Cisco Catalyst 2950 Software Configuration Manual

Catalyst 2950 Desktop Switch Software
Configuration Guide
Cisco IOS Release 12.1(9)EA1
April 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811380=
Text Part Number: 78-11380-04

Summary of Contents for Cisco Catalyst 2950

  • Page 1 Catalyst 2950 Desktop Switch Software Configuration Guide Cisco IOS Release 12.1(9)EA1 April 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7811380=...
  • Page 2 FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3 Large Campus Configuration 1-13 Multidwelling Network Using Catalyst 2950 Switches 1-14 Long-Distance, High-Bandwidth Transport Configuration 1-16 Using the Command-Line Interface CHAPTER IOS Command Modes Getting Help...
  • Page 4: Table Of Contents

    Colors in the Topology View 3-13 Topology Display Options 3-13 Menus and Toolbar 3-14 Menu Bar 3-14 Toolbar 3-20 Front Panel View Popup Menus 3-21 Device Popup Menu 3-21 Port Popup Menu 3-21...
  • Page 5 Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration Manually Assigning IP Information 4-10 Checking and Saving the Running Configuration 4-11...
  • Page 6 Discovery through Different Management VLANs 6-10 Discovery of Newly Installed Switches 6-12 HSRP and Standby Command Switches 6-14 Virtual IP Addresses 6-15 Other Considerations for Cluster Standby Groups 6-15 Automatic Recovery of Cluster Configuration 6-17...
  • Page 7 7-12 Identifying the TACACS+ Server Host and Setting the Authentication Key 7-12 Configuring TACACS+ Login Authentication 7-13 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-15 Starting TACACS+ Accounting 7-16...
  • Page 8 Configuring Summer Time (Daylight Saving Time) 7-45 Configuring a System Name and Prompt 7-47 Default System Name and Prompt Configuration 7-47 Configuring a System Name 7-47 Configuring a System Prompt 7-48...
  • Page 9 Enabling Periodic Re-Authentication 8-10 Manually Re-Authenticating a Client Connected to a Port 8-11 Changing the Quiet Period 8-11 Changing the Switch-to-Client Retransmission Time 8-12 Setting the Switch-to-Client Frame-Retransmission Number 8-13 Enabling Multiple Hosts 8-13...
  • Page 10 Supported Spanning-Tree Instances 10-2 Bridge Protocol Data Units 10-2 Election of the Root Switch 10-3 Bridge ID, Switch Priority, and Extended System ID 10-4 Spanning-Tree Timers 10-4 Creating the Spanning-Tree Topology 10-5...
  • Page 11 11-6 Processing Inferior BPDU Information 11-6 Topology Changes 11-6 Understanding MSTP 11-7 Multiple Spanning-Tree Regions 11-7 IST, CIST, and CST 11-8 Operations Within an MST Region 11-8 Operations Between MST Regions 11-9...
  • Page 12 Understanding BackboneFast 12-10 Understanding Root Guard 12-12 Understanding Loop Guard 12-13 Configuring Optional Spanning-Tree Features 12-13 Default Optional Spanning-Tree Configuration 12-14 Enabling Port Fast 12-14 Enabling BPDU Guard 12-15 Enabling BPDU Filtering 12-16...
  • Page 13 Default Layer 2 Ethernet Interface VLAN Configuration 13-21 Configuring an Ethernet Interface as a Trunk Port 13-21 Interaction with Other Features 13-21 Configuring a Trunk Port 13-22 Defining the Allowed VLANs on a Trunk 13-23...
  • Page 14 VTP Configuration in Privileged EXEC and Global Configuration Modes 14-7 VTP Configuration in VLAN Configuration Mode 14-7 VTP Configuration Guidelines 14-8 Domain Names 14-8 Passwords 14-8 Upgrading from Previous Software Releases 14-8 VTP Version 14-9 Configuration Requirements 14-9...
  • Page 15 Default Voice VLAN Configuration 15-2 Configuration Guidelines 15-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 15-3 Configuring Ports to Carry Voice Traffic in 802.1Q Frames 15-4 Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames...
  • Page 16 Understanding CDP 19-1 Configuring CDP 19-2 Default CDP Configuration 19-2 Configuring the CDP Characteristics 19-2 Disabling and Enabling CDP 19-3 Disabling and Enabling CDP on an Interface 19-4 Monitoring and Maintaining CDP 19-5...
  • Page 17 CHAPTER Understanding SNMP 22-1 SNMP Versions 22-2 SNMP Manager Functions 22-2 SNMP Agent Functions 22-3 SNMP Community Strings 22-3 Using SNMP to Access MIB Variables 22-3...
  • Page 18 Understanding ACLs 23-1 ACLs 23-2 Handling Fragmented and Unfragmented Traffic 23-3 Understanding Access Control Parameters 23-4 Guidelines for Configuring ACLs on the Catalyst 2950 Switches 23-5 Configuring ACLs 23-6 Unsupported Features 23-6 Creating Standard and Extended IP ACLs 23-7 ACL Numbers...
  • Page 19 Physical Learners and Aggregate-Port Learners 25-4 PAgP Interaction with Other Features 25-5 Understanding Load Balancing and Forwarding Methods 25-5 Default EtherChannel Configuration 25-6 EtherChannel Configuration Guidelines 25-7 Configuring EtherChannels 25-7 Configuring EtherChannel Load Balancing 25-9...
  • Page 20 Enabling All-System Diagnostics 26-12 Redirecting Debug and Error Message Output 26-13 Supported MIBs APPENDIX MIB List Using FTP to Access the MIB Files INDEX
  • Page 21 The Catalyst 2950 switch is supported by either the standard software image (SI) or the enhanced software image (EI). The enhanced software image provides a richer set of features, including access control lists (ACLs), enhanced quality of service (QoS) features, the Secure Shell Protocol, extended-range VLANs, IEEE 802.1W Rapid Spanning Tree Protocol (STP), and the IEEE 802.1S Multiple STP.
  • Page 22 This guide does not describe system messages you might encounter or how to install your switch. For more information, refer to the Catalyst 2950 Desktop Switch System Message Guide for this release and to the Catalyst 2950 Desktop Switch Hardware Installation Guide.
  • Page 23 MAC addresses; and how to set the aging time for all secure addresses. Chapter 19, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your switch. Chapter 20, “Configuring SPAN,”...
  • Page 24 Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
  • Page 25: Related Publications

    The following sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 26: Ordering Documentation

    America, by calling 800 553-NETS (6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can send us your comments by completing the online survey. When you display the document listing for this platform, click Give Us Your Feedback.
  • Page 27 Cisco TAC Website The Cisco TAC website allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to the following URL: http://www.cisco.com/tac...
  • Page 28 TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC website.
  • Page 29 • Examples of the Catalyst 2950 switches in different network topologies Features The Catalyst 2950 software supports the switches listed in the Release Notes for the Catalyst 2950 Cisco IOS Release 12.1(9)EA1. Table 1-1 describes the features supported in this release.
  • Page 30 • Support for mini-jumbo frames. The Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later support frame sizes 1500 to 1530 bytes • Per-port broadcast storm control for preventing faulty end stations from degrading overall system performance with...
  • Page 31 • Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address • Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network • Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source...
  • Page 32 Note: The switch supports up to 64 spanning-tree instances. VLAN Support • Catalyst 2950 switches support 250 port-based VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth. The Catalyst 2950-12 and Catalyst 2950-24 switches support only 64 port-based VLANs.
  • Page 33 • Out-of-profile markdown for packets that exceed bandwidth utilization limits. Egress Policing and Scheduling of Egress Queues • Four egress queues on all switch ports. Support for strict priority and weighted round-robin (WRR) CoS policies
  • Page 34: Management Options

    1. This feature is available only on a switch running the enhanced software image. Management Options The Catalyst 2950 switches are designed for plug-and-play operation: you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can configure and monitor the switch—on an individual basis or as part of a switch...
  • Page 35: Advantages Of Using Cms And Clustering Switches

    Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them.
  • Page 36: Network Configuration Examples

    • Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
  • Page 37 • Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect up to nine Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches through GigaStack GBIC connections. When you use a stack of Catalyst 2950G-48 switches, you can connect up to 432 users.
  • Page 38 This divides the network into smaller segments (or workgroups) and reduces the amount of traffic that travels over a network backbone, thereby increasing the bandwidth available to each user and improving server response time.
  • Page 39 It is required if numerous segments require access to the servers. The Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone.
  • Page 40: Collapsed Backbone And Switch Cluster Configuration

    Each 10/100 inline-power port on the Catalyst 3524-PWR XL switches provides –48 VDC power to the Cisco IP Phone. The IP phone can receive redundant power when it also is connected to an AC power source. IP phones not connected to the Catalyst 3524-PWR XL switches receive power from an AC power source.
  • Page 41: Large Campus Configuration

    CallManager controls call processing, routing, and IP phone features and configuration. • Cisco Access gateway (such as Cisco Access Digital Trunk Gateway or Cisco Access Analog Trunk Gateway) that connects the IP network to the Public Switched Telephone Network (PSTN) or to users in an IP telephony network.
  • Page 42: Multidwelling Network Using Catalyst 2950 Switches

    Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X GBIC ports. The resident switches can be Catalyst 2950 switches, providing customers with high-speed connections to the MAN. Catalyst 2912-LRE or 2924-LRE XL Layer 2-only switches also can be used as residential switches for customers requiring connectivity through existing phone lines.
  • Page 43 Overview Network Configuration Examples All ports on the residential Catalyst 2950 switches (and Catalyst 2912-LRE XL or 2924-LRE XL switches if they are included) are configured as 802.1Q trunks with protected port and STP root guard features enabled. The protected port feature provides security and isolation between ports on the switch, ensuring that subscribers cannot view packets destined for other subscribers.
  • Page 44 A common wavelength for long-distance transmissions is 1550 nm. Up to eight CWDM GBIC modules, with any combination of wavelengths, can connect to a Cisco CWDM Passive Optical System. It combines (or multiplexes) the different CWDM wavelengths, allowing them to travel simultaneously on the same fiber-optic cable.
  • Page 45: Ios Command Modes

    Accessing the CLI, page 2-9 IOS Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 46 To return to console command. privileged EXEC mode, press Ctrl-Z or enter end.
  • Page 47: Abbreviating Commands

    Length of time (in sec) that receiver must keep this packet Abbreviating Commands You only have to enter enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration command: Switch# show conf
  • Page 48: Using No And Default Forms Of Commands

    ‘^’ marker. incorrectly. The caret (^) marks the commands that are available in this command mode. point of the error. The possible keywords that you can enter with the command appear.
  • Page 49: Using Command History

    The command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history user EXEC command. To disable command history for the line, enter the no history line configuration command.
  • Page 50: Using Editing Features

    Recall commands from the buffer and Press Ctrl-Y. Recall the most recent entry in the buffer. paste them in the command line. (The switch provides a buffer with the last ten items that you deleted.)
  • Page 51: Editing Command Lines That Wrap

    You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
  • Page 52: Searching And Filtering Output Of Show And More Commands

    Switch# show interfaces | include protocol Vlan1 is up, line protocol is up Vlan10 is up, line protocol is down GigabitEthernet0/1 is up, line protocol is down GigabitEthernet0/2 is up, line protocol is up
  • Page 53: Accessing The Cli

    You can also access the CLI by clicking Monitor the router - HTML access to the command line interface from the Cisco Systems Access page. For information about the Cisco Systems Access page, see the “Accessing CMS” section in the release notes.
  • Page 54: Saving Configuration Changes

