authenticating a Client Connected to a Port
You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x
re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable
periodic re-authentication, see the “Enabling Periodic Re-Authentication” section on page 8-10.
This example shows how to manually re-authenticate the client connected to Fast Ethernet port 0/1:
Switch# dot1x re-authenticate interface fastethernet0/1
Starting reauthentication on FastEthernet0/1
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then
tries again. The idle time is determined by the quiet-period value. A failed authentication of the client
might occur because the client provided an invalid password. You can provide a faster response time to
the user by entering a smaller number than the default.
Beginning in privileged EXEC mode, follow these steps to change the quiet period:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: dot1x timeout quiet-period seconds
    Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.
    The range is 0 to 65535 seconds; the default is 60.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show dot1x
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default quiet time, use the no dot1x timeout quiet-period global configuration
command.
This example shows how to set the quiet time on the switch to 30 seconds:
Switch(config)# dot1x timeout quiet-period 30
Changing the Switch-to-Client Retransmission Time
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity
frame. If the switch does not receive this response, it waits a set period of time (known as the
retransmission time) and then resends the frame.
Note
You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch
waits for client notification:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: dot1x timeout tx-period seconds
    Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
    The range is 1 to 65535 seconds; the default is 30.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show dot1x
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default retransmission time, use the no dot1x timeout tx-period global configuration
command.
This example shows how to set 60 as the number of seconds that the switch waits for a response to an
EAP-request/identity frame from the client before resending the request:
Switch(config)# dot1x timeout tx-period 60
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times
that the switch sends an EAP-request/identity frame (assuming no response is received) to the client
before restarting the authentication process.
Note
You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission
number:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: dot1x max-req count
    Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show dot1x
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default retransmission number, use the no dot1x max-req global configuration
command.
This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity
request before restarting the authentication process:
Switch(config)# dot1x max-req 5
Enabling Multiple Hosts
You can attach multiple hosts to a single 802.1X-enabled port as shown in Figure 8-3 on page 8-5. In
this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted
network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message
is received), all attached clients are denied access to the network.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an
802.1X-authorized port that has the dot1x port-control interface configuration command set to auto.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Step 3: dot1x multiple-hosts
    Allow multiple hosts (clients) on an 802.1X-authorized port.
    Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show dot1x interface interface-id
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
This example shows how to enable 802.1X on Fast Ethernet interface 0/1 and to allow multiple hosts:
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts
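The settings configured in the preceding sections (AAA and the dot1x method list, the radius-server host and its key, periodic re-authentication, the trunk-port guideline, and multiple hosts) can be checked against a saved running-config. The following Python audit is an added example, not Cisco code; it runs on a constructed sample config written in this chapter's command syntax, and the finding codes (METHOD-NONE, RADIUS-NO-KEY, and so on) are the example's own names.

```python
"""Audit a Cisco IOS running-config for the 802.1X settings this chapter configures (added
example, not Cisco code): AAA on, a dot1x method list without 'none', a keyed radius-server
host when 'group radius' is used, re-authentication on, no 802.1X on trunk ports, multiple-hosts noted."""
import re
from dataclasses import dataclass

# Constructed sample running-config in the chapter's command syntax (not a real capture).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius none
radius-server host 172.20.39.46 auth-port 1612 key rad123
radius-server host 172.20.39.47 auth-port 1812 key
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
 dot1x multiple-hosts
"""


@dataclass(frozen=True)
class Finding:
    code: str     # audit-specific identifier for the check that fired
    target: str   # "global", an interface name, or a RADIUS host
    message: str


def split_config(text):
    """Split a running-config into (global_lines, {interface: [indented lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def parse_radius_host(line):
    """Parse 'radius-server host {hostname | ip-address} [auth-port n] key string'.
    The key is the last item: all text after 'key ' is the key, with inner and
    trailing spaces kept and leading spaces dropped, as the chapter's note says."""
    head, sep, key = line.partition(" key ")
    if not sep and line.rstrip().endswith(" key"):  # 'key' keyword with no value after it
        head = line.rstrip()[:-len(" key")]
    tokens = head.split()
    port = re.search(r"\bauth-port\s+(\d+)", head)
    return {"host": tokens[2] if len(tokens) > 2 else "",
            "auth_port": int(port.group(1)) if port else 1812,  # 1812 is the default
            "key": key.lstrip()}


def audit_dot1x(text):
    """Run every check against the config text; an empty list means nothing was flagged."""
    global_lines, interfaces = split_config(text)
    findings = []
    if "aaa new-model" not in global_lines:
        findings.append(Finding("AAA-OFF", "global", "aaa new-model missing; 802.1X needs AAA"))
    lists = [ln for ln in global_lines if ln.startswith("aaa authentication dot1x ")]
    if not lists:
        findings.append(Finding("NO-METHOD-LIST", "global", "no aaa authentication dot1x list"))
    if any("none" in ml.split()[3:] for ml in lists):
        findings.append(Finding("METHOD-NONE", "global", "method list contains 'none': clients "
                                "can be authenticated without supplying any credentials"))
    hosts = [parse_radius_host(ln) for ln in global_lines if ln.startswith("radius-server host ")]
    if any("group radius" in ml for ml in lists) and not hosts:
        findings.append(Finding("NO-RADIUS-HOST", "global", "group radius used but no host defined"))
    for host in hosts:
        if not host["key"]:
            findings.append(Finding("RADIUS-NO-KEY", host["host"], "radius-server host has no key"))
    if "dot1x re-authentication" not in global_lines:
        findings.append(Finding("REAUTH-OFF", "global", "periodic re-authentication is disabled"))
    for name, lines in interfaces.items():
        if "dot1x port-control auto" not in lines:
            continue  # 802.1X not enforced on this port, so the port checks do not apply
        if any(ln.startswith(("switchport mode trunk", "switchport mode dynamic")) for ln in lines):
            findings.append(Finding("DOT1X-ON-TRUNK", name, "802.1X unsupported on trunk/dynamic port"))
        if "dot1x multiple-hosts" in lines:
            findings.append(Finding("MULTI-HOST", name, "one authenticated client admits all hosts"))
    return findings
```

Feed `audit_dot1x` the text of `show running-config`; a port with `dot1x port-control force-authorized` is skipped because 802.1X is not enforced there.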
Resetting the 802.1X Configuration to the Default Values
Beginning in privileged EXEC mode, follow these steps to reset the 802.1X configuration to the default
values:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: dot1x default
    Reset the configurable 802.1X parameters to the default values.
Step 3: end
    Return to privileged EXEC mode.
Step 4: show dot1x
    Verify your entries.
Step 5: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Displaying 802.1X Statistics and Status
To display 802.1X statistics for all interfaces, use the show dot1x statistics privileged EXEC command.
To display 802.1X statistics for a specific interface, use the show dot1x statistics interface interface-id
privileged EXEC command.
To display the 802.1X administrative and operational status for the switch, use the show dot1x privileged
EXEC command. To display the 802.1X administrative and operational status for a specific interface,
use the show dot1x interface interface-id privileged EXEC command.
For detailed information about the fields in these displays, refer to the command reference for this
release.
Chapter 9
Configuring the Switch Interfaces
This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter has these sections:
• Understanding Interface Types, page 9-1
• Using the Interface Command, page 9-4
• Configuring Switch Interfaces, page 9-9
• Monitoring and Maintaining the Interfaces, page 9-16
Note
For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1.
Understanding Interface Types
This section describes the different types of interfaces supported by the switch with references to
chapters that contain more detailed information about configuring these interface types. The rest of the
chapter describes configuration procedures for switch ports.
Switch ports are Layer 2-only interfaces associated with a physical port. They are used for managing the
physical interface and associated Layer 2 protocols and do not handle routing or bridging. A switch port
can be an access port or a trunk port.
You can configure a port as an access port or trunk port or let the Dynamic Trunking Protocol (DTP)
operate on a per-port basis to determine if a switch port should be an access port or a trunk port by
negotiating with the port on the other end of the link.
Configure switch ports by using the switchport interface configuration commands. For detailed
information about configuring access port and trunk port characteristics, see Chapter 14, “Configuring
VLANs.”
Note
The physical switch ports can be 10/100 Ethernet ports, 10/100/1000 Ethernet ports, 100BASE-FX ports, 1000BASE-SX ports, GBIC module ports, and Long-Reach Ethernet (LRE) ports. For more information, refer to the switch hardware installation guide.
These sections describe these types of interfaces:
• Access Ports, page 9-2
• Trunk Ports, page 9-2
• Port-Based VLANs, page 9-3
• EtherChannel Port Groups, page 9-3
• Connecting Interfaces, page 9-3
Access Ports
An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native
formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN
assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q
tagged), the packet is dropped, the source address is not learned, and the frame is counted in the No
destination statistic. An access port can forward a tagged packet (802.1P and 802.1Q).
Two types of access ports are supported:
• Static access ports are manually assigned to a VLAN.
• VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic access port is a member of no VLAN, and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered. Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6000 series switch; the Catalyst 2950 switch does not support the function of a VMPS.
Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database. Only IEEE 802.1Q trunk ports are supported. An IEEE 802.1Q trunk port supports
simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default Port VLAN ID
(PVID), and all untagged traffic travels on the port default PVID. All untagged traffic and tagged traffic
with a NULL VLAN ID are assumed to belong to the port default PVID. A packet with a VLAN ID equal
to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs
does not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1
to 1005 when the standard software image [SI] is installed or VLAN ID 1 to 4094 when the enhanced
software image [EI] is installed) are in the allowed list. A trunk port can only become a member of a
VLAN if VTP knows of the VLAN and the VLAN is in the enabled state. If VTP learns of a new, enabled
VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a
member of that VLAN and traffic is forwarded to and from the trunk port for that VLAN. If VTP learns
of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a
member of the VLAN, and no traffic for the VLAN is forwarded to or from the port.
Note
VLAN 1 cannot be excluded from the allowed list.
For more information about trunk ports, see Chapter 14, “Configuring VLANs.”
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without
regard to the physical location of the users. For more information about VLANs, see Chapter 14,
“Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same
VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another
without a Layer 3 device to route traffic between the VLANs.
VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC
address table. A VLAN comes into existence when a local port is configured to be associated with the
VLAN, when the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or
when a user creates a VLAN.
To configure normal-range VLANs (VLAN IDs 1 to 1005), use the vlan vlan-id global configuration
command to enter config-vlan mode or the vlan database privileged EXEC command to enter VLAN
configuration mode. The VLAN configurations for VLAN IDs 1 to 1005 are saved in the VLAN
database. To configure extended-range VLANs (VLAN IDs 1006 to 4094) when the EI is installed, you
must use config-vlan mode with VTP mode set to transparent. Extended-range VLANs are not added to
the VLAN database. When VTP mode is transparent, the VTP and VLAN configuration is saved in the
switch running configuration, and you can save it in the switch startup configuration file by entering the
copy running-config startup-config privileged EXEC command.
Add ports to a VLAN by using the switchport interface configuration commands:
• Identify the interface.
• For a trunk port, set trunk characteristics, and if desired, define the VLANs to which it can belong.
• For an access port, set and define the VLAN to which it belongs.
EtherChannel Port Groups
EtherChannel port groups provide the ability to treat multiple switch ports as one switch port. These port
groups act as a single logical port for high-bandwidth connections between switches or between switches
and servers. An EtherChannel balances the traffic load across the links in the channel. If a link within
the EtherChannel fails, traffic previously carried over the failed link changes to the remaining links. You
can group multiple trunk ports into one logical trunk port or group multiple access ports into one logical
access port. Most protocols operate over either single ports or aggregated switch ports and do not
recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol
(CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
When you configure an EtherChannel, you create a port-channel logical interface and assign an interface
to the EtherChannel. For Layer 2 interfaces, the logical interface is dynamically created. You manually
assign an interface to the EtherChannel by using the channel-group interface configuration command.
This command binds the physical and logical ports together. For more information, see Chapter 27,
“Configuring EtherChannels.”
Connecting Interfaces
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs
cannot exchange data without going through a routing device or routed interface.
With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
In the configuration shown in Figure 9-1, when Host A in VLAN 20 sends data to Host B in VLAN 30,
it must go from Host A to the switch, to the router, back to the switch, and then to Host B.
Figure 9-1 Connecting VLANs with Layer 2 Switches (figure labels: Cisco router, Switch, Host A, VLAN 20, Host B, VLAN 30)
Using the Interface Command
To configure a physical interface (port), use the interface global configuration command to enter interface
configuration mode and to specify the interface type, slot, and number.
• Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or gi)
• Slot—The slot number on the switch (always 0 on this switch).
• Port number—The interface number on the switch. The port numbers always begin at 1, starting at the left when facing the front of the switch, for example, fastethernet 0/1, fastethernet 0/2. If there is more than one media type (for example, 10/100 ports and Gigabit Ethernet ports), the port number starts again with the second media: gigabitethernet 0/1, gigabitethernet 0/2.
You can identify physical interfaces by physically checking the interface location on the switch. You can
also use the IOS show privileged EXEC commands to display information about a specific interface or
all the interfaces on the switch. The remainder of this chapter primarily provides physical interface
configuration procedures.
This section describes how to configure all types of interfaces and how to configure a range of interfaces:
• Procedures for Configuring Interfaces, page 9-4
• Configuring a Range of Interfaces, page 9-6
• Configuring and Using Interface-Range Macros, page 9-8
Procedures for Configuring Interfaces
These general instructions apply to all interface configuration processes.
Step 1
Enter the configure terminal command at the privileged EXEC prompt:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
Step 2
Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet interface 0/1 is selected:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)#
Note
You do not need to add a space between the interface type and interface number. For example, in the preceding line, you can specify either gigabitethernet 0/1, gigabitethernet0/1, gi 0/1, or gi0/1.
Step 3
Follow each interface command with the interface configuration commands your particular interface requires. The commands you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.
Step 4
After you configure an interface, verify its status by using the show privileged EXEC commands listed in the “Monitoring and Maintaining the Interfaces” section on page 9-16.
Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for
the switch. A report is provided for each interface that the device supports or for the specified interface:
Switch# show interfaces
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0000.0000.0000 (bia 0000.0000.00
Internet address is 10.1.1.64/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:35, output 2d14h, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 1 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
264251 packets input, 163850228 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
380 packets output, 26796 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is down
Hardware is Fast Ethernet, address is 0000.0000.0001 (bia 0000.00
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
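The per-interface report shown above can be turned into structured records for baseline checks. The parser below is an added example, not Cisco code; it reads a constructed sample in the same report format and flags ports that are up with line protocol down or that show input error, CRC, or interface reset counters.

```python
"""Parse 'show interfaces' text into per-interface records and flag ports that need a look.
Added example, not Cisco code; it reads the report format shown in this section."""
import re

# Constructed sample in the format of the chapter's 'show interfaces' output (not a real capture).
SAMPLE_OUTPUT = """\
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0000.0000.0000 (bia 0000.0000.0000)
  Internet address is 10.1.1.64/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
     264251 packets input, 163850228 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     380 packets output, 26796 bytes, 0 underruns
     0 output errors, 0 interface resets
FastEthernet0/1 is up, line protocol is down
  Hardware is Fast Ethernet, address is 0000.0000.0001 (bia 0000.0000.0001)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
FastEthernet0/2 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0000.0000.0002 (bia 0000.0000.0002)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     1200 packets input, 96000 bytes, 0 no buffer
     7 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored
     900 packets output, 81000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

# A new interface block starts at column 0 with "<name> is <status>, line protocol is <state>".
HEADER_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
ADDR_RE = re.compile(r"address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
MTU_RE = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit")
# Counters of interest, in the "<number> <label>" form the report uses.
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|interface resets|packets input|packets output)")


def parse_show_interfaces(text):
    """Return {interface_name: record}; lines inside a block that match nothing are ignored."""
    records, current = {}, None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw)
        if header:
            current = {"name": header.group(1), "status": header.group(2),
                       "line_protocol": header.group(3), "address": None,
                       "mtu": None, "bw_kbit": None, "counters": {}}
            records[current["name"]] = current
            continue
        if current is None:  # text before the first interface header
            continue
        addr = ADDR_RE.search(raw)
        if addr:
            current["address"] = addr.group(1)  # first match is the configured address, not the bia
        mtu = MTU_RE.search(raw)
        if mtu:
            current["mtu"], current["bw_kbit"] = int(mtu.group(1)), int(mtu.group(2))
        for counter in COUNTER_RE.finditer(raw):
            current["counters"][counter.group(2)] = int(counter.group(1))
    return records


def flag_interfaces(records):
    """Return {name: [reasons]} for ports that are up without link or show error counters."""
    flagged = {}
    for name, rec in records.items():
        reasons = []
        if rec["status"] == "up" and rec["line_protocol"] != "up":
            reasons.append("line protocol down")
        for key in ("input errors", "CRC", "interface resets"):
            if rec["counters"].get(key, 0):
                reasons.append(f"{rec['counters'][key]} {key}")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_interfaces(parse_show_interfaces(SAMPLE_OUTPUT)).items():
        print(name, "->", ", ".join(reasons))
```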