This chapter describes how to use the device-management features of the Cluster Management Suite (CMS). The features described in this chapter can all be implemented through Visual Switch Manager (VSM), the web-based interface for managing standalone switches, or through Cluster Manager. If you need information on how to group your switches into a cluster, see "Creating and Managing Clusters."
This chapter describes two ways to configure switches:
Certain combinations of port features conflict with one another. For example, if you define a port as the network port for a VLAN, all unknown unicast and multicast traffic is flooded to the port. You cannot also enable port security on that port, because a secure port limits the traffic allowed on it. In Table 4-1, No means that the two referenced features are incompatible.
If you try to enable incompatible features by using CMS, CMS issues a warning message and prevents you from making the change. Redisplay the web page to refresh a CMS window.
| | ATM Port1 | Port Group | Port Security | SPAN Port | Multi-VLAN Port | Network Port | Connect to Cluster? | Private VLAN edge |
|---|---|---|---|---|---|---|---|---|
| ATM Port | - | No | No | No | No | No | Yes | No |
| Port Group | No | - | No | No | Yes | Yes2 | Yes | Yes |
| Port Security | No | No | - | No | No | No | Yes | Yes |
| SPAN Port | No3 | No | No | - | No | No | Yes | Yes |
| Multi-VLAN Port | No | Yes | No | No | - | Yes | Yes | Yes |
| Network Port | No | Yes (source-based only) | No | No | Yes | - | No4 | Yes |
| Connect to Cluster | Yes | Yes | Yes | Yes | Yes | No | - | Yes |
| Private VLAN edge | No | Yes | Yes | Yes5 | Yes | No | Yes | - |
You can configure the software features of this release by using any of the available interfaces. Table 4-2 lists the most important features, their defaults, and where they are described in this guide.
| Feature | Default Setting | Location of Feature and Feature Description | Equivalent IOS CLI Procedure |
|---|---|---|---|
| Network Management | | | |
| Creating clusters | None | Cluster Builder | |
| Removing cluster members | None | Cluster Builder | |
| Upgrading cluster software | Enabled | Cluster Manager: System>Software Upgrade | |
| Displaying graphs | Enabled | Cluster Manager and Cluster Builder | - |
| Configuring SNMP community strings and trap managers | None | Cluster Manager: System>SNMP Management | - |
| Configuring a port | None | Cluster Manager; "Monitoring and Configuring Ports" section | |
| Device Management | | | |
| Switch IP address, subnet mask, and default gateway | 0.0.0.0 | Cluster Manager: System>IP Management | |
| Management VLAN | VLAN 1 | Cluster Manager: Cluster>Management VLAN | |
| Domain name | None | Cluster Manager: System>IP Management | Documentation set for Cisco IOS Release 12.0 on CCO |
| Cisco Discovery Protocol (CDP) | Enabled | - | Documentation set for Cisco IOS Release 12.0 on CCO |
| Address Resolution Protocol (ARP) | Enabled | Cluster Manager: System>ARP Table | Documentation set for Cisco IOS Release 12.0 on CCO |
| System Time Management | None | Cluster Manager: Cluster>System Time Management | Documentation set for Cisco IOS Release 12.0 on CCO |
| Static address assignment | None assigned | Cluster Manager: Security>Address Management | |
| Dynamic address management | Enabled | Cluster Manager: Security>Address Management; "Managing the MAC Address Tables" section and "Changing the Address Aging Time" section | |
| Voice configuration | | | "CLI: Configuring a Port to Connect to a Cisco 7960 IP Phone" section; "CLI: Configuring Inline Power on a Catalyst 3524-PWR Switch" section; "CLI: Overriding the CoS Priority of Incoming Frames" section |
| VLAN membership | Static- | Cluster Manager: VLAN>VLAN Membership; "Displaying VLAN Membership" section | |
| VMPS Configuration | - | Cluster Manager: Cluster>VMPS Configuration | "CLI: Entering the IP Address of the VMPS" section; "CLI: Configuring Dynamic Ports on VMPS Clients" section |
| VTP Management | VTP server mode | Cluster Manager: VLAN>VTP Management | |
| Performance | | | |
| Autonegotiation of duplex mode and port speeds | Enabled | Cluster Manager: Port>Port Configuration | |
| Gigabit Ethernet flow control | Any | Cluster Manager: Port>Port Configuration | "CLI: Configuring Flow Control on Gigabit Ethernet Ports" section |
| Flooding Control | | | |
| Storm control | Disabled | Cluster Manager: Port>Flooding Control | |
| Flooding unknown unicast and multicast packets | Enabled | Cluster Manager: Port>Flooding Control | |
| Cisco Group Management Protocol (CGMP) | Enabled | Cluster Manager: Device>Cisco Group Management Protocol | "CLI: Enabling the CGMP Fast Leave Feature" section |
| Network Port | Disabled | - | |
| Network Redundancy | | | |
| Hot Standby Router Protocol | Disabled | | "CLI: Creating a Standby Group" section |
| Spanning Tree Protocol | Enabled | Cluster Manager: Device>Spanning Tree Protocol | "CLI: Changing the Path Cost" section; "CLI: Changing the Port Priority" section |
| Unidirectional link detection | | - | |
| Port grouping | None assigned | Cluster Manager: Port>Port Grouping (EC) | |
| Diagnostics | | | |
| SPAN port monitoring | Disabled | Cluster Manager: Port>Switch Port Analyzer (SPAN) | |
| Console, buffer, and file logging | Disabled | - | Documentation set for Cisco IOS Release 12.0 on CCO |
| Remote monitoring (RMON) | Disabled | - | Documentation set for Cisco IOS Release 12.0 on CCO |
| Security | | | |
| Password | None | | |
| Addressing security | Disabled | Cluster Manager: Security>Address Management | |
| Trap manager | 0.0.0.0 | Cluster Manager: System>SNMP Management | "CLI: Adding a Trap Manager" section |
| Community strings | public | Cluster Manager: System>SNMP Configuration | Documentation set for Cisco IOS Release 12.0 on CCO |
| Port security | Disabled | Cluster Manager: Security>Port Security | |
| TACACS+ | Disabled | | |
| Private VLAN edge | Disabled | - | |
Visual Switch Manager (VSM) is one of the CMS interfaces for managing individual switch features. If you are configuring a standalone switch, you can access VSM directly by entering the switch IP address in the browser Location field (Netscape Communicator) or Address field (Internet Explorer). Click Cluster Management Suite or Visual Switch Manager on the Cisco Systems Access Page, and the switch senses that the IP address refers to a standalone switch and displays the VSM home page.
Note: Menu options are arranged slightly differently in VSM than in Cluster Manager. For the complete list of the options available, see the "VSM Menu Bar Options" section.
A browser plug-in is required to access the HTML interface. See the "Installing the Required Plug-In" section for more information.
Before you can create a cluster, one switch must be assigned an IP address and enabled as the command switch. See the "Command Switch Requirements" section to ensure that the switch meets all the requirements.
To enable a command switch, select Cluster>Cluster Command Configuration from the menu bar, and select Enable on the Cluster Configuration window. You can use up to 28 characters to name your cluster. After you have enabled the command switch, select Cluster>Cluster Builder to begin building your cluster. To build your cluster by using the CLI, see the "CLI: Creating a Cluster" section.

If you change the enable secret password, your connection with the switch breaks, and the browser prompts you for the new password. You can only change a password by using the CLI. If you have forgotten your password, see the "Recovering from a Lost or Forgotten Password" section.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Port Group (EtherChannel) window (Figure 4-4) to create Fast EtherChannel and Gigabit EtherChannel port groups. These port groups act as single logical ports for high-bandwidth connections between switches or between switches and servers.
Note: You can create port groups of either Gigabit Ethernet ports or 100BaseTX ports, but you cannot create a port group that contains both port speeds at the same time.
To display this window, select Port>Port Grouping (EtherChannel) from the menu bar.
For the restrictions that apply to port groups, see the "Managing Configuration Conflicts" section.
This software release supports two different types of port groups: source-based forwarding port groups and destination-based forwarding port groups.
Source-based forwarding port groups distribute packets forwarded to the group based on the source address of incoming packets. You can configure up to eight ports in a source-based forwarding port group. Source-based forwarding is enabled by default.
Destination-based port groups distribute packets forwarded to the group based on the destination address of incoming packets. You can configure an unlimited number of ports in a destination-based port group.
You can create up to 12 port groups, all source-based, all destination-based, or a mix of source-based and destination-based groups. All ports within one group must be of the same type; that is, they must be all source-based or all destination-based. You can independently configure port groups that link switches, but you must configure both ends of a port group consistently.
In Figure 4-3, a port group of two workstations communicates with a router. Because the router is a single-MAC address device, source-based forwarding ensures that the switch uses all available bandwidth to the router. The router is configured for destination-based forwarding because the large number of stations ensures that the traffic is evenly distributed through the port-group ports on the router.

The switch treats the port group as a single logical port; therefore, when you create a port group, the switch uses the configuration of the first port for all ports added to the group. If you add a port and change the forwarding method, it changes the forwarding for all ports in the group. After the group is created, changing STP or VLAN membership parameters for one port in the group automatically changes the parameters for all ports. Each port group has one port that carries all unknown multicast, broadcast, and STP packets.
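The Figure 4-3 scenario, modeled as an added example (not switch software): the page does not give the link-selection algorithm, so the hash below (low address byte modulo the number of member links) is an assumption, as are the constructed MAC addresses. What the model shows is why the switch side keys on source addresses and the router side on destination addresses.

```python
"""Source- versus destination-based port-group forwarding, as a model.

Added example, not switch software: the page does not give the link-selection
algorithm, so the hash below (low address byte modulo the number of member
links) is an assumption. What the model shows is the property the page
describes for Figure 4-3: the side facing many stations spreads traffic when
it keys on the many addresses, and funnels everything onto one link when it
keys on the router's single MAC address.
"""
from collections import Counter

ROUTER_MAC = "00:00:0c:aa:bb:01"                                     # constructed
WORKSTATION_MACS = [f"00:00:0c:00:00:{i:02x}" for i in range(1, 9)]  # constructed
FRAMES_PER_STATION = 10


def select_link(mac: str, links: int) -> int:
    """Assumed hash: the low byte of the address picks the member link."""
    return bytes.fromhex(mac.replace(":", ""))[-1] % links


def distribute(frames, links: int, method: str) -> dict:
    """Count frames per member link.

    frames: iterable of (source_mac, destination_mac) pairs.
    method: 'source' or 'destination', the port group's forwarding type.
    """
    if method not in ("source", "destination"):
        raise ValueError("forwarding method must be 'source' or 'destination'")
    counts = Counter({link: 0 for link in range(links)})
    for src, dst in frames:
        key = src if method == "source" else dst
        counts[select_link(key, links)] += 1
    return dict(counts)


def workstation_to_router_frames():
    """Frames the switch forwards over the port group toward the router."""
    return [(ws, ROUTER_MAC) for ws in WORKSTATION_MACS
            for _ in range(FRAMES_PER_STATION)]


def router_to_workstation_frames():
    """Frames the router forwards over the port group toward the stations."""
    return [(ROUTER_MAC, ws) for ws in WORKSTATION_MACS
            for _ in range(FRAMES_PER_STATION)]


def idle_links(counts: dict) -> int:
    """Member links carrying no traffic, i.e. bandwidth the group does not use."""
    return sum(1 for n in counts.values() if n == 0)


if __name__ == "__main__":
    # Two-link group, as in the figure; compare both methods on both sides.
    for side, frames in (("switch", workstation_to_router_frames()),
                         ("router", router_to_workstation_frames())):
        for method in ("source", "destination"):
            counts = distribute(frames, 2, method)
            print(f"{side:6} side, {method:11}-based: {counts}, "
                  f"idle links: {idle_links(counts)}")
```

With the wrong method on either side, one of the two member links carries nothing, which is the loss of bandwidth the paragraph warns about.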


The following restrictions apply to entering static addresses that are forwarded to port groups:
Beginning in privileged EXEC mode, follow these steps to create a two-port group:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the first port to be added to the group. |
| Step 3 | port group 1 distribution destination | Assign the port to group 1 with destination-based forwarding. |
| Step 4 | interface interface | Enter the second port to be added to the group. |
| Step 5 | port group 1 distribution destination | Assign the port to group 1 with destination-based forwarding. |
| Step 6 | end | Return to privileged EXEC mode. |
| Step 7 | show running-config | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
You can monitor traffic on a given port by forwarding incoming and outgoing traffic on the port to another port in the same VLAN. Use the Switch Port Analyzer (SPAN) window (Figure 4-6) to enable port monitoring on a port, and use the Modify the Ports Being Monitored window (Figure 4-7) to select the ports to be monitored. A SPAN port cannot monitor ports in a different VLAN, and a SPAN port must be a static-access port. Any number of ports can be defined as SPAN ports, and any combination of ports can be monitored.
To display this window, select Port>Switch Port Analyzer from the menu bar.
For the restrictions that apply to SPAN ports, see the "Managing Configuration Conflicts" section.


Beginning in privileged EXEC mode, follow these steps to enable switch port analyzer:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port that acts as the monitor port. |
| Step 3 | port monitor interface | Enable port monitoring on the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to disable switch port analyzer:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port number of the monitor port. |
| Step 3 | no port monitor interface | Disable port monitoring on the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Flooding Controls window (Figure 4-8) to block the forwarding of unnecessary flooded traffic. You can use three flooding techniques:
To display this window, select Port>Flooding Controls from the menu bar.
A packet storm occurs when a large number of broadcast, unicast, or multicast packets are received on a port. Forwarding these packets can cause the network to slow down or to time out. Storm control is configured for the switch as a whole but operates on a per-port basis. By default, storm control is disabled.
Storm control uses high and low thresholds to block and then restore the forwarding of broadcast, unicast, or multicast packets. You can also set the switch to shut down the port when the rising threshold is reached.
The rising threshold is the number of packets that a switch port can receive before forwarding is blocked. The falling threshold is the number of packets below which the switch resumes normal forwarding. In general, the higher the threshold, the less effective the protection against broadcast storms. The maximum half-duplex transmission on a 100BaseT link is 148,000 packets per second, but you can enter a threshold of up to 4294967295 broadcast packets per second.
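The rising/falling threshold behaviour described above, as an added model (not switch code). One-second rate samples and the exact comparisons (block when the rate exceeds the rising threshold, resume when it drops below the falling one) are assumptions; the page gives only the thresholds' meaning and the two limits the model quotes.

```python
"""Storm-control threshold behaviour, as an added model (not switch code).

It models what the page describes: a per-port rising and falling threshold
on packets per second for one traffic class, blocking that class when the
rate exceeds the rising threshold (or shutting the port down if that action
is selected), resuming below the falling threshold, and raising a trap event
at each crossing (the effect of 'port storm-control trap'). One-second
samples and the '>' / '<' comparisons are assumptions.
"""
from dataclasses import dataclass, field

MAX_100BASET_HALF_DUPLEX_PPS = 148_000   # figure quoted by the page
MAX_THRESHOLD = 4_294_967_295            # largest threshold the CLI accepts, per the page


@dataclass
class StormControl:
    rising: int
    falling: int
    shutdown_on_rising: bool = False     # "shut down the port when the rising threshold is reached"
    blocked: bool = False
    shut_down: bool = False
    traps: list = field(default_factory=list)

    def __post_init__(self):
        # The CLI procedure warns: the rising threshold must be greater than the falling one.
        if not 0 <= self.falling < self.rising <= MAX_THRESHOLD:
            raise ValueError("need 0 <= falling < rising <= 4294967295")

    def can_trigger_on_100baset_half_duplex(self) -> bool:
        """A rising threshold above what the link can deliver never blocks anything."""
        return self.rising <= MAX_100BASET_HALF_DUPLEX_PPS

    def observe(self, pps: int) -> str:
        """Process one one-second rate sample; return the port's state afterwards."""
        if self.shut_down:
            return "shutdown"        # stays down until an administrator re-enables the port
        if not self.blocked and pps > self.rising:
            if self.shutdown_on_rising:
                self.shut_down = True
                self.traps.append(f"rising threshold {self.rising} exceeded ({pps} pps): port shut down")
                return "shutdown"
            self.blocked = True
            self.traps.append(f"rising threshold {self.rising} exceeded ({pps} pps): forwarding blocked")
        elif self.blocked and pps < self.falling:
            # Between the two thresholds the port stays blocked: this hysteresis band
            # is why the falling threshold must sit below the rising one.
            self.blocked = False
            self.traps.append(f"rate fell below {self.falling} ({pps} pps): forwarding resumed")
        return "blocked" if self.blocked else "forwarding"


def run(control: StormControl, samples) -> list:
    """Apply a sequence of per-second rate samples; return the state after each."""
    return [control.observe(pps) for pps in samples]


if __name__ == "__main__":
    # Constructed broadcast rates: a burst, then a slow decay through the band
    # between the two thresholds, where the port remains blocked.
    sc = StormControl(rising=1000, falling=500)
    samples = [100, 1200, 900, 600, 400, 100]
    for pps, state in zip(samples, run(sc, samples)):
        print(f"{pps:>5} pps -> {state}")
    for event in sc.traps:
        print("trap:", event)
    wide_open = StormControl(rising=MAX_THRESHOLD, falling=0)
    print("maximum threshold can trigger on 100BaseT half duplex:",
          wide_open.can_trigger_on_100baset_half_duplex())
```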
To configure storm control, right-click a switch chassis in Cluster Manager, and select Port>Flooding Controls. Select one of the Storm tabs (Figure 4-8), select a port, and click Modify. Set the parameters on the Flooding Controls Configuration pop-up (Figure 4-9).


If you replace the broadcast keyword with unicast or multicast, the following procedure also enables storm control for unicast or multicast packets.
Beginning in privileged EXEC mode, follow these steps to enable broadcast-storm control.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to configure. |
| Step 3 | port storm-control broadcast [threshold {rising rising-number falling falling-number}] | Enter the rising and falling thresholds for broadcast packets. Make sure the rising threshold is greater than the falling threshold. |
| Step 4 | port storm-control trap | Generate an SNMP trap when the traffic on the port crosses the rising or falling threshold. |
| Step 5 | end | Return to privileged EXEC mode. |
| Step 6 | show port storm-control [interface] | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to disable broadcast-storm control.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to configure. |
| Step 3 | no port storm-control broadcast | Disable port storm control. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show port storm-control [interface] | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
By default, the switch floods packets with unknown destination MAC addresses to all ports. Some configurations do not require flooding. For example, a port that has only manually assigned addresses has no unknown destinations, and flooding serves no purpose. Therefore, you can disable the flooding of unicast and multicast packets on a per-port basis. Ordinarily, flooded traffic does not cross VLAN boundaries, but multi-VLAN ports flood traffic to all VLANs they belong to.
To block flooded traffic, select the Unknown MACs tab on the Flooding Control window to display the Flooding Controls Configuration pop-up (Figure 4-10).

Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to a port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to configure. |
| Step 3 | port block multicast | Block multicast forwarding to the port. |
| Step 4 | port block unicast | Block unicast flooding to the port. |
| Step 5 | end | Return to privileged EXEC mode. |
| Step 6 | show port block {multicast \| unicast} interface | Verify your entries, entering the command once for the multicast option and once for the unicast option. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to resume normal forwarding on a port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to configure. |
| Step 3 | no port block multicast | Enable multicast forwarding to the port. |
| Step 4 | no port block unicast | Enable unicast flooding to the port. |
| Step 5 | end | Return to privileged EXEC mode. |
| Step 6 | show port block {multicast \| unicast} interface | Verify your entries, entering the command once for the multicast option and once for the unicast option. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Network ports are assigned per VLAN and can reduce flooded traffic on your network. The switch forwards all traffic with unknown destination addresses to the network port instead of flooding the traffic to all ports in the VLAN.
When you configure a port as the network port, the switch deletes all associated addresses from the address table and disables learning on the port. If you configure other ports in the VLAN as secure ports, the addresses on those ports are not aged. If you move a network port to a VLAN without a network port, it becomes the network port for the new VLAN.
You cannot change the settings for unicast and multicast flooding on a network port. You can assign only one network port per VLAN. For the restrictions that apply to a network port, see the "Managing Configuration Conflicts" section.
Caution: Do not attempt to connect cluster members through a network port. A network port cannot link cluster members.
Beginning in privileged EXEC mode, follow these steps to define a network port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | port network | Define the port as the network port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to disable a network port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | no port network | Disable the port as the network port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the System Time Management window (Figure 4-11) to set the system time for a switch or enable an external source such as Network Time Protocol (NTP) to supply time to the switch.
You can use this window to set the switch time by using one of the following techniques:
To display this window, select Cluster>System Time Management from the menu bar.
Enter the date and a 24-hour clock time setting on the System Time Management window. If you are entering the time for an American time zone, enter the three-letter abbreviation for the time zone in the Name of Time Zone field, such as PST for Pacific standard time. If you are identifying the time zone by referring to Greenwich mean time, enter UTC (universal coordinated time) in the Name of Time Zone field. You then must enter a negative or positive number as an offset to indicate the number of time zones between the switch and Greenwich, England. Enter a negative number if the switch is west of Greenwich, England, and east of the international date line. For example, California is eight time zones west of Greenwich, so you would enter -8 in the Hours Offset From UTC field. Enter a positive number if the switch is east of Greenwich. You can also enter negative and positive numbers for minutes.
You can also set the date and time by using the CLI. The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.

To configure daylight saving time, click the Set Daylight Saving Time tab (Figure 4-12). You can configure the switch to change to daylight saving time on a particular day every year, on a day that you enter, or not at all.

In complex networks, it is often prudent to distribute time information from a central server. NTP can distribute time information by responding to requests from clients or by broadcasting time information. You can use the Network Time Protocol window (Figure 4-13) to enable these options and to enter authentication information to accompany NTP client requests.
To display this window, click Network Time Protocol on the System Time Management window.
You can also configure NTP by using the CLI. The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.

You configure the switch as an NTP client by entering the IP addresses of up to ten NTP servers in the IP Address field. Click Preferred Server to specify which server should be used first. You can also enter an authentication key to be used as a password when requests for time information are sent to the server.
To ensure the validity of information received from NTP servers, you can authenticate NTP messages with public-key encryption. This procedure must be coordinated with the administrator of the NTP servers: the information you enter on this window will be matched by the servers to authenticate it.
Click Help for more information about entering information in the Key Number, Key Value, and Encryption Type fields.
You can configure the switch to receive NTP broadcast messages if there is an NTP broadcast server, such as a router, broadcasting time information on the network. You can also enter a delay in the Estimated Round-Trip Delay field to account for round-trip delay between the client and the NTP broadcast server.
Use the IP Management window (Figure 4-14) to change or enter IP information for the switch. Some of this information, such as the IP address, was previously entered.
You can use this window to perform the following tasks:
To display this window, select System>IP Management from the menu bar.

You can use a BOOTP server to automatically assign IP information to the switch; however, the BOOTP server must be set up in advance with a database of physical MAC addresses and corresponding IP addresses, subnet masks, and default gateway addresses. In addition, the switch must be able to access the BOOTP server through one of its ports. At startup a switch without an IP address requests the information from the BOOTP server; the requested information is saved in the switch running configuration file. To ensure that the IP information is saved when the switch is restarted, select System>Save Configuration from the menu bar. If you are using the CLI, save the configuration by entering the write memory command in privileged EXEC mode.
You can also manually assign an IP address, mask, and default gateway to the switch through the management console. This information is displayed in the IP Address, IP Mask, and Default Gateway fields of the IP Management window.
You can change the information in these fields. The mask identifies the bits that denote the network number in the IP address. When you use the mask to subnet a network, the mask is then referred to as a subnet mask. The broadcast address is reserved for sending messages to all hosts. The CPU sends traffic to an unknown IP address through the default gateway.
Caution: Changing the command switch IP address on this window ends your VSM session and any SNMP or Telnet sessions in progress. Restart the Cluster Manager by entering the new IP address in the browser Location field (Netscape Communicator) or Address field (Internet Explorer), as described in the "Using VSM" section.
Beginning in privileged EXEC mode, follow these steps to enter the IP information:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface vlan 1 | Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. |
| Step 3 | ip address ip_address subnet_mask | Enter the IP address and subnet mask. |
| Step 4 | exit | Return to global configuration mode. |
| Step 5 | ip default-gateway ip_address | Enter the IP address of the default router. |
| Step 6 | end | Return to privileged EXEC mode. |
| Step 7 | show running-config | Verify that the information was entered correctly by displaying the running configuration. If the information is incorrect, repeat the procedure. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the following procedure to remove the IP information from a switch.
Note: Using the no ip address command in configuration mode disables the IP protocol stack as well as removing the IP information. Cluster members without IP addresses rely on the IP protocol stack being enabled.
Beginning in privileged EXEC mode, follow these steps to remove an IP address:
| | Command | Purpose |
|---|---|---|
| Step 1 | clear ip address vlan 1 ip_address subnet_mask | Remove the IP address and subnet mask. |
| Step 2 | end | Return to privileged EXEC mode. |
| Step 3 | show running-config | Verify that the information was removed by displaying the running configuration. |

Caution: If you are removing the IP address through a Telnet session, your connection to the switch will be lost.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Each unique Internet Protocol (IP) address can have a host name associated with it. The IOS software maintains a cache of host name-to-address mappings for use by the EXEC mode connect, telnet, ping, and related Telnet support operations. This cache speeds the process of converting names to addresses.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, the File Transfer Protocol (FTP) system for example, is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server (DNS), whose job is to hold a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names and then specify a name server and enable the DNS, the Internet's global naming scheme that uniquely identifies network devices.

You can specify a default domain name that the software uses to complete domain name requests. You can specify either a single domain name or a list of domain names. When you specify a domain name, any IP host name without a domain name will have that domain name appended to it before being added to the host table.
To specify a domain name, enter the name into the Domain Name field of the IP Configuration tab of the IP Management window (Figure 4-15), and click OK. Do not include the initial period that separates an unqualified name (names without a dotted-decimal domain name) from the domain name.
You can also configure the DNS name by using the CLI. The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can assign device names that uniquely identify your devices within the entire internetwork. The Internet's global naming scheme, the DNS, accomplishes this task. This service is enabled by default.
Use the SNMP Management window (Figure 4-16) to configure your switch for SNMP management. If your switch is part of a cluster, the clustering software can change SNMP parameters (such as host names) when the cluster is created. If you are configuring a cluster for SNMP, see the "Configuring SNMP for a Cluster" section.
You can use this window to perform the following tasks:
To display this window, select System>SNMP Configuration from the menu bar.
SNMP is enabled by default and must be enabled for Cluster Management features to work properly. If you deselect Enable SNMP and click Apply, SNMP is disabled, and the SNMP parameters on this window are disabled. For information on SNMP and Cluster Management, see the "Managing Cluster Switches Through SNMP" section.
SNMP is always enabled for 1900 and 2820 switches.
Community strings serve as passwords for SNMP messages to permit access to the agent on the switch. If you are entering community strings for a cluster member, see the "Configuring Community Strings for Cluster Switches" section. You can enter community strings with the following characteristics:
| Access | Meaning |
|---|---|
| Read-only (RO) | Requests accompanied by the string can display MIB-object information. |
| Read-write (RW) | Requests accompanied by the string can display MIB-object information and set MIB objects. |
Use the Community Strings tab (Figure 4-17) to add and remove community strings. You can also use the CLI to configure SNMP community strings. The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.


A trap manager is a management station that receives and processes traps. When you configure a trap manager, community strings for each member switch must be unique. If a member switch has an IP address assigned to it, the management station accesses the switch by using its assigned IP address. Use the Trap Managers tab (Figure 4-18) to configure trap managers and enter trap manager community strings.
By default, no trap manager is defined, and no traps are issued. Select a check box to enable one of the following classes of traps:
- Generate traps whenever the switch configuration changes.
- Generate the supported SNMP traps.
- Generate traps when the switch starts a management console CLI session.
- Generate a trap for each VLAN Membership Policy Server (VMPS) change.
- Generate a trap for each VLAN Trunk Protocol (VTP) change.
- Generate the switch-specific traps. These traps are in the private enterprise-specific MIB.

Beginning in privileged EXEC mode, follow these steps to add a trap manager and community string:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | config terminal | Enter global configuration mode. |
| Step 2 | snmp-server host 172.2.128.263 traps1 snmp vlan-membership | Enter the trap manager IP address, community string, and the traps to generate. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify that the information was entered correctly by displaying the running configuration. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
To communicate with a device (on Ethernet, for example), the software first must determine the 48-bit MAC or local data link address of that device. The process of determining the local data link address from an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and VLAN ID. Taking an IP address as input, ARP determines the associated MAC address. Once a MAC address is determined, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.
Use the ARP Table window (Figure 4-19) to display the table and change the timeout value.
To display this window, select System>ARP Table from the menu bar. ARP entries added manually to the table do not age and must be manually removed.
You can manually add entries to the ARP Table by using the CLI; however, these entries do not age and must be manually removed. The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Address Management window (Figure 4-21) to manage the MAC address tables that the switch uses to forward traffic between ports. All MAC addresses in the address tables are associated with one or more ports. These MAC tables include the following types of addresses:
To display this window, select Security>Address Management from the menu bar.
The address tables list the destination MAC address and the associated VLAN ID, module, and port number associated with the address. Figure 4-20 shows an example list of addresses as they would appear in the dynamic, secure, or static address table.

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN. An address can be secure in one VLAN and dynamic in another. Addresses that are statically entered in one VLAN must be static addresses in all other VLANs.

Dynamic addresses are source MAC addresses that the switch learns and then drops when they are not in use. Use the Aging Time field to define how long the switch retains unseen addresses in the table. This parameter applies to all VLANs.
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses; it can cause delays in establishing connectivity when a workstation is moved to a new port.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | mac-address-table aging-time seconds | Enter the number of seconds that dynamic addresses are to be retained in the address table. You can enter a number from 10 to 1000000. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table aging-time | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to remove a dynamic address entry:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | no mac-address-table dynamic hw-addr | Enter the MAC address to be removed from the dynamic MAC address table. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table | Verify your entry. |
You can remove all dynamic entries by using the clear mac-address-table dynamic command in privileged EXEC mode.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The secure address table contains secure MAC addresses and their associated ports and VLANs. A secure address is a manually entered unicast address that is forwarded to only one port per VLAN. If you enter an address that is already assigned to another port, the switch reassigns the secure address to the new port.
You can enter a secure port address even when the port does not yet belong to a VLAN. When the port is later assigned to a VLAN, packets destined for that address are forwarded to the port.
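The per-VLAN learning, aging and unknown-destination flooding described above, together with the secure-address rule that an address is forwarded to only one port per VLAN and is reassigned when entered for another port, as an added Python model. This is not the switch's own code; the port names, MAC addresses and traffic sequence are constructed for the illustration.

```python
"""Model of a per-VLAN MAC address table with dynamic aging and secure addresses.

Added example, not switch software. Port names, MAC addresses and the frame
sequence in demo() are constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    kind: str          # "dynamic" or "secure"
    last_seen: float   # seconds; only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging_time=300):
        # The CLI range for mac-address-table aging-time is 10..1000000 seconds.
        if not 10 <= aging_time <= 1000000:
            raise ValueError("aging-time must be between 10 and 1000000 seconds")
        self.aging_time = aging_time
        self.vlan_of = {}      # access port -> VLAN ID
        self.tables = {}       # VLAN ID -> {mac: Entry}; each VLAN has its own table
        self.flood_count = 0   # how often an unknown destination forced a flood

    def assign_port(self, port, vlan):
        self.vlan_of[port] = vlan
        self.tables.setdefault(vlan, {})

    def add_secure(self, mac, port, vlan):
        # A secure address belongs to exactly one port per VLAN: entering it for
        # another port reassigns it instead of creating a second entry.
        self.tables.setdefault(vlan, {})[mac] = Entry(port, "secure", 0.0)

    def age(self, now):
        # Dynamic entries not seen for aging_time are dropped; secure entries never age.
        for table in self.tables.values():
            stale = [m for m, e in table.items()
                     if e.kind == "dynamic" and now - e.last_seen >= self.aging_time]
            for mac in stale:
                del table[mac]

    def receive(self, in_port, src, dst, now):
        """Learn src on in_port and return the set of ports the frame is sent to."""
        vlan = self.vlan_of[in_port]
        table = self.tables.setdefault(vlan, {})
        entry = table.get(src)
        if entry is None:
            table[src] = Entry(in_port, "dynamic", now)
        elif entry.kind == "dynamic":
            entry.port, entry.last_seen = in_port, now
        # A secure source address is never moved by learning.
        target = table.get(dst)
        if target is None:
            # Unknown in this VLAN: flood to every other port of the same VLAN.
            self.flood_count += 1
            return {p for p, v in self.vlan_of.items() if v == vlan and p != in_port}
        return {target.port} if target.port != in_port else set()


def demo():
    sw = MacTable(aging_time=10)
    for port in ("Fa0/1", "Fa0/2", "Fa0/3"):
        sw.assign_port(port, vlan=1)
    sw.assign_port("Fa0/4", vlan=5)
    sw.assign_port("Fa0/5", vlan=5)
    a, b, c = "0000.0c01.0001", "0000.0c01.0002", "0000.0c01.0003"  # constructed MACs
    r1 = sw.receive("Fa0/1", a, b, now=0)     # b unknown: flooded to Fa0/2, Fa0/3
    r2 = sw.receive("Fa0/2", b, a, now=1)     # a known: Fa0/1 only
    sw.age(now=12)                            # a and b unseen for >= 10 s: dropped
    r3 = sw.receive("Fa0/2", b, a, now=12)    # a aged out: flooded again
    sw.add_secure(c, "Fa0/3", vlan=1)
    sw.add_secure(c, "Fa0/1", vlan=1)         # reassigns c from Fa0/3 to Fa0/1
    sw.age(now=10_000)                        # secure entry for c survives aging
    r4 = sw.receive("Fa0/2", b, c, now=10_000)
    r5 = sw.receive("Fa0/4", b, a, now=10_000)  # VLAN 5 table knows nothing of a
    return r1, r2, r3, r4, sw.tables[1][c].port, r5, sw.flood_count


if __name__ == "__main__":
    print(demo())
```

The same MAC address `a` is known in VLAN 1 and unknown in VLAN 5, which is why the last frame is flooded: each VLAN keeps its own logical table, as the text states.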
You can use the Secure Address tab (Figure 4-22) to remove individual secure addresses or a group of them. To display this window, click the Secure Address tab on the Address Management window. Click the New button to display the New Address window (Figure 4-23), and enter a new secure address.

After you have entered the secure address, select Security>Port Security from the menu bar to secure the port by using the Port Security window.

Beginning in privileged EXEC mode, follow these steps to add a secure address:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | mac-address-table secure hw-addr interface | Enter the MAC address, its associated port, and the VLAN ID. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table secure | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to remove a secure address:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | no mac-address-table secure hw-addr vlan vlan-id | Enter the secure MAC address, its associated port, and the VLAN ID to be removed. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table secure | Verify your entry. |
You can remove all secure addresses by using the clear mac-address-table secure command in privileged EXEC mode.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
A static address has the following characteristics:
By clicking the Static Address tab on the Address Management window (Figure 4-21), you can add and remove static addresses. You can also define the forwarding behavior for the static address. Click Forwarding to display the Static Address Forwarding window (Figure 4-24).
On the Static Address Forwarding window, you determine how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you select on the forwarding map.
The Received On Port column lists the ports on which a packet with the static address is received. The Forward to Port(s) column lists the ports to which packets with that static address can be forwarded. Select a row, and click Modify to change the entries for an address.
A static address in one VLAN must be a static address in other VLANs. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.

Follow these rules if you are configuring a static address to forward to ports in an EtherChannel port group:
Static addresses are entered in the address table with an in-port-list, an out-port-list, and a VLAN ID, if needed. Packets received from the in-port are forwarded to ports listed in the out-port-list.
Note: If the in-port and out-port-list parameters are all access ports in a single VLAN, you can omit the VLAN ID. In this case, the switch recognizes the VLAN as that associated with the in-port VLAN. Otherwise, you must supply the VLAN ID.
Beginning in privileged EXEC mode, follow these steps to add a static address:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | mac-address-table static hw-addr in-port out-port-list vlan vlan-id | Enter the MAC address, the input port, the ports to which it can be forwarded, and the VLAN ID of those ports. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table static | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to remove a static address:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | no mac-address-table static hw-addr in-port in-port out-port-list out-port-list vlan vlan-id | Enter the static MAC address, the input port, the ports to which it can be forwarded, and the VLAN ID to be removed. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac-address-table static | Verify your entry. |
You can remove all static addresses by using the clear mac-address-table static command in privileged EXEC mode.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Port Security window (Figure 4-25) to enable port security on a port and to define the actions to take place when a security violation occurs. As part of securing the port, you can also define the size of the address table for the port.
To display this window, select Security>Port Security from the menu bar. To modify port-security parameters for several ports at once, select the rows by using the mouse, and click Modify to display the Port Security Configuration window (Figure 4-26).
Secured ports generate address-security violations under the following conditions:
Limiting the number of devices that can connect to a secure port has the following advantages:
The following fields validate port security or indicate security violations:
| Field | Description |
|---|---|
| Interface | Port to secure. |
| Security | Enable port security on the port. |
| Trap | Issue a trap when an address-security violation occurs. |
| Shutdown Port | Disable the port when an address-security violation occurs. |
| Secure Addresses | Number of addresses in the address table for this port. Secure ports have at least one in this field. |
| Max Addresses | Number of addresses that the address table for the port can contain. |
| Security Rejects | The number of unauthorized addresses seen on the port. |
For the restrictions that apply to secure ports, see the "Managing Configuration Conflicts" section.
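The violation handling these fields describe (a per-port address table with a maximum size, the Trap and Shutdown Port actions, and the Security Rejects counter), as an added Python model of a secured port. It is not the switch's software; port names, MAC addresses and the event text are constructed.

```python
"""Model of port security: bounded per-port address table, trap/shutdown actions.

Added example, not switch software. Port names, MAC addresses and event strings
are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_addresses: int = 1            # port security max-mac-count
    trap: bool = True                 # issue a trap on an address-security violation
    shutdown: bool = False            # port security action shutdown
    secure_addresses: set = field(default_factory=set)
    security_rejects: int = 0         # the Security Rejects field
    enabled: bool = True
    events: list = field(default_factory=list)

    def frame_from(self, src_mac):
        """Return True if a frame with this source address is accepted on the port."""
        if not self.enabled:
            self.events.append(f"{self.name}: dropped frame from {src_mac}, port is shut down")
            return False
        if src_mac in self.secure_addresses:
            return True
        if len(self.secure_addresses) < self.max_addresses:
            # The port's address table still has room: the address becomes secure.
            self.secure_addresses.add(src_mac)
            return True
        # Address-security violation: an unauthorized address on a full table.
        self.security_rejects += 1
        if self.trap:
            self.events.append(f"{self.name}: TRAP address-security violation by {src_mac}")
        if self.shutdown:
            self.enabled = False
            self.events.append(f"{self.name}: port shut down after violation")
        return False


def demo():
    a, b, c = "0000.0c02.0001", "0000.0c02.0002", "0000.0c02.0003"  # constructed MACs
    # Trap only: the port stays up and keeps counting rejects.
    trap_port = SecurePort("Fa0/1", max_addresses=1, trap=True, shutdown=False)
    trap_results = [trap_port.frame_from(m) for m in (a, a, b, c, a)]
    # Shutdown action: the first violation disables the port, even for a secure address.
    shut_port = SecurePort("Fa0/2", max_addresses=2, trap=True, shutdown=True)
    shut_results = [shut_port.frame_from(m) for m in (a, b, c, a)]
    return trap_port, shut_port, trap_results, shut_results


if __name__ == "__main__":
    tp, sp, tr, sr = demo()
    print(tr, tp.security_rejects, tp.events)
    print(sr, sp.security_rejects, sp.events)
```

With the trap-only action an attacker plugging in extra stations only raises the reject counter and sends traps, so the counter and the trap manager are what the operator must watch; with the shutdown action the port goes down and has to be re-enabled by an administrator, which is the stricter but more disruptive choice.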


Beginning in privileged EXEC mode, follow these steps to enable port security.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode for the port you want to secure. |
| Step 3 | port security max-mac-count 1 | Secure the port and set the address table to one address. |
| Step 4 | port security action shutdown | Set the port to shut down when a security violation occurs. |
| Step 5 | end | Return to privileged EXEC mode. |
| Step 6 | show port security | Verify the entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to disable port security.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode for the port you want to unsecure. |
| Step 3 | no port security | Disable port security. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show port security | Verify the entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Cisco IOS command-line interface and Cisco Discovery Protocol (CDP) to enable CDP for the switch, set global CDP parameters, and display information about neighboring Cisco devices.
CDP enables the Cluster Management Suite to display a graphical view of the network. For example, the switch uses CDP to find cluster candidates and maintain information about cluster members and other devices up to three cluster-enabled devices away from the command switch.
If necessary, you can configure CDP to discover switches running the Cluster Management Suite up to seven devices away from the command switch. Devices that do not run clustering software display as edge devices, and no device connected to them can be discovered by CDP.
Note: Creating and maintaining switch clusters is based on the regular exchange of CDP messages. Disabling CDP can interrupt cluster discovery. For more information on the role that CDP plays in clustering, see the "Automatically Discovering Cluster Candidates" section.
You can change the default configuration of CDP on the command switch to continue discovering devices up to seven hops away. Figure 4-27 shows a command switch that can discover candidates up to seven devices away from it. Figure 4-27 also shows the command switch connected to a Catalyst 5000 series switch. Because the Catalyst 5000 is a CDP device that does not support clustering, the command switch cannot learn about cluster candidate switches connected to it, even if they are running the Cluster Management Suite.

Beginning in privileged EXEC mode, follow these steps to configure the number of hops that CDP discovers.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | cluster discovery hop-count number | Enter the number of hops that you want CDP to search for cluster candidates. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify the change by displaying the running configuration file. The hop count is displayed in the file. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Cisco Group Management Protocol (CGMP) window (Figure 4-28) to enable CGMP and the CGMP Fast Leave feature. CGMP reduces the unnecessary flooding of IP multicast packets by limiting the transmission of these packets to CGMP clients that request them. The Fast Leave feature accelerates the removal of unused CGMP groups. By default, CGMP is enabled, and the Fast Leave feature is disabled.
End stations issue join messages to become part of a CGMP group and issue leave messages to leave the group. The membership of these groups is managed by the switch and by connected routers through the further exchange of CGMP messages.
CGMP groups are maintained on a per-VLAN basis: a multicast IP address packet can be forwarded to one list of ports in one VLAN and to a different list of ports in another VLAN. When a CGMP group is added, it is added on a per-VLAN, per-group basis. When a CGMP group is removed, it is only removed in a given VLAN.
You can use this window to perform the following tasks:
To display this window, select Device>Cisco Group Management Protocol from the menu bar.

The CGMP Fast Leave feature reduces the delay when group members leave groups. When an end station requests to leave a CGMP group, the group remains enabled for that VLAN until all members have requested to leave. With the Fast Leave feature enabled, the switch immediately checks if there are other members attached to its ports in that group. If there are no other members, the switch removes the port from the group. If there are no other ports in the group, the switch sends a message to routers connected to the VLAN to delete the entire group.
The Fast Leave feature functions only if CGMP is enabled. The client must be running IGMP version 2 for the Fast Leave feature to function properly.
Beginning in privileged EXEC mode, follow these steps to enable the CGMP Fast Leave feature:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | cgmp leave-processing | Enable CGMP and CGMP Fast Leave. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to disable the CGMP Fast Leave feature:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | no cgmp leave-processing | Disable CGMP and CGMP Fast Leave. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The router hold-time is the number of seconds the switch waits before removing (aging) a router entry and ceasing to exchange messages with it. If it is the last router entry on a VLAN, then all CGMP groups on that VLAN are removed. You can thus enter a lower number in the Router Hold-Time field (Figure 4-28) to accelerate the removal of CGMP groups.
Note: You can also use the Router Ports tab (Figure 4-28) to remove router ports before the router hold-time has expired.
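The Fast Leave processing and the router hold-time aging described in this section, as an added Python model of a per-VLAN CGMP group table. This is not the switch's code; the VLAN numbers, port names, group address, host names and the message strings sent towards routers are constructed.

```python
"""Model of per-VLAN CGMP groups with Fast Leave and router hold-time aging.

Added example, not switch software. VLANs, ports, group addresses, host names
and message strings are constructed.
"""


class CgmpTable:
    def __init__(self, router_holdtime=300, fast_leave=False):
        self.holdtime = router_holdtime
        self.fast_leave = fast_leave
        self.groups = {}      # (vlan, group) -> {port: set of member hosts}
        self.routers = {}     # vlan -> {router port: expiry time in seconds}
        self.messages = []    # constructed "delete group" messages sent to routers

    def router_seen(self, vlan, port, now):
        # Each CGMP message from a router refreshes its entry for hold-time seconds.
        self.routers.setdefault(vlan, {})[port] = now + self.holdtime

    def join(self, vlan, group, port, host):
        # Groups are added per VLAN and per group.
        self.groups.setdefault((vlan, group), {}).setdefault(port, set()).add(host)

    def leave(self, vlan, group, port, host):
        members = self.groups.get((vlan, group))
        if not members or host not in members.get(port, ()):
            return
        members[port].discard(host)
        if self.fast_leave:
            # Fast Leave: no other member on this port -> remove the port at once.
            if not members[port]:
                del members[port]
        elif any(members.values()):
            # Without Fast Leave the group stays up until every member has left.
            return
        else:
            members.clear()
        if not members:
            # No port left in the group: tell the routers on the VLAN to delete it.
            del self.groups[(vlan, group)]
            self.messages.append(f"vlan {vlan}: delete group {group}")

    def age_routers(self, now):
        for vlan, ports in list(self.routers.items()):
            for port, expiry in list(ports.items()):
                if now >= expiry:
                    del ports[port]
            if not ports:
                # The last router entry on the VLAN expired: drop all its CGMP groups.
                del self.routers[vlan]
                for key in [k for k in self.groups if k[0] == vlan]:
                    del self.groups[key]

    def forward_ports(self, vlan, group):
        """Ports that currently receive traffic for the group in this VLAN."""
        return set(self.groups.get((vlan, group), {}))


def demo():
    g = "224.1.1.1"  # constructed group address
    fast = CgmpTable(router_holdtime=400, fast_leave=True)
    fast.router_seen(1, "Gi0/1", now=0)
    fast.router_seen(5, "Gi0/1", now=0)
    for vlan, port, host in ((1, "Fa0/1", "h1"), (1, "Fa0/1", "h2"),
                             (1, "Fa0/2", "h3"), (5, "Fa0/7", "h9")):
        fast.join(vlan, g, port, host)
    fast.leave(1, g, "Fa0/1", "h1")
    p1 = fast.forward_ports(1, g)         # h2 still on Fa0/1: {"Fa0/1", "Fa0/2"}
    fast.leave(1, g, "Fa0/1", "h2")
    p2 = fast.forward_ports(1, g)         # Fa0/1 removed immediately: {"Fa0/2"}
    fast.leave(1, g, "Fa0/2", "h3")
    p3 = fast.forward_ports(1, g)         # group deleted in VLAN 1, VLAN 5 untouched
    p5_before = fast.forward_ports(5, g)
    fast.age_routers(now=399)
    fast.age_routers(now=400)             # hold-time expired: VLAN 5 groups removed
    p5_after = fast.forward_ports(5, g)

    slow = CgmpTable(fast_leave=False)
    slow.join(1, g, "Fa0/1", "h1")
    slow.join(1, g, "Fa0/1", "h2")
    slow.leave(1, g, "Fa0/1", "h1")
    s1 = slow.forward_ports(1, g)         # still {"Fa0/1"}: h2 has not left
    slow.leave(1, g, "Fa0/1", "h2")
    s2 = slow.forward_ports(1, g)
    return p1, p2, p3, p5_before, p5_after, s1, s2, fast.messages, slow.messages


if __name__ == "__main__":
    print(demo())
```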
Beginning in privileged EXEC mode, follow these steps to change the router hold-time.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | cgmp holdtime 400 | Configure the number of seconds the switch is to wait before dropping a router entry. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
You can reduce the forwarding of IP multicast packets by removing groups from the Current Multicast Groups table. Each entry in the table consists of the VLAN, IGMP multicast address, and ports.

You can use the CLI to clear all CGMP groups, all CGMP groups in a VLAN, or all routers, their ports, and their expiration times. Beginning in privileged EXEC mode, follow these steps to remove all multicast groups.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | clear cgmp group | Clear all CGMP groups on all VLANs on the switch. |
| Step 2 | show cgmp | Verify your entry by displaying CGMP information. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Use the Spanning Tree Protocol (STP) window (Figure 4-30) to change parameters for STP, an industry standard for avoiding loops in switched networks. Each VLAN supports its own instance of STP.
You can use this window to perform the following tasks:
To display this window, select Device>Spanning Tree Protocol from the menu bar to display STP information for the command switch, or right-click on a switch, and select Device>Spanning Tree Protocol from the pop-up menu to display the STP information defined for the switch. You can also click the STP icon on the toolbar.
The STP rootguard option is described in the "CLI: Configuring STP Root Guard" section.

You can create a redundant backbone with STP by connecting two of the switch ports to another device or to two different devices. STP automatically disables one port but enables it if the other port is lost. If one link is high-speed and the other low-speed, the low-speed link is always disabled. If the speed of the two links is the same, the port priority and port ID are added together, and STP disables the link with the lowest value.
You can also create redundant links between switches by using EtherChannel port groups. For more information on creating port groups, see the "Creating EtherChannel Port Groups" section.
STP is enabled by default. Disable STP only if you are sure there are no loops in the network topology.
Caution: When STP is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.

Beginning in privileged EXEC mode, follow these steps to disable STP:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | no spanning-tree vlan stp-list | Disable STP on a VLAN. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
STP uses default values that can be reduced when configuring 2900 and 3500 XL switches in daisy-chained configurations. If an STP root switch is part of a cluster that is one switch from a daisy-chained stack, you can customize STP to reconverge more quickly after a switch failure. Figure 4-32 shows modular Catalyst 2900 XL and Catalyst 3500 XL switches in three daisy-chained clusters that use the GigaStack GBIC. Table 4-3 shows the default STP settings and those that are acceptable for these configurations.
| STP Parameter | STP Default (IEEE) | Acceptable for Option 1 | Acceptable for Option 2 | Acceptable for Option 3 |
|---|---|---|---|---|
| Hello Time | 2 | 1 | 1 | 1 |
| Max Age | 20 | 6 | 10 | 6 |
| Forwarding delay | 15 | 4 | 7 | 4 |

Enabling UplinkFast on all switches in the cluster can further reduce the time it takes cluster switches to begin forwarding after a new root switch is selected.
Note: If you have configured VLANs, each VLAN is a separate STP instance and needs to have its parameters changed. You can change all VLANs on a switch by using the stp-list parameter when you enter STP commands through the CLI. For more information, see the Cisco IOS Desktop Switching Command Reference available on Cisco Connection Online (CCO).
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 4-33 shows a complex network where distribution switches and access switches each have at least one redundant link that STP blocks to prevent loops.
If a switch loses connectivity, it begins using the alternate paths as soon as STP selects a new root port. When STP reconfigures the new root port, other ports flood the network with multicast packets, one for each address that was learned on the port. You can limit these bursts of multicast traffic by reducing the max-update-rate parameter (the default for this parameter is 150 packets per second). However, if you enter zero, station-learning frames are not generated, so the STP topology converges more slowly after a loss of connectivity.
STP UplinkFast is an enhancement that accelerates the choice of a new root port when a link or switch fails or when STP reconfigures itself. The root port transitions to the forwarding state immediately without going through the listening and learning states, as it would with normal STP procedures. UplinkFast is most useful in edge or access switches and might not be appropriate for backbone devices.
You can change STP parameters by using the UplinkFast tab of the Spanning Tree Protocol window or by using the CLI. The "Configuring the Spanning Tree Protocol" section describes the use of the Spanning Tree Protocol window.
To display this window, select Device>Spanning-Tree Protocol from the menu bar. Then click the UplinkFast tab.

When you enable UplinkFast, it is enabled for the entire switch and cannot be enabled for individual VLANs.
Beginning in privileged EXEC mode, follow these steps to configure UplinkFast:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree uplinkfast max-update-rate pkts-per-second | Enable UplinkFast on the switch. The range is from 0 to 1000 packets per second; the default is 150. If you set the rate to 0, station-learning frames are not generated, so the STP topology converges more slowly after a loss of connectivity. |
| Step 3 | exit | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entries. |
When UplinkFast is enabled, the bridge priority of all VLANs is set to 49152, and the path cost of all ports and VLAN trunks is increased by 3000. This change reduces the chance that the switch will become the root switch. When UplinkFast is disabled, the bridge priorities of all VLANs and path costs of all ports are set to default values.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
To change STP parameters for a VLAN, select Device>Spanning Tree Protocol from the menu bar, select the VLAN ID of the STP instance to change, and click Root Parameters.

In Figure 4-34, the parameters under the heading Current Spanning-Tree Root are read-only. The MAC Address field shows the MAC address of the switch currently acting as the root for each VLAN; the remaining parameters show the other STP settings for the root switch for each VLAN. The root switch is the switch with the highest priority and transmits topology frames to other switches in the spanning tree.
In the Spanning Tree Protocol window (Figure 4-35), you can change the root parameters for the VLANs on a selected switch. The following fields (Figure 4-35) define how your switch responds when STP reconfigures itself.
| Field | Description |
|---|---|
| Protocol | Implementation of STP to use. Select one of the menu items: IBM or IEEE. The default is IEEE. |
| Priority | Value used to identify the root switch. The switch with the lowest value has the highest priority and is selected as the root. Enter a number from 0 to 65535. |
| Max age | Number of seconds a switch waits without receiving STP configuration messages before attempting a reconfiguration. This parameter takes effect when a switch is operating as the root switch. Switches not acting as the root use the root-switch Max age parameter. Enter a number from 6 to 200. |
| Hello time | Number of seconds between the transmission of hello messages, which indicate that the switch is active. Switches not acting as a root switch use the root-switch Hello-time value. Enter a number from 1 to 10. |
| Forward delay | Number of seconds a port waits before changing from its STP learning and listening states to the forwarding state. This wait is necessary so that other switches on the network ensure no loop is formed before they allow the port to forward packets. Enter a number from 4 to 200. |
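Root-switch election by priority and MAC address, the parameter ranges given in the fields above, and the UplinkFast priority and path-cost adjustments described earlier in this section, as an added Python example. It is not switch code: the switch names, MAC addresses and link speeds are constructed, the per-speed default path costs are the ones the Path Cost field lists later in this chapter, and the default bridge priority of 32768 is the IEEE 802.1D default, which the page itself does not state.

```python
"""Model of STP root election, parameter ranges and UplinkFast adjustments.

Added example, not switch software. Switch names, MAC addresses and link speeds
are constructed; IEEE_DEFAULT_PRIORITY is an assumption taken from IEEE 802.1D.
"""

IEEE_DEFAULT_PRIORITY = 32768          # assumption: IEEE 802.1D default, not stated on the page
UPLINKFAST_PRIORITY = 49152            # bridge priority forced by UplinkFast
UPLINKFAST_COST_INCREMENT = 3000       # added to every port and trunk path cost
DEFAULT_PATH_COST = {10: 100, 100: 19, 155: 14, 1000: 4}   # Mbps -> cost (Path Cost field)

# Allowed ranges from the Root Parameters fields.
RANGES = {
    "priority": (0, 65535),
    "max-age": (6, 200),
    "hello-time": (1, 10),
    "forward-time": (4, 200),
}


def check_stp_parameter(name, value):
    """Return value if it lies in the documented range, else raise ValueError."""
    low, high = RANGES[name]
    if not low <= value <= high:
        raise ValueError(f"{name} {value} is outside {low}..{high}")
    return value


class Bridge:
    def __init__(self, name, mac, priority=IEEE_DEFAULT_PRIORITY, ports=()):
        self.name = name
        self.mac = mac.lower()
        self.priority = check_stp_parameter("priority", priority)
        self.port_speed = dict(ports)                      # port -> link speed in Mbps
        self.port_cost = {p: DEFAULT_PATH_COST[s] for p, s in self.port_speed.items()}
        self.uplinkfast = False

    def bridge_id(self):
        # Lower wins: priority first, MAC address breaks ties.
        return (self.priority, self.mac)

    def set_uplinkfast(self, enabled):
        if enabled == self.uplinkfast:
            return
        if enabled:
            self.priority = UPLINKFAST_PRIORITY
            for port in self.port_cost:
                self.port_cost[port] += UPLINKFAST_COST_INCREMENT
        else:
            # Disabling restores the default priority and per-speed default costs.
            self.priority = IEEE_DEFAULT_PRIORITY
            self.port_cost = {p: DEFAULT_PATH_COST[s] for p, s in self.port_speed.items()}
        self.uplinkfast = enabled


def elect_root(bridges):
    """The switch with the lowest (priority, MAC) pair becomes the root."""
    return min(bridges, key=Bridge.bridge_id)


def demo():
    access = Bridge("access-1", "0000.0C00.00AA", ports=[("Fa0/1", 100), ("Gi0/1", 1000)])
    dist = Bridge("dist-1", "0000.0c00.0001", ports=[("Gi0/1", 1000)])
    core = Bridge("core-1", "0000.0c00.00cc", priority=4096, ports=[("Gi0/1", 1000)])
    root_equal = elect_root([access, dist]).name        # equal priority: lower MAC wins
    root_prio = elect_root([access, dist, core]).name   # 4096 beats 32768
    access.set_uplinkfast(True)
    cost_up = dict(access.port_cost)                    # 19 -> 3019, 4 -> 3004
    access.set_uplinkfast(False)
    cost_down = dict(access.port_cost)                  # back to 19 and 4
    core.set_uplinkfast(True)                           # core now at 49152, least preferred
    root_after = elect_root([access, dist, core]).name
    daisy_chain = [check_stp_parameter(n, v)            # Option 1 values from Table 4-3
                   for n, v in (("hello-time", 1), ("max-age", 6), ("forward-time", 4))]
    return root_equal, root_prio, root_after, cost_up, cost_down, core.priority, daisy_chain


if __name__ == "__main__":
    print(demo())
```

Enabling UplinkFast on an access switch is what makes it safe: the forced priority of 49152 means a misconfigured edge switch cannot win the root election away from the distribution or core layer, which is why the text says the feature is meant for edge or access switches rather than backbone devices.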

Beginning in privileged EXEC mode, follow these steps to change the STP implementation. The stp-list is the list of VLANs to which the STP command applies.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree [vlan stp-list] protocol {ieee \| ibm} | Specify the STP implementation to be used for a spanning-tree instance. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the switch priority and affect which switch is the root switch. The stp-list is the list of VLANs to which the STP command applies.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree [vlan stp-list] priority bridge-priority | Configure the switch priority for the specified spanning-tree instance. Enter a number from 0 to 65535; the lower the number, the more likely the switch will be chosen as the root switch. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the BPDU message interval (max age time). The stp-list is the list of VLANs to which the STP command applies.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree [vlan stp-list] max-age seconds | Specify the interval between messages the spanning tree receives from the root switch. The maximum age is the number of seconds a switch waits without receiving STP configuration messages before attempting a reconfiguration. Enter a number from 6 to 200. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the hello BPDU interval (hello time). The stp-list is the list of VLANs to which the STP command applies.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree [vlan stp-list] hello-time seconds | Specify the interval between hello BPDUs. Hello messages indicate that the switch is active. Enter a number from 1 to 10. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the forwarding delay time. The stp-list is the list of VLANs to which the STP command applies.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | spanning-tree [vlan stp-list] forward-time seconds | Specify the forwarding time for the specified spanning-tree instance. The forward delay is the number of seconds a port waits before changing from its STP learning and listening states to the forwarding state. Enter a number from 4 to 200. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show spanning-tree | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The ports listed on this window (Figure 4-36) belong to the VLAN selected in the VLAN ID list above the table of parameters. To change STP port options, select Device>Spanning Tree Protocol from the menu bar, select the VLAN ID, and click Modify STP Parameters.
Use the following fields (Figure 4-36) to check the status of ports that are not forwarding due to STP:
| Field | Description |
|---|---|
| Port | The interface and port number. FastEthernet0/1 refers to port 1x. |
| State | The current state of the port. A port can be in one of the following states: |
| | Port is not participating in the frame-forwarding process and is not learning new addresses. |
| | Port is not participating in the frame-forwarding process, but is progressing towards a forwarding state. The port is not learning addresses. |
| | Port is not forwarding frames but is learning addresses. |
| | Port is forwarding frames and learning addresses. |
| | Port has been removed from STP operation. |
| | Port has no physical link. |
| | One end of the link is configured as an access port and the other end is configured as an 802.1Q trunk port. Or both ends of the link are configured as 802.1Q trunk ports but have different native VLAN IDs. |

The Port Fast feature brings a port directly from a blocking state into a forwarding state. This feature is useful when a connected server or workstation times out because its port is going through the normal cycle of STP status changes. The only time a port with Port Fast enabled goes through the normal cycle of STP status changes is when the switch is restarted.
To enable the Port Fast feature on the Port Configuration pop-up (Figure 4-37), select a row in the Port Parameters tab, and click Modify.
Caution Enabling this feature on a port connected to a switch or hub could prevent STP from detecting and disabling loops in your network, and this could cause broadcast storms and address-learning problems.

You can modify the following parameters and enable the Port Fast feature by selecting a row on the Port Parameters tab and clicking Modify.
| Port Fast | Enable to bring the port more quickly to an STP forwarding state. |
| Path Cost | A lower path cost represents higher-speed transmission. This can affect which port remains enabled in the event of a loop. Enter a number from 1 to 65535. The default is 100 for 10 Mbps, 19 for 100 Mbps, 14 for 155 Mbps (ATM), 4 for 1 Gbps, 2 for |
| Port Priority | Number used to set the priority for a port. A higher number has higher priority. Enter a number from 0 to 65535. |
Enabling this feature on a port connected to a switch or hub could prevent STP from detecting and disabling loops in your network. Beginning in privileged EXEC mode, follow these steps to enable the Port Fast feature:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | spanning-tree portfast | Enable the Port Fast feature for the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the path cost used in STP calculations. The stp-list is the list of VLANs to which the STP command applies.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | spanning-tree [vlan stp-list] cost cost | Configure the path cost for the specified spanning-tree instance. Enter a number from 1 to 65535. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to change the port priority, which is used when two switches tie for position as the root switch. The stp-list is the list of VLANs to which the STP command applies.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | spanning-tree [vlan stp-list] port-priority port-priority | Configure the port priority for a specified instance of STP. Enter a number from 0 to 255. The lower the number, the higher the priority. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entry. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, STP can reconfigure itself and select a customer switch as the STP root switch, as shown in Figure 4-38. You can avoid this possibility by configuring the root guard parameter on ports that connect to switches outside of your network. If a switch outside the network becomes the root switch, the port is blocked, and STP selects a new root switch.
Caution Misuse of this command can cause a loss of connectivity.

Root guard enabled on a port applies to all the VLANs that the port belongs to. Each VLAN has its own instance of STP.
Beginning in privileged EXEC mode, follow these steps to set root guard on a port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | spanning-tree rootguard | Enable root guard on the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify that the port is configured for root guard. |
Use the no version of the spanning-tree rootguard command to disable the root guard feature.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
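The root guard behavior described above (a superior BPDU from an outside switch blocks the guarded port instead of changing the root), as an added toy model that is not Cisco code. Bridge IDs, port names and the BPDU fields are simplified assumptions, and the Figure 4-38 scenario is constructed here.

```python
"""Toy model of STP root election on a service-provider edge switch, showing
what root guard does: a superior BPDU arriving on a guarded port blocks that
port instead of making the outside switch the root. Added example, not Cisco
code. Bridge IDs, port names and BPDU fields are simplified assumptions;
real STP also carries path cost, timers and a recovery delay."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int  # lower is better, as in STP
    mac: str       # tie-breaker, compared as a string here (simplification)

    def __lt__(self, other):
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass
class Port:
    name: str
    root_guard: bool = False   # spanning-tree rootguard configured on this port
    state: str = "forwarding"  # becomes "blocked" once root guard has fired


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId  # the bridge the sender believes is the root
    in_port: str       # port on which this switch received the BPDU


class Switch:
    def __init__(self, bridge_id, ports):
        self.bridge_id = bridge_id
        self.ports = {p.name: p for p in ports}
        self.root_id = bridge_id  # every bridge initially claims to be root

    def receive(self, bpdu):
        """Process one BPDU and return the receiving port's resulting state."""
        port = self.ports[bpdu.in_port]
        superior = bpdu.root_id < self.root_id
        if port.root_guard:
            # Root guard: a superior BPDU on a guarded port never changes the
            # root; the port is blocked until such BPDUs stop (simplified here
            # to "until a non-superior BPDU arrives on the port").
            port.state = "blocked" if superior else "forwarding"
            return port.state
        if superior:
            self.root_id = bpdu.root_id  # unguarded port: normal election
        return port.state


def customer_becomes_root(guard_on_port_to_customer):
    """Constructed scenario: SP edge switch, SP core as intended root, and a
    customer switch on Fa0/24 that advertises a better (lower) priority.
    Returns (customer elected root?, state of the port facing the customer)."""
    sp_edge = Switch(BridgeId(32768, "00:00:00:00:00:aa"),
                     [Port("Fa0/1"),
                      Port("Fa0/24", root_guard=guard_on_port_to_customer)])
    sp_core = BridgeId(8192, "00:00:00:00:00:01")   # intended root
    customer = BridgeId(4096, "00:00:00:00:00:ff")  # would win an open election
    sp_edge.receive(Bpdu(sp_core, "Fa0/1"))         # core accepted as root
    sp_edge.receive(Bpdu(customer, "Fa0/24"))       # customer's superior claim
    return sp_edge.root_id == customer, sp_edge.ports["Fa0/24"].state
```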
UniDirectional Link Detection (UDLD) is a Layer 2 protocol that detects and shuts down unidirectional links. You can configure UDLD on the entire switch or on an individual port.
Beginning in privileged EXEC mode, follow these steps to configure UDLD on a switch:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | udld enable | Enable UDLD. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify the entry by displaying the running configuration. |
Use the udld reset command to reset any port that has been shut down by UDLD.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Some applications require that no traffic be forwarded by the Layer 2 protocol between ports on the same switch. In such an environment, there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch, and traffic between ports on the same switch is forwarded through a Layer 3 device such as a router.
To meet this requirement, you can configure 2900 and 3500 XL ports as private VLAN edge ports. Private VLAN edge ports do not forward any traffic to private VLAN edge ports on the same switch. This means that all traffic passing between private VLAN edge ports---unicast, broadcast, and multicast---must be forwarded through a Layer 3 device. Private VLAN edge ports can forward any type of traffic to non-private VLAN edge ports, and they forward as usual to all ports on other switches.
Note There could be times when unknown unicast traffic from a non-private VLAN edge port is flooded to a private VLAN edge port because a MAC address has timed out or has not been learned by the switch. Use the port block command to guarantee that no unicast and multicast traffic is flooded to the port in such a case. See the "Configuring Flooding Controls" section for more information.
Beginning in privileged EXEC mode, follow these steps to define a port as a private VLAN edge port:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | port protected | Enable private VLAN edge port on the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show port protected | Verify that the port has private VLAN edge port enabled. |
Use the no version of the port protected command to disable private VLAN edge port.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The Terminal Access Controller Access Control System Plus (TACACS+) provides the means to manage network security (authentication, authorization, and accounting [AAA]) from a server. This section describes how TACACS+ works and how you can configure it. For complete syntax and usage information for the commands described in this chapter, refer to the Cisco IOS Release 12.0 Security Command Reference.
You can only configure this feature by using the CLI; you cannot configure it through the Cluster Management Suite.
In large enterprise networks, the task of administering passwords on each device can be simplified by centralizing user authentication on a server. TACACS+ is an access-control protocol that allows a switch to authenticate all login attempts through a central server. The network administrator configures the switch with the address of the TACACS+ server, and the switch and the server exchange messages to authenticate each user before allowing access to the management console.
TACACS+ consists of three services: authentication, authorization, and accounting. Authentication determines who the user is and whether or not the user is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage.
The TACACS+ feature is disabled by default. However, you can enable and configure it by using the CLI. You can access the CLI through the console port or through Telnet. To prevent a lapse in security, you cannot configure TACACS+ through a network-management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note Although the TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15.
Use the tacacs-server host command to specify the names of the IP host or hosts maintaining an AAA/TACACS+ server. On TACACS+ servers, you can configure the following additional options:
Beginning in privileged EXEC mode, follow these steps to configure the TACACS+ server:
| | Command | Purpose |
|---|---|---|
| Step 1 | tacacs-server host hostname [timeout seconds] [key key] | Define a TACACS+ host. Entering the timeout and key parameters with this command overrides the global values that you can enter with the tacacs-server timeout (Step 3) and the tacacs-server key commands (Step 5). |
| Step 2 | tacacs-server retransmit retries | Enter the number of times the server searches the list of TACACS+ servers before stopping. The default is two. |
| Step 3 | tacacs-server timeout seconds | Set the interval that the server waits for a TACACS+ server host to reply. The default is 5 seconds. |
| Step 4 | tacacs-server attempts count | Set the number of login attempts that can be made on the line. |
| Step 5 | tacacs-server key key | Define a set of encryption keys for all of TACACS+ and communication between the access server and the TACACS daemon. Repeat the command for each encryption key. |
| Step 6 | exit | Return to privileged EXEC mode. |
| Step 7 | show tacacs | Verify your entries. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Beginning in privileged EXEC mode, follow these steps to configure login authentication by using AAA/TACACS+:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | aaa new-model | Enable AAA/TACACS+. |
| Step 3 | aaa authentication login {default \| list-name} method1 [method2...] | Enable authentication at login, and create one or more lists of authentication methods. |
| Step 4 | line [aux \| console \| tty \| vty] line-number [ending-line-number] | Enter line configuration mode, and configure the lines to which you want to apply the authentication list. |
| Step 5 | login authentication {default \| list-name} | Apply the authentication list to a line or set of lines. |
| Step 6 | exit | Return to privileged EXEC mode. |
| Step 7 | show running-config | Verify your entries. |
The variable list-name is any character string used to name the list you are creating. The method variable refers to the actual methods the authentication algorithm tries, in the sequence entered. You can choose one of the following methods:
line | Uses the line password for authentication. You must define a line password before you can use this authentication method. Use the password password line configuration mode command. |
local | Uses the local username database for authentication. You must enter username information into the database. Use the username name password password global configuration command. |
tacacs+ | Uses TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method. For more information, see the "CLI: Configuring the TACACS+ Server Host" section. |
To create a default list that is used if no list is specified in the login authentication command, use the default keyword followed by the methods you want used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeed even if all methods return an error, specify none as the final method in the command line.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
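The method-list rules above (fall through only on an error, stop on a failure, and a trailing none that succeeds when everything before it errored) are easy to misread, so here is an added Python model of them together with a check over a constructed running-config for login lists that end in none. This is example code, not Cisco code; the Outcome values, the SAMPLE_CONFIG text and its host address are constructed for illustration.

```python
"""Model of how an aaa authentication login method list is evaluated:
the next method is consulted only when the previous one returns an ERROR
(for example a TACACS+ host that does not answer), never when it FAILS
(bad credentials), and a trailing 'none' makes login succeed when every
earlier method errored. Added example, not Cisco code; outcomes and the
sample configuration below are constructed."""
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"  # method accepted the credentials
    FAIL = "fail"        # method rejected the credentials
    ERROR = "error"      # method could not answer (server unreachable, etc.)


def evaluate_method_list(methods, responses):
    """Return (outcome, method that decided it).

    methods:   ordered list such as ["tacacs+", "local", "none"]
    responses: dict of method -> Outcome for this login attempt; 'none'
               needs no entry because it always succeeds."""
    for method in methods:
        if method == "none":
            return Outcome.SUCCESS, "none"
        result = responses.get(method, Outcome.ERROR)
        if result is Outcome.ERROR:
            continue               # error: try the next method in the list
        return result, method      # SUCCESS or FAIL ends the evaluation
    return Outcome.ERROR, None     # every method errored and no 'none' listed


# Constructed running-config excerpt using the commands from this section.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login REMOTE tacacs+ none
tacacs-server host 10.0.0.5
line con 0
 login authentication default
line vty 0 4
 login authentication REMOTE
"""


def parse_login_lists(config_text):
    """Map list-name -> methods and line (e.g. 'vty 0 4') -> list-name."""
    lists, lines, current_line = {}, {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if raw.startswith("aaa authentication login "):
            lists[parts[3]] = parts[4:]
        elif raw.startswith("line "):
            current_line = " ".join(parts[1:])
        elif raw.strip().startswith("login authentication ") and current_line:
            lines[current_line] = parts[2]
    return lists, lines


def fail_open_lines(config_text):
    """Lines whose applied method list ends in 'none': a login on them
    succeeds whenever all earlier methods error (fail-open)."""
    lists, lines = parse_login_lists(config_text)
    return sorted(ln for ln, name in lines.items()
                  if lists.get(name, [])[-1:] == ["none"])
```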
You can use the aaa authorization command with the tacacs+ keyword to set parameters that restrict a user's network access to Cisco IOS privilege mode (EXEC access) and to network services such as Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP) with Network Control Protocols (NCPs), and AppleTalk Remote Access (ARA).
The aaa authorization exec tacacs+ local command sets the following authorization parameters:
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for EXEC access and network services:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | aaa authorization network tacacs+ | Configure the switch for user TACACS+ authorization for all network-related service requests, including SLIP, PPP NCPs, and ARA protocols. |
| Step 3 | aaa authorization exec tacacs+ | Configure the switch for user TACACS+ authorization to determine if the user is allowed EXEC access. The exec keyword might return user profile information (such as autocommand information). |
| Step 4 | exit | Return to privileged EXEC mode. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
You use the aaa accounting command with the tacacs+ keyword to turn on TACACS+ accounting for each Cisco IOS privilege level and for network services.
Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | aaa accounting exec start-stop tacacs+ | Enable TACACS+ accounting to send a start-record accounting notice at the beginning of an EXEC process and a stop-record at the end. |
| Step 3 | aaa accounting network start-stop tacacs+ | Enable TACACS+ accounting for all network-related service requests, including SLIP, PPP, and PPP NCPs. |
| Step 4 | exit | Return to privileged EXEC mode. |
Note These commands are documented in the "Accounting and Billing Commands" chapter of the Cisco IOS Release 12.0 Security Command Reference.
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. Authentication and authorization are then handled by the switch. No accounting is available in this configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | aaa new-model | Enable AAA. |
| Step 3 | aaa authentication login default local | Set the login authentication to default to local. |
| Step 4 | aaa authorization exec local | Configure user AAA authorization to determine if the user is allowed to run an EXEC shell. |
| Step 5 | aaa authorization network local | Configure user AAA authorization for all network-related service requests, including SLIP, PPP NCPs, and ARA protocols. |
| Step 6 | username name password password privilege level | Enter a user into the local database. Repeat this command for each user. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The 2900 and 3500 XL switches can connect to a Cisco 7960 IP Phone and carry IP voice traffic. If necessary, the Catalyst 3524-PWR XL can supply electrical power to the circuit connecting it to the Cisco 7960 IP Phone.
Because the sound quality of an IP telephone call can deteriorate if the data is unevenly transmitted, this release of IOS supports quality of service (QoS) based on IEEE 802.1p class of service (CoS). QoS uses classification and scheduling to transmit network traffic from the switch in a predictable manner. The Cisco 7960 IP Phone itself is also a configurable device, and it can be configured to forward traffic with an 802.1p priority. You can use the CLI to configure the Catalyst 3524-PWR XL to honor or ignore a traffic priority assigned by a Cisco 7960 IP Phone.
The Cisco 7960 IP Phone contains an integrated 3-port 10/100 switch. The ports are dedicated to connecting the following devices:
Figure 4-39 shows one way to configure a Cisco 7960 IP Phone.

Before you configure a Catalyst 3524-PWR XL port to carry IP voice traffic, the port should be configured as an 802.1Q trunk and as a member of the voice VLAN (VVID).
See "Configuring a Trunk Port" section for instructions on configuring an 802.1Q trunk port.
Beginning in privileged EXEC mode, follow these steps to configure a port to instruct the phone to give voice traffic a higher priority and forward all traffic through the 802.1Q native VLAN.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | switchport voice vlan dot1p | Instruct the switch to use 802.1p priority tagging for voice traffic and to use VLAN 0 (default native VLAN) to carry all traffic. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show interface interface switchport | Verify the port configuration. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
The Catalyst 3524-PWR XL can supply inline power to the Cisco 7960 IP Phone if necessary. The Cisco 7960 IP Phone can also be connected to an AC power source and supply its own power to the voice circuit. When the Cisco 7960 IP Phone is supplying its own power, any 2900 or 3500 XL can forward IP voice traffic to and from the phone.
You can configure the switch to never supply power to the Cisco 7960 IP Phone and to disable the detection mechanism.
Beginning in privileged EXEC mode, follow these steps to configure a port to never supply power to Cisco 7960 IP Phones.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | power inline never | Permanently disable inline power on the port. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show power inline interface configured | Verify the change by displaying the setting as configured. |
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
A PC or other data device can connect to a port on the Cisco 7960 IP Phone. The PC can generate packets with a CoS value assigned, and there can be times when a network administrator would want to override that priority. You can use the Catalyst 3524-PWR XL CLI to override the priority of frames arriving on the phone port from connected devices. You can also set the phone port to accept (trust) the priority of frames arriving on the port.
Beginning in privileged EXEC mode, follow these steps to override the CoS priority setting received from the non-voice port on the Cisco 7960 IP Phone:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface | Enter interface configuration mode, and enter the port to be configured. |
| Step 3 | switchport priority extend cos 3 | Set the phone port to override the priority received from the PC or other attached device and forward the received data with a priority of 3. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show interface interface switchport | Verify the change by displaying the setting as configured. |
Use the no switchport priority extend command to return the port to its default setting.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
Posted: Wed May 3 17:20:44 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.