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 55 • For procedures for using CMS, refer to the online help. Note: This chapter describes CMS on the Catalyst 2950 switches. Refer to the appropriate switch documentation for descriptions of the web-based management software used on other Catalyst switches.
  • Page 56: Getting Started With Cms

    – Wizards that require minimal information from you to configure some complex features – Comprehensive online help that provides high-level concepts and procedures for performing tasks from the window
  • Page 57 Front Panel view of the cluster. Topology view of the cluster.
  • Page 58: Front Panel View

    The color port LEDs. switch and option to view or change of the port LED reflects connected RPS. port-related settings. port or link status.
  • Page 59: Cluster Tree

    The internal fan of the switch is not operating, or the switch is receiving power from an RPS. Switch is not powered up, has lost power, or the command switch is unable to communicate with the member switch.
  • Page 60: Front-Panel Images

    • Press the Ctrl key, and click the ports that you want to select. • Right-click a port, and select Select All Ports from the port popup menu. Figure 3-5 Port Icons
  • Page 61: Redundant Power System Led

    • Cisco RPS 300 (model PWR300-AC-RPS-N1)—Catalyst 2900 LRE XL, Catalyst 2950, Catalyst 3524-PWR XL, and Catalyst 3550 switches • Cisco RPS 600 (model PWR600-AC-RPS)—Catalyst 2900 XL and Catalyst 3500 XL switches, except the Catalyst 2900 LRE XL and Catalyst 3524-PWR XL switches. Refer to the appropriate switch hardware documentation for RPS descriptions specific for the switch.
  • Page 62: Port Modes And Leds

    Port is operating at 10 Mbps (10/100 ports) or no link (10/100/1000 ports and GBIC module ports). Green Port is operating at 100 Mbps (10/100 ports) or 1000 Mbps (GBIC module ports). Blinking green Port is operating at 1000 Mbps (10/100/1000 ports).
  • Page 63: Vlan Membership Modes

    • Press the Ctrl key, and click the device icons that you want to select. After selecting the icons, drag the icons to any area in the view.
  • Page 64 Figure 3-7 Collapse Cluster View Neighboring cluster connected to cluster1. cluster1 Devices connected to cluster1 that are not eligible to join the cluster.
  • Page 65: Topology Icons

    • Customer premises equipment (CPE) devices that are connected to Long-Reach Ethernet (LRE) switches • Devices that are not eligible to join the cluster, such as Cisco IP phones, Cisco access points, and Cisco Discovery Protocol (CDP)-capable hubs and routers • Devices that are identified as unknown devices, such as some Cisco devices and third-party devices...
  • Page 66: Device And Link Labels

    The displayed link speeds are the actual link speeds except on the LRE links, which display the administratively assigned speed settings. You can change the label settings from the Topology Options window, which is displayed by selecting View > Topology Options.
  • Page 67: Colors In The Topology View

    Topology Options window. To display this window, select View > Topology Options. From this window, you can select: • Device icons to be displayed in the Topology view • Labels to be displayed with the device and link icons
  • Page 68: Menus And Toolbar

    Layer 3 and Layer 2 switches in the cluster. – If the command switch is a Layer 2 switch, such as a Catalyst 2950 or Catalyst 3500 XL switch, the menu bar displays the features of all Layer 2 switches in the cluster. The menu bar does not display Layer 3 features even if the cluster has Catalyst 3550 Layer 3 member switches.
  • Page 69 – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch. – If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
  • Page 70 Create a Hot Standby Router Protocol (HSRP) standby group to provide command-switch redundancy. Hop Count Enter the number of hops away that a command switch looks for members and for candidate switches.
  • Page 71 Configure a port to prevent it from receiving bridged traffic from another port on the same switch. Flooding Control Block the normal flooding of unicast and multicast packets, and enable the switch to block packet storms.
  • Page 72 Display the most recent system messages (IOS messages and switch-specific messages) sent by the switch software. This option is available on the Catalyst 2950 or Catalyst 3550 switches. It is not available from the Catalyst 2900 XL and Catalyst 3500 XL switches. You can display the system...
  • Page 73 4. Available only from a Device Manager session on a command-capable switch that is not a cluster member. 5. Available only from a cluster management session. 6. Available only from a switch running the enhanced software image.
  • Page 74: Toolbar

    2. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-30. 3. Available only from a cluster-management session.
  • Page 75: Front Panel View Popup Menus

    2. Available on switches that support the Port Security feature. 3. Available only when there is an active link on the port (that is, the port LED is green when in port status mode).
  • Page 76: Topology View Popup Menus

    If multiple links are configured between two devices, when you click the link icon and right-click, the Multilink Content window appears (Figure 3-10). Click the link icon in this window, and right-click to display the link popup menu specific for that link. Figure 3-10 Multilink Decomposer Window
  • Page 77: Device Popup Menus

    Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running Release 12.1(6)EA2 and later and on Catalyst 3550 switch running Release 12.1(8)EA1 or later. It is not available on the Catalyst 1900 and Catalyst 2820 switches.
  • Page 78 Device Manager Access the web management interface of the device. Note This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers and on unknown devices such as some Cisco devices and third-party devices. Disqualification Code Display the reason why the device could not join the cluster.
  • Page 79: Interaction Modes

    Wizards are not available for all features. A menu-bar option that has wizard means that selecting that option launches the wizard for that feature.
  • Page 80: Tool Tips

    • You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco. We appreciate and value your comments. Figure 3-11 Help Contents and Index Glossary of terms used in the online help.
  • Page 81: Cms Window Components

    Catalyst 1900 and Catalyst 2820 switches even though they are part of the cluster. Similarly, the Host Name list on the LRE Profiles window only lists the LRE switches in the cluster.
  • Page 82: Tabs, Lists, And Tables

    Icons Used in Windows Some windows have icons for sorting information in tables, for showing which cells in a table are editable, and for displaying further information from Cisco.com (Figure 3-13).
  • Page 83: Accessing Cms

    You can access the CLI by clicking Monitor the router - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 84: Access Modes In Cms

    Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier – Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier For more information about this limitation, refer to the Catalyst 2950 release notes. • These switches do not support read-only mode on CMS: Catalyst 1900 and Catalyst 2820 –...
  • Page 85: Verifying Your Changes

    To save all configuration changes to Flash memory, you must select Administration > Save Configuration. Note: Catalyst 1900 and Catalyst 2820 switches automatically save configuration changes to Flash memory as they occur.
  • Page 86: Using Different Versions Of Cms

    Chapter 7, “Administering the Switch” The rest of this guide provides information about and CLI procedures for the software features supported in this release. For CMS procedures and window descriptions, refer to the online help.
  • Page 87: Chapter 4 Assigning The Switch Ip Address And Default Gateway

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: • Understanding the Boot Process, page 4-1...
  • Page 88: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. Use a DHCP server for centralized control and automatic assignment of IP information once the server is configured.
  • Page 89: Default Switch Information

    DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
  • Page 90 If the switch accepts replies from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration file.
  • Page 91: Configuring The Dhcp Server

    “Configuring the Relay Device” section on page 4-6. If your DHCP server is a Cisco device, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Configuring the TFTP Server Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server.
  • Page 92: Configuring The Dns

    TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 93: Obtaining Configuration Files

    DHCP server TFTP server DNS server For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com for additional information and CLI procedures. Obtaining Configuration Files Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways: •...
  • Page 94: Example Configuration

    Switch 4 00e0.9f1e.2001 00e0.9f1e.2002 00e0.9f1e.2003 00e0.9f1e.2004 Cisco router 10.0.0.10 10.0.0.1 10.0.0.2 10.0.0.3 DHCP server DNS server TFTP server (maritsu) Table 4-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 95 If no configuration filename is given in the DHCP server reply, Switch 1 reads the network-confg file from the base directory of the TFTP server. It adds the contents of the network-confg file to its host table.
  • Page 96: Manually Assigning Ip Information

    For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 7, “Administering the Switch.”
  • Page 97: Checking And Saving The Running Configuration

    350 no ip address spanning-tree portfast trunk interface FastEthernet0/9 switchport mode access no ip address shutdown interface FastEthernet0/10 switchport trunk native vlan 2 no ip address speed 100
  • Page 98 To display information stored in the NVRAM section of Flash memory, use the show startup-config or more startup-config privileged EXEC command.
  • Page 99: Chapter 5 Configuring Ie2100 Cns Agents

    Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 > New Feature Documentation > 12.2(2)T on Cisco.com.
  • Page 100: Cns Configuration Service

    The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 101: Cns Event Service

    ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 102: Deviceid

    Configuration Registrar. The origin of the deviceID is defined by the Cisco IOS host name of the switch. However, the deviceID variable and its usage reside within the event gateway, which is adjacent to the switch.
  • Page 103: Understanding Cns Embedded Agents

    DHCP-based autoconfiguration. [Figure 5-2: Initial Configuration Overview. Labels: TFTP server, IE2100 Configuration Registrar, DHCP server, DHCP relay agent, distribution layer default gateway, access layer switches.]
  • Page 104: Incremental (Partial) Configuration

    Prerequisites for Enabling Automatic Configuration (Device: Required Configuration). Access switch: Factory default (no configuration file). Distribution switch: IP helper address; Enable DHCP relay agent; IP routing (if used as default gateway).
  • Page 105 Note: For more information about running the setup program and creating templates on the Configuration Registrar, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual.
  • Page 106: Enabling The Cns Event Agent

    Step 4: show cns event connections - Verify information about the event agent.
    Step 5: show running-config - Verify your entries.
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 107: Enabling The Cns Configuration Agent

    1 to 30 seconds. The default is 10 seconds. • (Optional) For retries num, enter the number of ping retries. The range is 1 to 30. The default is 5.
  • Page 108 ID, enter hostname (the default) to select the switch host name as the unique ID, or enter an arbitrary text string for string string as the unique ID.
  • Page 109
    Switch(config-cns-conn-if)# config-cli no keepalive
    Switch(config-cns-conn-if)# config-cli no shutdown
    Switch(config-cns-conn-if)# exit
    Switch(config)# hostname RemoteSwitch
    RemoteSwitch(config)# ip route 10.1.1.1 255.255.255.255 11.11.11.1
    RemoteSwitch(config)# cns id Ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist
  • Page 110: Enabling A Partial Configuration

    Displays statistics about the CNS configuration agent. show cns event connections: Displays the status of the CNS event agent connections.
  • Page 111 Displaying CNS Configuration (continued). Command: Purpose. show cns event stats: Displays statistics about the CNS event agent. show cns event subject: Displays a list of event agent subjects that are subscribed to by applications.
  • Page 113: Chapter 6 Clustering Switches

    Java plug-in configurations. Note: This chapter focuses on Catalyst 2950 switch clusters. It also includes guidelines and limitations for clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches. For complete cluster information for a specific Catalyst platform, refer to the software configuration guide for that switch.
  • Page 114: Understanding Switch Clusters

    These sections describe: • “Command Switch Characteristics” section on page 6-3 • “Standby Command Switch Characteristics” section on page 6-3 • “Candidate Switch and Member Switch Characteristics” section on page 6-4
  • Page 115: Command Switch Characteristics

    • It is not a command or member switch of another cluster. • If the Catalyst 2950 command switch is running Release 12.1(9)EA1 or later, it is connected to the standby command switches and member switches through a common VLAN.
  • Page 116: Candidate Switch And Member Switch Characteristics

    • It is not a command or member switch of another cluster. • If the Catalyst 2950 member or candidate switch is running Release 12.1(9)EA1 or later, it is connected to the command switch through at least one common VLAN.
  • Page 117: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices in star or cascaded topologies.
  • Page 118 [Figure: cluster topology diagram. Labels include management VLAN 16, member switches 8, 9, and 10, candidate switches, and edge of cluster.]
  • Page 119 [Figure: cluster topology diagram. Labels include command switch, VLAN 16, VLAN 62, member switches 8, 9, and 10, candidate switches, and edge of cluster.]
  • Page 120: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Figure 6-3 shows that the command switch discovers the Catalyst 3500 XL switch, which is connected to a third-party hub. However, the command switch does not discover the Catalyst 2950 switch that is connected to a Catalyst 5000 switch. Refer to the release notes for the Catalyst switches that can be part of a switch cluster.
  • Page 121: Discovery Through The Same Management Vlan

    A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN.
  • Page 122: Discovery Through Different Management Vlans

    All other member switches must be connected to the command switch through their management VLAN. In contrast, a Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN.
  • Page 123 [Figure: switches in different management VLANs. Labels include Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches; Switch 4 (management VLAN 16); Switch 9 (management VLAN 62); Switch 10 (management VLAN 4).]
  • Page 124: Discovery Of Newly Installed Switches

    Figure 6-7 belongs to management VLAN 16. When the new Catalyst 2900 LRE XL and Catalyst 2950 switches join the cluster, their management VLAN and access ports change from VLAN 1 to VLAN 16. The command switch (running Release 12.1(9)EA1 or later) in Figure 6-8 belongs to VLANs 9 and 16.
  • Page 125 [Figure: labels include a Catalyst 2950 switch (management VLAN 9), a Catalyst 3500 XL switch (management VLAN 16), a new (out-of-box) Catalyst 3550 switch on VLAN 9, and a new (out-of-box) Catalyst 2950 switch on VLAN 16.]
  • Page 126: Hsrp And Standby Command Switches

    Note: Catalyst 3550 switches. • When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later. • When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all...
  • Page 127: Virtual Ip Addresses

    – When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches. – When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
  • Page 128 VLAN. Each standby-group member must also be redundantly connected to each other through the management VLAN. Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member switches must be connected to the cluster standby group through their management VLANs.
  • Page 129: Automatic Recovery Of Cluster Configuration

    Automatic discovery has these limitations: • This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and standby command switches: If the active command switch and standby command switch become disabled at the same time, the passive command switch with the highest priority becomes the active command switch.
  • Page 130: Host Names

    SNMP and community strings, see Chapter 22, “Configuring SNMP.” For SNMP considerations specific to the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and configuration guides specific to those switches.
  • Page 131: Tacacs+ And Radius

    – Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier – Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier For more information about this limitation, refer to the Catalyst 2950 release notes. • These switches do not support read-only mode on CMS:...
  • Page 132: Management Vlan

    VLAN. Note: If the command switch is a Catalyst 2950 running Release 12.1(9)EA1 or later, candidate, member, and standby command switches can belong to different management VLANs. However, they must connect to the command switch through their management VLAN.
  • Page 133: Availability Of Switch-Specific Features In Switch Clusters

    Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which ones can be command switches and which ones can only be member switches, and for the required software versions and browser and Java plug-in configurations.
  • Page 134: Enabling A Command Switch

    – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch. – If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
  • Page 135: Adding Member Switches

    When a candidate switch joins a cluster, it inherits the command-switch password. For more information about setting passwords, see the “Passwords” section on page 6-18. For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 6-19.
  • Page 136 [Figure 6-12: Using the Topology View to Add Member Switches. Callouts: Thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.]
  • Page 137: Creating A Cluster Standby Group

    Note: Catalyst 3550 switches. • When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later. • When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all...
  • Page 138 [Figure: screenshot. Callouts: Standby command switch. Must be a valid IP address in the same subnet as the active command switch. Once entered, this information cannot be changed.]
  • Page 139: Verifying A Switch Cluster

    “Using Recovery Procedures” section on page 26-5. For more information about creating and managing clusters, refer to the online help. For information about the cluster commands, refer to the switch command reference.
  • Page 140: Using The Cli To Manage Switch Clusters

    The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition Software. For more information about the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and configuration guides for those switches.
  • Page 141: Using Snmp To Manage Switch Clusters

    For more information about SNMP and community strings, see Chapter 22, “Configuring SNMP.” [Figure 6-15: SNMP Management for a Cluster. Labels: SNMP Manager; Command switch; Trap 1, Trap 2, Trap 3; Member 1, Member 2, Member 3.]
  • Page 143: Administering The Switch

  • Page 144: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1.
  • Page 145: Default Password And Privilege Level Configuration

    (Optional) Save your entries in the configuration file. The enable password is not encrypted and can be read in the switch configuration file. To remove the password, use the no enable password global configuration command.
  • Page 146: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy...
  • Page 147: Setting A Telnet Password For A Terminal Line

    For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
  • Page 148: Configuring Username And Password Pairs

    Step 2.
    Step 5: Return to privileged EXEC mode.
    Step 6: show running-config - Verify your entries.
    Step 7: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 149: Configuring Multiple Privilege Levels

    For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. Step 4 Return to privileged EXEC mode.
  • Page 150: Changing The Default Privilege Level For Lines

    You might specify a high level or privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command.
  • Page 151: Logging Into And Exiting A Privilege Level

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1.
  • Page 152 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
  • Page 153: Tacacs+ Operation

    – Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services – Connection parameters, including the host or client IP address, access list, and user timeouts
  • Page 154: Configuring Tacacs

    You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
  • Page 155: Configuring Tacacs+ Login Authentication

    The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
  • Page 156 For list-name, specify the list created with the aaa authentication login command.
    Step 6: Return to privileged EXEC mode.
    Step 7: show running-config - Verify your entries.
    Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 157: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Verify your entries.
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
  • Page 158: Starting Tacacs+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 159: Controlling Switch Access With Radius

    (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 160: Radius Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 161: Configuring Radius

    RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
  • Page 162: Identifying The Radius Server Host

    7-28. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 7-24.
  • Page 163 Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
  • Page 164: Configuring Radius Login Authentication

    If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
  • Page 165 {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 166: Defining Aaa Server Groups

    You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
  • Page 167 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode.
  • Page 168: Configuring Radius Authorization For Privileged Exec Access And Network Services

    Use the local database if authentication was not performed by using RADIUS. Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
  • Page 169: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 170: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional attributes.
  • Page 171: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment): cisco-avpair= "ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
  • Page 172: Displaying The Radius Configuration

    Switch(config)# radius-server host 172.20.30.15 nonstandard
    Switch(config)# radius-server key rad124
    Displaying the RADIUS Configuration
    To display the RADIUS configuration, use the show running-config privileged EXEC command.
  • Page 173: Configuring The Switch For Local Authentication And Authorization

    (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
  • Page 174: Configuring The Switch For Secure Shell

    “Configuring the Switch for Local Authentication and Authorization” section on page 7-31) For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2. Note: The SSH feature in this software release does not support IP Security (IPSec).
  • Page 175: Managing The System Time And Date

    You can manage the system time and date on your switch by using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 176 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 177: Configuring Ntp

    The Catalyst 2950 switches do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
  • Page 178: Default Ntp Configuration

    By default, no trusted keys are defined. For key-number, specify the key defined in Step 3. This command provides protection against accidentally synchronizing the switch to a device that is not trusted.
  • Page 179: Configuring Ntp Associations

    • (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.
  • Page 180: Configuring Ntp Broadcast Service

    (Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this switch.
    Step 4: Return to privileged EXEC mode.
    Step 5: show running-config - Verify your entries.
  • Page 181: Configuring Ntp Access Restrictions

    You can control NTP access on two levels as described in these sections: • Creating an Access Group and Assigning a Basic IP Access List, page 7-40 • Disabling NTP Services on a Specific Interface, page 7-41
  • Page 182 NTP control queries from a device whose address passes the access list criteria.
  • Page 183: Configuring The Source Ip Address For Ntp Packets

    Step 2: ntp source type number - Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
  • Page 184: Displaying The Ntp Configuration

    • show ntp status
    For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
    Configuring Time and Date Manually
    If no other source of time is available, you can manually configure the current time and date after the system is restarted.
  • Page 185: Displaying The Time And Date Configuration

    The symbol that precedes the show clock display has this meaning: • *—Time is not authoritative. • (blank)—Time is authoritative. • .—Time is authoritative, but NTP is not synchronized.
  • Page 186: Configuring The Time Zone

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 187: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 188 This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:
    Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
  • Page 189: Configuring A System Name And Prompt

    Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 190: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 191: Default Dns Configuration

    (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default...
  • Page 192: Displaying The Dns Configuration

    The login banner also displays on all connected terminals. It is displayed after the MOTD banner and before the login prompts. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 193
    Unix> telnet 172.2.5.4
    Trying 172.2.5.4...
    Connected to 172.2.5.4.
    Escape character is '^]'.
    This is a secure site. Only authorized users are allowed.
    For access, contact technical support.
    User Access Verification
    Password:
  • Page 194: Configuring A Login Banner

    The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address. Note: For complete syntax and usage information for the commands used in this section, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 195: Building The Address Table

    VLAN. Addresses that are statically entered in one VLAN must be configured as static addresses in all other VLANs or remain unlearned in the other VLANs.
  • Page 196: Default Mac Address Table Configuration

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default value, use the no mac-address-table aging-time global configuration command.
  • Page 197: Removing Dynamic Address Entries

    For notification-type, use the mac-notification keyword.
  • Page 198
    Switch(config)# mac-address-table notification history-size 100
    Switch(config)# interface fastethernet0/4
    Switch(config-if)# snmp trap mac-notification added
    You can verify the previous commands by entering the show mac-address-table notification interface and the show mac-address-table notification privileged EXEC commands.
  • Page 199: Adding And Removing Static Address Entries

    This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified interface:
    Switch(config)# mac-address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1
  • Page 200: Configuring Static Addresses For Etherchannel Port Groups

    Enter global configuration mode. Step 2 no switchport port-security mac-address mac-address Remove a secure address. Step 3 Return to privileged EXEC mode. Step 4 show port-security Verify your entry.
  • Page 201: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com.
  • Page 202 Chapter 7 Administering the Switch Managing the ARP Table
  • Page 203: Configuring 802.1X Port-Based Authentication

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
    • Understanding 802.1X Port-Based Authentication, page 8-1
    • Configuring 802.1X Authentication, page 8-6...
  • Page 204: Understanding 802.1X Port-Based Authentication

    In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 205: Authentication Initiation And Message Exchange

    The devices that can act as intermediaries include the Catalyst 3550 multilayer switch, Catalyst 2950 switch, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1X.
  • Page 206: Ports In Authorized And Unauthorized States

    802.1X-based authentication of the client. This is the default setting.
    • force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
  • Page 207: Supported Topologies

    Figure 8-3 Wireless LAN Example (labels: wireless client, access point, Catalyst 2950 switch, authentication server (RADIUS))
  • Page 208: Configuring 802.1X Authentication

    Retransmission time 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before retransmitting the request).
  • Page 209: 802.1X Configuration Guidelines

    Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
  • Page 210: Enabling 802.1X Authentication

    {default | list-name} method1 [method2...] global configuration command. To disable 802.1X authentication, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command.
  • Page 211: Configuring The Switch-To-Radius-Server Communication

    If you want to use multiple RADIUS servers, re-enter this command. Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 212: Enabling Periodic Re-Authentication

    To disable periodic re-authentication, use the no dot1x re-authentication global configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout re-authperiod global configuration command.
  • Page 213: Manually Re-Authenticating A Client Connected To A Port

    To return to the default quiet time, use the no dot1x timeout quiet-period global configuration command. This example shows how to set the quiet time on the switch to 30 seconds:
    Switch(config)# dot1x timeout quiet-period 30
  • Page 214: Changing The Switch-To-Client Retransmission Time

    This example shows how to set 60 seconds as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:
    Switch(config)# dot1x timeout tx-period 60
  • Page 215: Setting The Switch-To-Client Frame-Retransmission Number

    Step 3 dot1x multiple-hosts Allow multiple hosts (clients) on an 802.1X-authorized port. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
  • Page 216: Resetting The 802.1X Configuration To The Default Values

    EXEC command. To display the 802.1X administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 217: Understanding Interface Types

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1.
    Understanding Interface Types
    This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 218: Switch Ports

    VLAN membership of the port is discovered. In the Catalyst 2950 switch, dynamic access ports are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6000 series switch; the Catalyst 2950 switch does not support the function of a VMPS. Trunk Ports A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database.
  • Page 219: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 220: Using The Interface Command

    [Figure labels: Cisco router, Switch, Host A, Host B, VLAN 20, VLAN 30]
    Using the Interface Command
    The Catalyst 2950 switch supports these interface types:
    • Physical ports—switch ports
    • VLANs—Interfaces
    • Port-channels—EtherChannel of interfaces
    You can also configure a range of interfaces (see the “Configuring a Range of Interfaces”...
  • Page 221: Procedures For Configuring Interfaces

    • Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or
    • Slot—The slot number on the switch. On the Catalyst 2950 switch, the slot number is 0.
    • Port number—The interface number on the switch. The port numbers always begin at 1, starting at the left when facing the front of the switch, for example, gigabitethernet 0/1, gigabitethernet 0/2.
  • Page 222
    Keepalive set (10 sec)
    Auto-duplex, Auto-speed
    input flow-control is off, output flow-control is off
    ARP type:ARPA, ARP Timeout 04:00:00
    Last input never, output 2d00h, output hang never
    Last clearing of "show interface" counters never
  • Page 223: Configuring A Range Of Interfaces

    When using the interface range global configuration command, note these guidelines:
    • Valid entries for port-range:
      – vlan vlan-ID - vlan-ID
      – fastethernet slot/{first port} - {last port}, where slot is 0
  • Page 224 If you exit interface range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface range configuration mode.
  • Page 225: Configuring And Using Interface Range Macros

    • All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
  • Page 226: Configuring Layer 2 Interfaces

    • Configuring the Port Speed and Duplex Mode, page 9-11
    • Adding a Description for an Interface, page 9-15
    • Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports, page 9-14
  • Page 227: Default Layer 2 Ethernet Interface Configuration

    • Setting Speed and Duplex Parameters, page 9-12
    Caution If you reconfigure the port through which you are managing the switch, a Spanning Tree Protocol (STP) reconfiguration could cause a temporary loss of connectivity.
  • Page 228: Configuration Guidelines

    • 100BASE-FX ports operate only at 100 Mbps in full-duplex mode.
    Note The Catalyst 2950C-24 does not support the speed and duplex interface configuration commands in Release 12.1(6)EA2 or later.
    Step 5 Return to privileged EXEC mode.
  • Page 229
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  • Page 230: Configuring Ieee 802.3X Flow Control On Gigabit Ethernet Ports

    Note For details on the command settings and the resulting flow control resolution on local and remote ports, refer to the flowcontrol interface configuration command in the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 231: Adding A Description For An Interface

    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface fastethernet0/4
    Switch(config-if)# description Connects to Marketing
    Switch(config-if)# end
    Switch# show interfaces fastethernet0/4 description
    Interface Status Protocol Description
    Fa0/4 down Connects to Marketing
  • Page 232: Monitoring And Maintaining The Interface

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 9-2...
  • Page 233
    Negotiation of Trunking:Off
    Access Mode VLAN:1 (default)
    Trunking Native Mode VLAN:1 (default)
    Trunking VLANs Enabled:ALL
    Pruning VLANs Enabled:2-1001
    Protected:false
    Voice VLAN:dot1p (Inactive)
    Appliance trust:5
    Name:Fa0/2
    Switchport:Enabled
    Administrative Mode:static access
    Operational Mode:down
  • Page 234: Clearing And Resetting Interfaces And Counters

    Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interfaces privileged EXEC command.
  • Page 235: Shutting Down And Restarting The Interface

    To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the show interfaces command display as with Fast Ethernet interface 0/5 in this example.
  • Page 236
    Hardware is Gigabit Ethernet, address is 0002.4b29.4403 (bia 0002.4b29.4403)
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Auto-duplex, Auto-speed
  • Page 237: Understanding Spanning-Tree Features

    Chapter 12, “Configuring Optional Spanning-Tree Features.” Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
    • Understanding Spanning-Tree Features, page 10-1...
  • Page 238: Configuring Stp

    • The spanning-tree path cost to the root
    • The bridge ID of the sending switch
    • Message age
    • The identifier of the sending interface
    • Values for the hello, forward delay, and max-age protocol timers
  • Page 239: Election Of The Root Switch

    Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.
  • Page 240: Bridge Id, Switch Priority, And Extended System Id

    MAC address. In Release 12.1(9)EA1 and later, Catalyst 2950 switches support the 802.1T spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
  • Page 241: Creating The Spanning-Tree Topology

    • Forwarding—The interface forwards frames.
    • Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Page 242 In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.
  • Page 243: Blocking State

    An interface in the forwarding state performs as follows:
    • Receives and forwards frames received on the port
    • Forwards frames switched from another port
    • Learns addresses
    • Receives BPDUs
  • Page 244: Disabled State

    However, in a network of Cisco switches connected through 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses per-VLAN spanning tree+ (PVST+) to provide spanning-tree interoperability. It combines the spanning-tree instance of the 802.1Q VLAN of the trunk with the spanning-tree instance of the...
  • Page 245: Accelerated Aging To Retain Connectivity

    • Configuring a Secondary Root Switch, page 10-13
    • Configuring the Port Priority, page 10-14
    • Configuring the Path Cost, page 10-15
    • Configuring the Switch Priority of a VLAN, page 10-17
  • Page 246: Default Stp Configuration

    VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable STP on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable STP on the desired VLAN.
  • Page 247: Disabling Stp

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To re-enable STP, use the spanning-tree vlan vlan-id global configuration command.
  • Page 248: Configuring The Root Switch

    Before 12.1(9)EA1, entering the spanning-tree vlan vlan-id root global configuration command on a Catalyst 2950 switch (no extended system ID) caused it to set its own switch priority for the specified VLAN to 8192 if this value caused this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a switch priority lower than 8192, the switch sets its own priority for the specified VLAN to 1 less than the lowest switch priority.
  • Page 249: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.
  • Page 250: Configuring The Port Priority

    Cisco IOS uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
  • Page 251: Configuring The Path Cost

    Spanning tree uses the cost value when the interface is configured as an access port and uses VLAN port cost values when the interface is configured as a trunk port.
  • Page 252 To return the interface to its default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports using spanning-tree path costs, see the “Load Sharing Using STP” section on page 13-26.
  • Page 253: Configuring The Switch Priority Of A Vlan

    Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 254: Configuring The Hello Time

    1 to 1005 when the standard software image is installed. Do not enter leading zeros.
    • For seconds, the range is 4 to 30; the default is 15.
    Step 3 Return to privileged EXEC mode.
  • Page 255: Configuring The Maximum-Aging Time For A Vlan

    Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 256: Configuring Stp For Use In A Cascaded Stack

    [Figure labels: Catalyst 6000 switch; Cisco 7000 router; Option 1: standalone cascaded cluster; Option 2: cascaded cluster connected to a Layer 2 backbone; Option 3: cascaded cluster connected to a Layer 3 backbone]
  • Page 257: Displaying Spanning-Tree Status

    Displays a summary of port states or displays the total lines of the STP state section. For information about other keywords for the show spanning-tree privileged EXEC command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 258 Chapter 10 Configuring STP Displaying Spanning-Tree Status
  • Page 259: Chapter 11 Configuring Rstp And Mstp

    Configuring RSTP and MSTP
    This chapter describes how to configure the Cisco implementation of the IEEE 802.1W Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1S Multiple STP (MSTP) on your switch. To use the features described in this chapter, you must have the enhanced software image installed on your switch.
  • Page 260: Understanding Rstp

    RSTP port states.
    Table 11-1 Port State Comparison
    Operational Status | STP Port State | RSTP Port State | Is Port Included in the Active Topology?
    Enabled | Blocking | Discarding
    Enabled | Listening | Discarding
    Enabled | Learning | Learning
  • Page 261: Rapid Convergence

    Disabled | Disabled | Discarding
    To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state.
    Rapid Convergence
    The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 262: Synchronization Of Port Roles

    When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 11-2.
  • Page 263: Bridge Protocol Data Unit Format And Processing

    LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port.
  • Page 264: Processing Superior Bpdu Information

    802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support 802.1D switches. The RSTP BPDUs never have the TCA bit set.
  • Page 265: Understanding Mstp

    RSTP BPDUs. There is no limit to the number of MST regions in a network, but each region can support up to 16 spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time.
  • Page 266: Ist, Cist, And Cst

    For correct operation, all switches in the MST region must agree on the same IST master. Therefore, any two switches in the region synchronize their port roles for an MST instance only if they converge to a common IST master.
  • Page 267: Operations Between Mst Regions

    VLAN cost, port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use version 3 RSTP BPDUs or 802.1D STP BPDUs to communicate with legacy 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Page 268: Hop Count

    BPDU, an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2).
  • Page 269: Configuring Rstp And Mstp Features

    • Configuring the Maximum-Aging Time, page 11-21 (optional)
    • Configuring the Maximum-Hop Count, page 11-21 (optional)
    • Specifying the Link Type to Ensure Rapid Transitions, page 11-22 (optional)
    • Restarting the Protocol Migration Process, page 11-22 (optional)
  • Page 270: Default Rstp And Mstp Configuration

    Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices.
  • Page 271: Specifying The Mst Region Configuration And Enabling Mstp

    To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command. To return to the default VLAN-to-instance map, use the no instance instance-id [vlan vlan-range] MST configuration command. To return to the default name, use the no name MST...
  • Page 272: Configuring The Root Switch

    Note Catalyst 2950 switches running software earlier than Release 12.1(9)EA1 do not support the extended system ID. Catalyst 2950 switches running software earlier than Release 12.1(9)EA1 do not support the MSTP. Note If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch.
  • Page 273 Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
  • Page 274: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails.
  • Page 275: Configuring The Port Priority

    Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Page 276: Configuring The Path Cost

    Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
  • Page 277: Configuring The Switch Priority

    Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the hello time.
  • Page 278: Configuring The Forwarding-Delay Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
  • Page 279: Configuring The Maximum-Aging Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
  • Page 280: Specifying The Link Type To Ensure Rapid Transitions

    EXEC command. Use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command to restart the protocol migration process on a specific interface.
  • Page 281: Displaying The Mst Configuration And Status

    1 to 4094; the valid port-channel range is 1 to 6. For information about other keywords for the show spanning-tree privileged EXEC command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 282 Chapter 11 Configuring RSTP and MSTP Displaying the MST Configuration and Status
  • Page 283: Understanding Optional Spanning-Tree Features

    Chapter 11, “Configuring RSTP and MSTP.” Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
    • Understanding Optional Spanning-Tree Features, page 12-1
    • Configuring Optional Spanning-Tree Features, page 12-13...
  • Page 284: Understanding Port Fast

    The MSTP is available only if you have the enhanced software image installed on your switch.
    Figure 12-1 Port Fast-Enabled Ports (labels: Catalyst 3550 series switch, Catalyst 2950-T or 2950G switch, Catalyst 2950 switch, server, workstations, Port Fast-enabled ports)
  • Page 285: Understanding Bpdu Guard

    If your switch is running PVST or MSTP, you can enable the BPDU filtering feature for the entire switch or for an interface. The MSTP is available only if you have the enhanced software image installed on your switch.
  • Page 286: Understanding Uplinkfast

    Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 287: Understanding Cross-Stack Uplinkfast

    CSUF might not provide a fast transition all the time; in these cases, the normal spanning-tree transition occurs, completing in 30 to 40 seconds. For more information, see the “Events that Cause Fast Convergence” section on page 12-7.
  • Page 288: How Csuf Works

    CSUF implements the Stack Membership Discovery Protocol and the Fast Uplink Transition Protocol. Using the Stack Membership Discovery Protocol, all stack switches build a neighbor list of stack members through the receipt of discovery hello packets. When certain link loss or spanning-tree events...
  • Page 289: Events That Cause Fast Convergence

    • A new switch, which might become the stack root, is added to the stack. • A switch other than the stack root is powered off or failed. • A link fails between stack ports on the multidrop backbone.
  • Page 290: Limitations

    • Each stack switch can be connected to the spanning-tree backbone through one uplink. • If the stack consists of a mixture of Catalyst 3550, Catalyst 3500 XL, Catalyst 2950, and Catalyst 2900 XL switches, up to 64 VLANs with spanning tree enabled are supported. If the stack consists of only Catalyst 3550 switches, up to 128 VLANs with spanning tree enabled are supported.
  • Page 291 GigaStack GBIC connection for normal convergence [Figure: Catalyst 2950G-12, Catalyst 2950G-24, and Catalyst 2950G-48 switches]
  • Page 292: Understanding Backbonefast

    BackboneFast then transitions the Layer 2 interface on Switch C to the forwarding state, providing a path from Switch B to Switch A. This...
  • Page 293 BPDUs, and the new switch learns that Switch B is the designated bridge to Switch A, the root switch. Figure 12-9 Adding a Switch in a Shared-Medium Topology
  • Page 294: Understanding Root Guard

    Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
  • Page 295: Understanding Loop Guard

    • Enabling UplinkFast for Use with Redundant Links, page 12-17 • Enabling Cross-Stack UplinkFast, page 12-18 • Enabling BackboneFast, page 12-19 • Enabling Root Guard, page 12-19 • Enabling Loop Guard, page 12-20
  • Page 296: Default Optional Spanning-Tree Configuration

    Make sure that there are no loops in the network between the trunk port and the workstation or server before you enable Port Fast on a trunk port. By default, Port Fast is disabled on all ports.
  • Page 297: Enabling Bpdu Guard

    Enter interface configuration mode, and specify the interface connected to an end station. Step 4 spanning-tree portfast Enable the Port Fast feature. Step 5 Return to privileged EXEC mode.
  • Page 298: Enabling Bpdu Filtering

    Enable the Port Fast feature. Step 5 Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 299: Enabling Uplinkfast For Use With Redundant Links

    To return the update packet rate to the default setting, use the no spanning-tree uplinkfast max-update-rate global configuration command. To disable UplinkFast, use the no spanning-tree uplinkfast command.
  • Page 300: Enabling Cross-Stack Uplinkfast

    To disable CSUF on an interface, use the no spanning-tree stack-port interface configuration command. To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
  • Page 301: Enabling Backbonefast

    Enter interface configuration mode, and specify an interface to configure. Step 3 spanning-tree guard root Enable root guard on the interface. By default, root guard is disabled on all interfaces. Step 4 Return to privileged EXEC mode.
  • Page 302: Enabling Loop Guard

    To globally disable loop guard, use the no spanning-tree loopguard default global configuration command. You can override the setting of the no spanning-tree loopguard default global configuration command by using the spanning-tree guard loop interface configuration command.
  • Page 303: Displaying The Spanning-Tree Status

    Displays a summary of port states or displays the total lines of the spanning-tree state section. For information about other keywords for the show spanning-tree privileged EXEC command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 304 Chapter 12 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status
  • Page 305: Chapter 13 Configuring Vlans

    VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. The chapter includes these sections: • Understanding VLANs, page 13-1 • Configuring Normal-Range VLANs, page 13-6...
  • Page 306: Supported Vlans

    When you assign switch interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership. Supported VLANs Table 13-1 lists the number of supported VLANs on Catalyst 2950 switches. Table 13-1 Maximum Number of Supported VLANs Number of Switch Model...
  • Page 307: Management Vlans

    VLAN change. • On switches running an IOS software version that is earlier than Cisco IOS 12.0(5)XP, you cannot change the management VLAN. Switches running Cisco IOS 12.0(5)XP should be upgraded to the current software release as described in the release notes.
  • Page 308: Determining The Management Vlan For A New Switch

    VLAN for new switches when they are connected to the cluster. In this way, the new switch can exchange Cisco Discovery Protocol (CDP) messages with the command switch and be proposed as a cluster candidate.
  • Page 309: Vlan Port Membership Modes

    When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the “Managing the MAC Address Table” section on page 7-52.
  • Page 310: Configuring Normal-Range Vlans

    Caution If you want to modify the VLAN configuration, use the commands described in these sections and in the Catalyst 2950 Desktop Switch Command Reference for this release. To change the VTP configuration, see Chapter 14, “Configuring VTP.” You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.
  • Page 311: Token Ring Vlans

    Assigning Static-Access Ports to a VLAN, page 13-13 Token Ring VLANs Although the Catalyst 2950 switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
  • Page 312: Vlan Configuration Mode Options

    Catalyst 2950 Desktop Switch Command Reference for this release. When you have finished the configuration, you must exit config-vlan mode for the configuration to take effect. To display the VLAN configuration, enter the show vlan privileged EXEC command.
  • Page 313: Saving Vlan Configuration

    VLAN and VTP configurations in the startup configuration file, so the switch uses the VLAN database configuration. Caution If the startup configuration file contains extended-range VLAN configuration, this information will be lost when the system boots up.
  • Page 314: Default Ethernet Vlan Configuration

    VLAN IDs greater than 1006, but they are not added to the VLAN database. See the “Configuring Extended-Range VLANs” section on page 13-14. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 13-6.
  • Page 315 VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4. Step 3 vlan vlan-id mtu mtu-size (Optional) To modify a VLAN, identify the VLAN and change a characteristic, such as the MTU size.
  • Page 316: Deleting A Vlan

    To delete a VLAN by using VLAN configuration mode, use the vlan database privileged EXEC command to enter VLAN configuration mode and the no vlan vlan-id VLAN configuration command.
  • Page 317: Assigning Static-Access Ports To A Vlan

    Switch(config-if)# end
    Switch#
    These examples show how to verify the configuration:
    Switch# show running-config interface fastethernet0/1
    Building configuration...
    Current configuration : 74 bytes
    interface FastEthernet0/12
    switchport access vlan 2
    switchport mode access
  • Page 318: Configuring Extended-Range Vlans

    Table 13-3 on page 13-10 for the default configuration for Ethernet VLANs. You can change only the MTU size on extended-range VLANs; all other characteristics must remain at the default state.
  • Page 319: Configuration Guidelines For Extended-Range Vlans

    MTU size is the only parameter you can change. Refer to the description of the vlan global configuration command in the Catalyst 2950 Desktop Switch Command Reference for defaults of all parameters. If you enter an extended-range VLAN ID when the switch is not in VTP transparent mode, an error message is generated when you exit from config-vlan mode, and the extended-range VLAN is not created.
  • Page 320: Displaying Vlans

    (accessed by entering the vlan database privileged EXEC command). For a list of the VLAN IDs on the switch, use the show running-config vlan privileged EXEC command, optionally entering a VLAN ID range. Table 13-4 lists the commands for monitoring VLANs.
  • Page 321 For more details about the show command options and explanations of output fields, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This is an example of output from the show vlan privileged EXEC command, showing all VLANs:...
  • Page 322: Configuring Vlan Trunks

    Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network.
  • Page 323 Figure 13-2 shows a network of switches that are connected by 802.1Q trunks. Figure 13-2 Catalyst 2950, 2900 XL, and 3500 XL Switches in an 802.1Q Trunking Environment...
  • Page 324: 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 325: Default Layer 2 Ethernet Interface Vlan Configuration

    STP port priority for each VLAN – STP Port Fast setting – trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
  • Page 326: Configuring A Trunk Port

    To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port.
  • Page 327: Defining The Allowed Vlans On A Trunk

    VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.
  • Page 328: Changing The Pruning-Eligible List

    | none | remove} vlan-list For explanations about using the add, except, none, and remove keywords, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen.
  • Page 329: Configuring The Native Vlan For Untagged Traffic

    14-4). [,vlan[,vlan[,,,]] For explanations about using the add, except, none, and remove keywords, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. Separate nonconsecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs. Valid IDs are from 2 to 1001.
  • Page 330: Load Sharing Using Stp

    6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
  • Page 331 Step 18 spanning-tree vlan 9 port-priority 10 Assign the port priority of 10 for VLAN 9. Step 19 spanning-tree vlan 10 port-priority 10 Assign the port priority of 10 for VLAN 10.
  • Page 332: Load Sharing Using Stp Path Cost

    Enter global configuration mode on Switch 1. Step 2 interface fastethernet 0/1 Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
  • Page 333 In the display, verify that the path costs are set correctly for interfaces Fast Ethernet 0/1 and 0/2. Step 18 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 334: Configuring Vmps

    Configuring VMPS The Catalyst 2950 switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through the VLAN Query Protocol (VQP). VMPS dynamically assigns dynamic access port VLAN membership.
  • Page 335: Dynamic Port Vlan Membership

    TFTP server that functions as a VMPS server. The file contains VMPS information, such as the domain name, the fallback VLAN name, and the MAC-address-to-VLAN mapping. The Catalyst 2950 switch cannot act as the VMPS, but you can use a Catalyst 5000 or Catalyst 6000 series switch as the VMPS.
  • Page 336

    !VLAN port Policies
    !vmps-port-policies {vlan-name | vlan-group }
    ! { port-group | device port }
    vmps-port-policies vlan-group Engineering
    port-group WiringCloset1
    vmps-port-policies vlan-name Green
    device 198.92.30.32 port 0/8
  • Page 337: Default Vmps Configuration

    • VQP does not support extended-range VLANs (VLAN IDs higher than 1006). Extended-range VLANs cannot be configured by VMPS. • The VLAN configured on the VMPS server should not be a voice VLAN.
  • Page 338: Configuring The Vmps Client

    Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode and the switch port that is connected to the end station. Step 3 switchport mode access Set the port to access mode.
  • Page 339: Reconfirming Vlan Memberships

    Interval field of the display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Page 340: Changing The Retry Count

    The result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its CMS or SNMP equivalent.
  • Page 341: Troubleshooting Dynamic Port Vlan Membership

    The end stations are connected to these clients: – Catalyst 2950 Switch 2 – Catalyst 3500 XL Switch 9 • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 342 [Figure labels: Switch 4 to Switch 10, addresses 172.20.26.154 to 172.20.26.159, dynamic-access port, trunk port, client station 2, secondary VMPS, Server 3]
  • Page 343: Configuring Vtp

    This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. The chapter includes these sections: • Understanding VTP, page 14-1 •...
  • Page 344: The Vtp Domain

    For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-8.
  • Page 345: Vtp Modes

    Otherwise, the switch cannot receive any VTP advertisements. For more information on trunk ports, see the “Configuring VLAN Trunks” section on page 13-18. VTP advertisements distribute this global domain information: • VTP domain name • VTP configuration revision number • Update identity and update timestamp
  • Page 346: Vtp Version 2

    Switch 4 are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch 1, Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.
  • Page 347 VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
  • Page 348: Default Vtp Configuration

    VTP configuration.

    Table 14-2 Default VTP Configuration

    Feature                      Default Setting
    VTP domain name              Null.
    VTP mode                     Server.
    VTP version 2 enable state   Version 2 is disabled.
    VTP password                 None.
    VTP pruning                  Disabled.
  • Page 349: Vtp Configuration Options

    VTP file name, the interface providing updated VTP information, the domain name, and the mode. For more information about available keywords, refer to the command descriptions in the Catalyst 2950 Desktop Switch Command Reference for this release. The VTP information is saved in the VLAN database.
  • Page 350: Vtp Configuration Guidelines

    Release 12.0(5.1)WC, to a version that does support VTP, ports that belong to a VLAN retain their VLAN membership, and VTP enters transparent mode. The domain name becomes UPGRADE, and VTP does not propagate the VLAN configuration to other switches.
  • Page 351: Vtp Version

    For more information about the command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. If you are configuring extended-range VLANs on the switch, the switch must be in VTP transparent mode.
  • Page 352 Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display. Step 7 copy running-config startup-config (Optional) Save the VTP mode in the startup configuration file.
  • Page 353: Configuring A Vtp Client

    Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display. Step 7 copy running-config startup-config (Optional) Save the VTP mode in the startup configuration file.
  • Page 354: Disabling Vtp (Vtp Transparent Mode)

    To return the switch to VTP server mode, use the no vtp mode global configuration command. Note If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
  • Page 355: Enabling Vtp Version 2

    You can also enable VTP version 2 by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp v2-mode VLAN configuration command. To disable VTP version 2, use the no vtp v2-mode VLAN configuration command.
  • Page 356: Enabling Vtp Pruning

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List” section on page 13-24.
  • Page 357: Adding A Vtp Client Switch To A Vtp Domain

    Note You can use the vtp mode transparent global configuration command or the vtp transparent VLAN configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain.
  • Page 358: Monitoring Vtp

    Number of config revision errors Number of config digest errors Number of V1 summary errors VTP pruning statistics: Trunk Join Transmitted Join Received Summary advts received from non-pruning-capable device ---------------- ---------------- ---------------- ---------------------------
  • Page 359: Chapter 15 Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP Phone and carry IP voice traffic. Because the sound quality of an IP phone call can deteriorate if the data is unevenly transmitted, the switch supports quality of service (QoS) based on IEEE 802.1P class of service (CoS).
  • Page 360: Configuring Voice Vlan

    • Default Voice VLAN Configuration, page 15-2 • Configuration Guidelines, page 15-3 • Configuring a Port to Connect to a Cisco 7960 IP Phone, page 15-3 Default Voice VLAN Configuration The voice VLAN feature is disabled by default. When the voice VLAN feature is enabled, untagged traffic is sent according to the default CoS priority of the port.
  • Page 361: Configuration Guidelines

    Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco 7960 IP Phone can carry mixed traffic.
  • Page 362: Configuring Ports To Carry Voice Traffic In 802.1Q Frames

    Instruct the switch port to use 802.1P priority tagging for voice traffic and to use the default native VLAN to carry all traffic. By default, the Cisco IP phone forwards the voice traffic with an 802.1P priority of 5.
  • Page 363: Overriding The Cos Priority Of Incoming Data Frames

    Overriding the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
  • Page 364: Displaying Voice Vlan

    To display voice VLAN for an interface, use the show interfaces interface-id switchport privileged EXEC command. For detailed information about the fields in the display, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 365: Configuring Igmp Snooping And Mvr

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1.
  • Page 366: Joining A Multicast Group

    IGMP snooping. Multicast group membership lists can consist of both user-defined and IGMP snooping-learned settings. Catalyst 2950 switches support a maximum of 255 IP multicast groups and support both IGMP version 1 and IGMP version 2. If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast groups from this port on the VLAN are deleted.
  • Page 367 If another host (for example, Host 4) sends an IGMP join message for the same group (Figure 16-2), the CPU receives that message and adds the port number of Host 4 to the multicast forwarding table as shown in Table 16-2.
  • Page 368: Leaving A Multicast Group

    The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message. Immediate-Leave processing ensures optimal bandwidth management for all hosts on a switched network, even when multiple multicast groups are in use simultaneously.
  • Page 369: Configuring Igmp Snooping

    VLANs, but it can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.
  • Page 370: Setting The Snooping Method

    • Snooping on Protocol Independent Multicast (PIM) packets and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) self-join packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command You can configure the switch to either snoop on PIM/DVMRP packets or to listen to CGMP self-join packets.
  • Page 371: Configuring A Multicast Router Port

    Configuring a Multicast Router Port To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
  • Page 372: Configuring A Host Statically To Join A Group

    • vlan-id is the multicast group VLAN ID. • mac-address is the group MAC address. • interface-id is the member port. Step 3 Return to privileged EXEC mode.
  • Page 373: Enabling Igmp Immediate-Leave Processing

    Verify that Immediate Leave is enabled on the VLAN. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable Immediate-Leave processing, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
  • Page 374: Displaying Igmp Snooping Information

    • igmp-snooping—Displays only entries learned through IGMP snooping. • count—Displays only the total number of entries for the selected criteria, not the actual entries.
  • Page 375: Understanding Multicast Vlan Registration

    VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs. The Catalyst 2950 switch has dynamic and compatible modes of MVR operation: • When operating in MVR dynamic mode, the switch performs standard IGMP snooping. IGMP information packets are sent to the switch CPU, but multicast data packets are not sent to the CPU.
  • Page 376 [Figure labels: receiver ports RP1 to RP7, customer premises, IGMP join, set-top boxes, data] RP = Receiver Port, SP = Source Port. Note: All source ports belong to the multicast VLAN.
  • Page 377: Configuring Mvr

    IP multicast addresses (in the range 224.0.0.xx). Note For complete syntax and usage information for the commands used in this section, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. Default MVR Configuration Table 16-5 shows the default MVR configuration.
  • Page 378: Configuring Mvr Global Parameters

    Catalyst 2900 XL and Catalyst 3500 XL switches and does not support IGMP dynamic joins on source ports. The default is compatible mode. Step 7 Exit configuration mode.
  • Page 379: Configuring Mvr Interfaces

    It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN.
  • Page 380

    Switch# show mvr interface gigabitethernet0/6 members
    239.255.0.0 DYNAMIC ACTIVE
    239.255.0.1 DYNAMIC ACTIVE
    239.255.0.2 DYNAMIC ACTIVE
    239.255.0.3 DYNAMIC ACTIVE
    239.255.0.4 DYNAMIC ACTIVE
    239.255.0.5 DYNAMIC ACTIVE
    239.255.0.6 DYNAMIC ACTIVE
    239.255.0.7 DYNAMIC ACTIVE
    239.255.0.8 DYNAMIC ACTIVE
    239.255.0.9 DYNAMIC ACTIVE
  • Page 381: Displaying Mvr Information

    Displays MVR status and values for the switch—whether MVR is enabled or disabled, the multicast VLAN, the number of multicast groups (always 256 for the Catalyst 2950 switch), the query response time, and the MVR mode.
        show mvr interface [interface-id]  Displays all MVR interfaces and their MVR configurations.
  • Page 382: Configuring Igmp Filtering

    IP multicast traffic. The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic. You can also set the maximum number of IGMP groups that an interface can join.
  • Page 383: Default Igmp Filtering Configuration

    IP multicast address. You can use the range command multiple times to enter multiple addresses or ranges of addresses. Step 5 Return to privileged EXEC mode.
  • Page 384: Applying Igmp Profiles

    This example shows how to apply IGMP profile 4 to an interface and verify the configuration.
        Switch# configure terminal
        Switch(config)# interface fastethernet0/12
        Switch(config-if)# ip igmp filter 4
        Switch(config-if)# end
        Switch# show running-config interface fastethernet0/12
  • Page 385: Setting The Maximum Number Of Igmp Groups

        Switch(config-if)# end
        Switch# show running-config interface fastethernet0/12
        Building configuration...
        Current configuration : 123 bytes
        interface FastEthernet0/12
         no ip address
         shutdown
         snmp trap link-status
         ip igmp max-groups 25
         ip igmp filter 4
  • Page 386: Displaying Igmp Filtering Configuration

        Switch# show running-config interface fastethernet0/12
        Building configuration...
        Current configuration : 123 bytes
        interface FastEthernet0/12
         no ip address
         shutdown
         snmp trap link-status
         ip igmp max-groups 25
         ip igmp filter 4
  • Page 387: Chapter 17 Configuring Port-Based Traffic Control

    This chapter describes how to configure the port-based traffic control features on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
    This chapter consists of these sections:
      • Configuring Storm Control, page 17-1
      ...
  • Page 388: Disabling Storm Control

        Step 5  Return to privileged EXEC mode.
        Step 6  show storm-control {broadcast | multicast | unicast}  Verify your entries.
        Step 7  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 389: Configuring Protected Ports

    Layer 3 device such as a router. To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as private VLAN edge ports). Protected ports do not forward any traffic to protected ports on the same switch.
  • Page 390: Defining The Maximum Secure Address Count

    If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you should set the maximum allowed secure addresses on the port to more than 1.
  • Page 391: Enabling Port Security

        Step 2  interface interface-id  Enter interface configuration mode for the port that you want to unsecure.
        Step 3  no switchport port-security  Disable port security.
        Step 4  Return to privileged EXEC mode.
  • Page 392: Configuring And Enabling Port Security Aging

    Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a port. You can enable or disable aging of statically configured secure addresses on a per port basis.
  • Page 393: Displaying Port-Based Traffic Control Settings

    The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
  • Page 394
        Voice VLAN:none (Inactive)
        Appliance trust:none
    This is an example of output from the show interfaces counters broadcast privileged EXEC command:
        Switch# show interfaces counters broadcast
        Port BcastSuppDiscards
        Fa0/1
        Fa0/2
        Fa0/3
        Fa0/4
  • Page 395
        Port status :SecureUp
        Violation mode :Shutdown
        Maximum MAC Addresses :11
        Total MAC Addresses :11
        Configured MAC Addresses :3
        Aging time :20 mins
        Aging type :Inactivity
        SecureStatic address aging :Enabled
        Security Violation count :0
  • Page 396
        Switch# show storm-control fastethernet0/4 multicast
        Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
        ---------  -------------  -------------  -------  -------  -------  ----------
        Fa0/4      inactive       inactive       100.00%  100.00%  0.00%
  • Page 397: Chapter 18 Configuring Udld

    This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
    This chapter consists of these sections:
      • Understanding UDLD, page 18-1
      ...
  • Page 398 Switch A on this port. However, Switch A does not receive traffic from Switch B on the same port. UDLD detects the problem and disables the port.
  • Page 399: Configuring Udld

        Step 3  Return to privileged EXEC mode.
        Step 4  show udld  Verify your entries.
        Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 400: Enabling Udld On An Interface

      • The no shutdown interface configuration command restarts the disabled interface.
      • The no udld enable global configuration command re-enables UDLD globally.
      • The udld disable interface configuration command re-enables UDLD on the specified interface.
  • Page 401: Displaying Udld Status

    To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command.
  • Page 402: Displaying Udld Status

  • Page 403: Chapter 19 Configuring Cdp

    Understanding CDP
    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 404: Configuring Cdp

    The range is from 10 to 255 seconds; the default is 180 seconds.
        Step 4  cdp advertise-v2  (Optional) Configure CDP to send version-2 advertisements. This is the default state.
        Step 5  Return to privileged EXEC mode.
  • Page 405: Disabling And Enabling Cdp

    Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled:
        Step    Command  Purpose
        Step 1  configure terminal  Enter global configuration mode.
        Step 2  cdp run  Enable CDP after disabling it.
        Step 3  Return to privileged EXEC mode.
  • Page 406: Disabling And Enabling Cdp On An Interface

    (Optional) Save your entries in the configuration file.
    This example shows how to enable CDP on an interface when it has been disabled.
        Switch# configure terminal
        Switch(config)# interface fastethernet0/5
        Switch(config-if)# cdp enable
        Switch(config-if)# end
  • Page 407: Monitoring And Maintaining Cdp

        Version :
        Cisco Internetwork Operating System Software
        IOS (tm) C2950 Software (C2950-I6Q4L2-M), Experimental Version 12.1(20011119:23 611) [eleza-cal2_throttle 141]
        Copyright (c) 1986-2002 by cisco Systems, Inc.
        Compiled Tue 05-Feb-02 09:06 by eleza
  • Page 408
          Sending CDP packets every 60 seconds
          Holdtime is 180 seconds
        FastEthernet0/3 is up, line protocol is up
          Encapsulation ARPA
          Sending CDP packets every 60 seconds
          Holdtime is 180 seconds
  • Page 409
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 50882, Input: 52510
  • Page 411: Chapter 20 Configuring Span

    This chapter describes how to configure Switch Port Analyzer (SPAN) on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
    This chapter consists of these sections:
      • Understanding SPAN, page 20-1
      ...
  • Page 412: Span Concepts And Terminology

    SPAN session. You can monitor a series or range of ingress ports in a SPAN session. At the destination port, the packets are seen with the 802.1Q tag, but packets from the switch CPU to the destination port are without the 802.1Q tag.
  • Page 413: Source Port

    The destination port has these characteristics:
      • It must reside on the same switch as the source port.
      • It can be any Ethernet physical port.
      • It cannot be a source port.
  • Page 414: Span Traffic

    Make sure there are no potential loops in the network topology when you enable incoming traffic for a destination port.
      • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.
      ...
  • Page 415: Configuring Span

    A SPAN destination port never participates in any VLAN spanning tree. SPAN does include BPDUs in the monitored traffic, so any spanning-tree BPDUs received on the SPAN destination port for a SPAN session were copied from the SPAN source ports.
  • Page 416: Creating A Span Session And Specifying Ports To Monitor

    This example shows how to set up a SPAN session, session 1, for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared, and then bidirectional traffic is mirrored from source port 1 to destination port 2.
  • Page 417: Removing Ports From A Span Session

    (Optional) Save your entries in the configuration file. To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command.
  • Page 418: Displaying Span Status

    This is an example of output for the show monitor privileged EXEC command for session 1:
        Switch# show monitor session 1
        Session 2
        ---------
        Source Ports:
            RX Only: Gi0/1
            TX Only: None
            Both: None
        Destination Ports:Gi0/2
  • Page 419: Chapter 21 Configuring System Message Logging

    Configuring System Message Logging
    This chapter describes how to configure system message logging on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 420: Configuring System Message Logging

    Table 21-4 on page 21-12.
        severity  Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 21-3 on page 21-9.
  • Page 421: Default System Message Logging Configuration

        Logging server            Disabled.
        Syslog server IP address  None configured.
        Server facility           Local7 (see Table 21-4 on page 21-12).
        Server severity           Informational (and numerically lower levels; see Table 21-3 on page 21-9).
  • Page 422: Disabling And Enabling Message Logging

    Use the show memory privileged EXEC command to view the free processor memory on the switch; however, this value is the maximum available, and the buffer size should not be set to this amount.
  • Page 423 To disable logging to the console, use the no logging console global configuration command. To disable logging to a file, use the no logging file [severity-level-number | type] global configuration command.
  • Page 424: Synchronizing Log Messages

      • (Optional) For limit number-of-buffers, specify the number of buffers to be queued for the terminal after which new messages are dropped. The default is 20.
        Step 4  Return to privileged EXEC mode.
  • Page 425: Enabling And Disabling Timestamps On Log Messages

        1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
    This example shows part of a logging display with the service timestamps log uptime global configuration command enabled:
        00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
  • Page 426: Enabling And Disabling Sequence Numbers In Log Messages

    (see Table 21-3 on page 21-9). For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 21-10.
        Step 5  Return to privileged EXEC mode.
  • Page 427 Error messages about software or hardware malfunctions, displayed at levels warnings through emergencies. These types of messages mean that the functionality of the switch is affected. For information on how to recover from these malfunctions, refer to the Catalyst 2950 Desktop Switch System Message Guide.
  • Page 428: Limiting Syslog Messages Sent To The History Table And To Snmp

    Configuring UNIX Syslog Servers
    The next sections describe how to configure the UNIX server syslog daemon and define the UNIX system logging facility.
  • Page 429: Logging Messages To A Unix Syslog Daemon

        Step 3  logging trap level  Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 21-3 on page 21-9 for level keywords.
  • Page 430: Displaying The Logging Configuration

    To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 431: Chapter 22 Configuring Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
    This chapter consists of these sections:
      ...
  • Page 432: Snmp Versions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
    2. The get-bulk command only works with SNMPv2.
  • Page 433: Snmp Agent Functions

    (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request, get-next-request, and set-request format.
  • Page 434: Configuring Snmp

    SNMP configuration.
    Table 22-2 Default SNMP Configuration
        Feature                 Default Setting
        SNMP agent              Enabled
        SNMP community strings  Read-Only: Public
                                Read-Write: Private
                                Read-Write-all: Secret
        SNMP trap receiver      None configured
        SNMP traps              None enabled
  • Page 435: Disabling The Snmp Agent

    MIB objects. By default, the community string permits read-only access to all objects.
      • (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 436 This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
        Switch(config)# snmp-server community comaccess ro 4
  • Page 437: Configuring Trap Managers And Enabling Traps

    Table 22-3 Switch Notification Types
        Notification Type  Description
        c2900              Generates a trap for Catalyst 2950-specific notifications.
        cluster            Generates a trap when the cluster configuration changes.
        config             Generates a trap for SNMP configuration changes.
  • Page 438 To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
  • Page 439: Setting The Agent Contact And Location Information

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
  • Page 440: Snmp Examples

        Switch(config)# snmp-server enable traps entity
        Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
        Switch(config)# snmp-server enable traps
        Switch(config)# snmp-server host myhost.cisco.com public
    ...
  • Page 441: Chapter 23 Configuring Network Security With Acls

    Chapter 3, “Getting Started with CMS.” You can also use the security wizard to filter inbound traffic on the Catalyst 2950 switches. Filtering can be based on network addresses or TCP/UDP applications. You can choose whether to drop or forward packets that meet the filtering criteria.
  • Page 442: Acls

    In Figure 23-1, ACLs applied at the switch input allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.
  • Page 443: Handling Fragmented And Unfragmented Traffic

    Note: In the first and second ACEs in the examples, the eq keyword after the destination address means to test for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
  • Page 444: Understanding Access Control Parameters

    ACEs were checking different hosts.
    Understanding Access Control Parameters
    Before configuring ACLs on the Catalyst 2950 switches, you must have a thorough understanding of the Access Control Parameters (ACPs). ACPs are referred to as masks in the switch CLI commands, output, and CMS.
  • Page 445: Guidelines For Configuring Acls On The Catalyst 2950 Switches

    ACLs. The Catalyst 2950 switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are significant restrictions as well as differences for ACL configurations on the Catalyst 2950 switches.
  • Page 446: Configuring Acls

    Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the “Configuring IP Services” chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 447: Creating Standard And Extended Ip Acls

    Table 23-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
  • Page 448: Creating A Numbered Standard Acl

    0.0.0.0. (Optional) The source-wildcard applies wildcard bits to the source. (See first bullet item.)
    Note: The log option is not supported on Catalyst 2950 switches.
        Step 3  Return to privileged EXEC mode.
        Step 4  show access-lists [number | name]  Show the access list configuration.
  • Page 449: Creating A Numbered Extended Acl

    – – IP source address IP destination address Fragments – – TCP or UDP Layer 4 Parameters Source port operator Source port Destination port operator Destination port TCP flag – –
  • Page 450
    1. X in a protocol column means support for the filtering parameter.
    2. No support for type of service (TOS) minimize monetary cost bit.
    For more details on the specific keywords relative to each protocol, refer to the Cisco IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 451
      • The keyword host, followed by the 32-bit quantity in dotted-decimal format, as an abbreviation for a single host with source and source-wildcard of source 0.0.0.0.
    Note: Only the ip, tcp, and udp protocols are supported on Catalyst 2950 switches.
        Step 3  show access-lists [number | name]  Verify the access list configuration.
  • Page 452: Creating Named Standard And Extended Acls

      • A standard ACL and an extended ACL cannot have the same name.
      • Numbered ACLs are also available, as described in the “Creating Standard and Extended IP ACLs” section on page 23-7.
  • Page 453
      • any represents a source and source wildcard of 0.0.0.0 255.255.255.255.
    Note: The log option is not supported on Catalyst 2950 switches.
        Step 4  Return to privileged EXEC mode.
        Step 5  show access-lists [number | name]  Show the access list configuration.
  • Page 454: Including Comments About Entries In Acls

    In this example, the Jones subnet is not allowed to use outbound Telnet:
        Switch(config)# ip access-list extended telnetting
        Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
        Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
  • Page 455: Applying The Acl To An Interface Or Terminal Line

    The interface must be a Layer 2 or management interface or a management interface VLAN ID.
        Step 3  ip access-group {access-list-number | name} {in}  Control access to the specified interface.
        Step 4  Return to privileged EXEC mode.
  • Page 456: Displaying Acls

        Standard IP access list 12
            deny 1.3.3.2
        Standard IP access list 32
            permit 172.20.20.20
        Standard IP access list 34
            permit 10.24.35.56
            permit 23.45.56.34
        Extended IP access list 120
        Extended MAC access list mac1
  • Page 457: Displaying Access Groups

    This example shows how to display the ACL configuration of Gigabit Ethernet interface 0/1:
        Switch# show running-config interface gigabitethernet0/1
        Building configuration...
        Current configuration :112 bytes
        interface GigabitEthernet0/1
         ip access-group 11 in
         snmp trap link-status
         no cdp enable
        end
        !
  • Page 458: Examples For Compiling Acls

    Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 23-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link.
  • Page 459 The ACLs are applied to permit Gigabit Ethernet port 0/1, which is configured as a Layer 2 port, with the Marketing_group ACL applied to incoming traffic.
        Switch(config)# interface gigabitethernet0/1
        Switch(config-if)# ip access-group marketing_group in
  • Page 460: Creating Named Mac Extended Acls

    Note: For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
    Note: Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identifier (OUI) is not supported.
  • Page 461: Creating Mac Access Groups

    Display the MAC ACLs applied to the interface.
        Step 5  Return to privileged EXEC mode.
        Step 6  show mac-access group  Display the ACL configuration.
        Step 7  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 462 When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs as a means of network security.
  • Page 463
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
    QoS can be configured either by using the Cluster Management Suite (CMS) or through the command-line interface (CLI).
  • Page 464: Configuring Qos

      • QoS Configuration Examples, page 24-25
    Understanding QoS
    This section describes how QoS is implemented on the Catalyst 2950 switch. If you have the standard software image installed on your switch, some concepts and features in this section might not apply.
  • Page 465: Basic Qos Model

    The result of this determination is passed to the marker. For more information, see the “Policing and Marking” section on page 24-6.
  • Page 466: Classification

    Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level. You specify which fields in the frame or packet that you want to use to classify incoming traffic.
  • Page 467: Classification Based On Qos Acls

    action, and QoS processing begins.
      • Configuration of a deny action is not supported in QoS ACLs on a Catalyst 2950 switch.
      • System-defined masks are allowed in class maps with these restrictions:
          – A combination of system-defined and user-defined masks cannot be used in the multiple class...
  • Page 468: Policing And Marking

    The trust DSCP configuration is meaningless for non-IP traffic. If you configure a port with this option and non-IP traffic is received, the switch assigns the default port CoS value and classifies traffic based on the CoS value.
  • Page 469: Mapping Tables

    Mapping Tables
    Note: This feature is available only if your switch is running the enhanced software image.
    The Catalyst 2950 switches support these types of marking to apply to the switch:
      • CoS value to the DSCP value
      • DSCP value to CoS value
      ...
  • Page 470: Queueing And Scheduling

    How Class of Service Works
    Before you set up 802.1P CoS on a Catalyst 2950 that operates with the Catalyst 6000 family of switches, refer to the Catalyst 6000 documentation. There are differences in the 802.1P implementation, and they should be understood to ensure compatibility.
  • Page 471: Configuring Qos

    Table 24-2 Default QoS Configuration
        The default port CoS value is 0.
        The default port trust state is untrusted.
        No policy maps are configured.
        No policers are configured.
  • Page 472: Configuration Guidelines

    This section describes how to classify incoming traffic by using port trust states:
      • Configuring the Trust State on Ports within the QoS Domain, page 24-11
      • Configuring the CoS Value for an Interface, page 24-13
  • Page 473 Figure 24-3 shows a sample network topology.
    [Figure 24-3 Port Trusted States within the QoS Domain. Labels: Catalyst 3550-12T switch; trusted interface; trunk; Catalyst 2950 wiring closet; classification of traffic performed here.]
  • Page 474 By default, the port is not trusted. Use the cos keyword setting if your network is composed of Ethernet LANs or Catalyst 2950 switches and has no more than two types of traffic. Use the dscp keyword if your network is not composed of only Ethernet LANs and if you are familiar with sophisticated QoS features and implementations.
  • Page 475: Configuring The Cos Value For An Interface

    Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to interfaces. For background information, see the “Classification” section on page 24-4 and the “Policing and Marking” section on page 24-6.
  • Page 476: Classifying Traffic By Using Acls

    Any host with a source address that does not match the ACL statements is rejected. Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255 Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255 Catalyst 2950 Desktop Switch Software Configuration Guide 24-14 78-11380-04...
  • Page 477
    Step 4: show access-lists. Verify your entries.
    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To delete an ACL, use the no access-list access-list-number global configuration command.
  • Page 478 This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.

        Switch(config)# mac access-list extended maclist1
        Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001
  • Page 479 Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index | name acl-name, specify the number or name of the ACL created in Step 3. Step 5 Return to privileged EXEC mode.
  • Page 480: Classifying, Policing, And Marking Traffic By Using Policy Maps

    A policy map can contain multiple class statements, each with different match criteria and policers. • A separate policy-map class can exist for each type of traffic received through an interface. • You can attach only one policy map per interface in the input direction.
  • Page 481 Note: In a policy map, the class named class-default is not supported. The switch does not filter traffic based on the policy map defined by the class class-default policy-map configuration command.
  • Page 482 DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 48000 bps and a normal burst size of 8000 bytes, its DSCP is marked down to a value of 10 and transmitted.
  • Page 483: Configuring Cos Maps

    You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 24-3 shows the default CoS-to-DSCP map.
  • Page 484: Configuring The Dscp-To-Cos Map

    You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and Table 24-4 shows the default DSCP-to-CoS map.
  • Page 485: Configuring Cos And Wrr

    This feature is supported by both the enhanced and standard software images. This section describes how to configure CoS priorities and weighted round-robin (WRR): • CLI: Configuring CoS Priority Queues, page 24-24 • Configuring WRR, page 24-24
  • Page 486: Cli: Configuring Cos Priority Queues

    Display the WRR bandwidth allocation for the CoS priority queues. To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command.
  • Page 487: Displaying Qos Information

    Figure 24-4. It contains this information: • QoS Configuration for the Common Wiring Closet, page 24-26 • QoS Configuration for the Intelligent Wiring Closet, page 24-27
  • Page 488: Qos Configuration For The Common Wiring Closet

    XL switches, you can override this priority with the default value by using the switchport priority default override interface configuration command. For Catalyst 2950 and Catalyst 2900 XL switches and other 3500 XL models that do not have the override feature, the Catalyst 3550-12T switch at the distribution layer can override the 802.1P CoS value by using the mls qos cos override interface...
  • Page 489: Qos Configuration For The Intelligent Wiring Closet

    The intelligent wiring closet in Figure 24-4 is composed of Catalyst 2950 switches. One of the switches is connected to a video server, which has an IP address of 172.20.10.16. The object of this example is to prioritize the video traffic over all other traffic. To do so, a DSCP of 46 is assigned to the video traffic.
  • Page 490
    Step 19: show class-map videoclass, show policy-map videopolicy, show mls qos maps [cos-dscp | dscp-cos]. Verify your entries.
    Step 20: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 491: Chapter 25 Configuring Etherchannels

    Note: The network device to which your switch is connected can impose its own limits on the number of interfaces in the EtherChannel. For Catalyst 2950 switches, the number of EtherChannels is limited to six with eight ports per EtherChannel.
  • Page 492: Understanding Port-Channel Interfaces

    EtherChannel by using the channel-group interface configuration command as shown in Figure 25-2. Each EtherChannel has a logical port-channel interface numbered from 1 to 6.
  • Page 493: Understanding The Port Aggregation Protocol

    Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
  • Page 494: Physical Learners And Aggregate-Port Learners

    Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that learning. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports.
  • Page 495: Pagp Interaction With Other Features

    EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives. The Catalyst 2950 switch uses source-MAC address distribution for a channel if it is connected to a physical learner even if the user configures destination-MAC address distribution.
  • Page 496: Default Etherchannel Configuration

    128 on all interfaces. (Changing this value on Catalyst 2950 switches has no effect.) Load balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 497: Etherchannel Configuration Guidelines

    You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface. Note: Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces.
  • Page 498 “PAgP Modes” section on page 25-3.
    Step 4: Return to privileged EXEC mode.
    Step 5: show running-config. Verify your entries.
    Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 499: Configuring Etherchannel Load Balancing

    If the channel-group interface configuration command is set to on, set the load-distribution method based on the source-MAC address by using the port-channel load-balance src-mac global configuration command. Step 3 Return to privileged EXEC mode.
  • Page 500: Configuring The Pagp Learn Method And Priority

    MAC address, regardless of the configured load distribution method. If the link partner to the Catalyst 2950 switch is a physical learner that has the channel-group interface configuration command set to on, set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
  • Page 501: Chapter 26 Troubleshooting

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the Cisco IOS Command Summary for Release 12.1. This chapter consists of these sections: Avoiding Configuration Conflicts, page 26-1 •...
  • Page 502: Avoiding Autonegotiation Mismatches

    GBIC Security and Identification: Cisco-approved GBIC modules have a serial EEPROM that contains the module serial number, the vendor name and ID, a unique security code, and a cyclic redundancy check (CRC). When a GBIC module is inserted in the switch, the switch software reads the EEPROM to check the serial number, vendor name, and vendor ID, and recomputes the security code and CRC.
  • Page 503: Troubleshooting Cms Sessions

    Note: If you are using a non-Cisco approved GBIC module, remove the GBIC module from the switch, and replace with a Cisco-approved module. After inserting a Cisco-approved GBIC, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 504: Copying Configuration Files To Troubleshoot Configuration Problems

        Mar 01 2001 03:18:16 config.text
        -rwx 1667997 Mar 01 2001 00:02:39 c2950-i6q412-mz.121-9.EA1.bin
        -rwx 3060 Mar 01 2001 00:14:20 vlan.dat
        -rwx Mar 01 2001 00:02:54 env_vars
        7741440 bytes total (3884509 bytes free)
  • Page 505: Using Recovery Procedures

    • Member switches connected to the command switch through a secure port can lose connectivity if the port is disabled due to a security violation. Secure ports are described in the “Configuring Port Security” section on page 17-3.
  • Page 506: Recovering From A Command Switch Failure

    “Creating a Cluster Standby Group” section on page 6-25. For a list of command-capable Catalyst switches, refer to the Release Notes for the Catalyst 2950 Switch on Cisco.com. If you have not configured a standby command switch, and your command switch loses power or fails in some other way, management contact with the member switches is lost, and a new command switch must be installed.
  • Page 507
    Step 17: Start your browser, and enter the IP address of the new command switch.
    Step 18: From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
  • Page 508: Replacing A Failed Command Switch With Another Switch

    When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again.
    Step 9: When prompted, enable the switch as the cluster command switch, and press Return.
  • Page 509: Recovering From A Failed Command Switch Without Hsrp

    The system has been interrupted prior to initializing the flash file system. These commands will initialize the flash file system, and finish loading the operating system software:

        flash_init
        load_helper
        boot

    Step 5: Initialize the Flash file system:

        switch: flash_init
  • Page 510 The configuration file is now reloaded, and you can use the following normal commands to change the password.
    Step 14: Enter global configuration mode:

        switch# config terminal

    Step 15: Change the password:

        switch(config)# enable secret
        switch(config)# enable password
  • Page 511: Recovering From Corrupted Software

    This section explains how you use debug commands to diagnose and resolve internetworking problems: • Enabling Debugging on a Specific Feature, page 26-12 • Enabling All-System Diagnostics, page 26-12 • Redirecting Debug and Error Message Output, page 26-13
  • Page 512: Enabling Debugging On A Specific Feature

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 513: Redirecting Debug And Error Message Output

    Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.
  • Page 515: Appendix

    • CISCO-FLASH-MIB • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO-MAC-NOTIFICATION-MIB • CISCO-MEMORY-POOL-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PROCESS-MIB • CISCO-PRODUCTS-MIB • CISCO-SMI • CISCO-STACKMAKER-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TC • CISCO-TCP-MIB • CISCO-VLAN-MEMBERSHIP-MIB
  • Page 516: Using Ftp To Access The Mib Files

    /pub/mibs/v1 and the /pub/mibs/v2. ftp>
    Step 5: Use the get MIB_filename command to obtain a copy of the MIB file.
    Note: You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml