Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

Corporate Headquarters Cisco Systems, Inc.

170 West Tasman Drive San Jose, CA 95134-1706 USA

http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

Cisco IOS Release 12.1(22)EA5 July 2005

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide Copyright © 2001–2005 Cisco Systems, Inc. All rights reserved.

C O N T E N T S

Preface xxvii

Audience

Purpose

Conventions

Related Publications

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

C H A P T E R 1 Overview 1-1

Features

Ease of Use and Ease of Deployment

Performance

Manageability

Redundancy

VLAN Support

Security

Quality of Service and Class of Service

Monitoring

LRE Features (available only on Catalyst 2950 LRE switches)

Management Options

Management Interface Options

Advantages of Using Network Assistant and Clustering Switches

Small to Medium-Sized Network Configuration

Collapsed Backbone and Switch Cluster Configuration

Hotel Network Configuration

Service-Provider Central-Office Configuration

Large Campus Configuration

Multidwelling Network Using Catalyst 2950 Switches

Long-Distance, High-Bandwidth Transport Configuration

Where to Go Next

C H A P T E R 2 Using the Command-Line Interface 2-1

Cisco IOS Command Modes

Getting Help

Abbreviating Commands

Using no and default Forms of Commands

Understanding CLI Messages

Using Command History

Changing the Command History Buffer Size

Recalling Commands

Disabling the Command History Feature

Using Editing Features

Enabling and Disabling Editing Features

Editing Commands through Keystrokes

Editing Command Lines that Wrap

Searching and Filtering Output of show and more Commands

Accessing the CLI

C H A P T E R 3 Configuring Catalyst 2955 Switch Alarms 3-1

Understanding Catalyst 2955 Switch Alarms

Global Status Monitoring Alarms

FCS Error Hysteresis Threshold

Port Status Monitoring Alarms

Triggering Alarm Options

Configuring Catalyst 2955 Switch Alarms

Setting a Secondary Temperature Threshold for the Switch

Associating the Temperature Alarms to a Relay

Configuring the FCS Bit Error Rate Alarm

Setting the FCS Error Threshold

Setting the FCS Error Hysteresis Threshold

Configuring Alarm Profiles

Creating or Modifying an Alarm Profile

Attaching an Alarm Profile to a Specific Port

Enabling SNMP Traps

Displaying Catalyst 2955 Switch Alarms Status

C H A P T E R 4 Assigning the Switch IP Address and Default Gateway 4-1

Understanding the Boot Process

Assigning Switch Information

Default Switch Information

Understanding DHCP-Based Autoconfiguration

DHCP Client Request Process

Configuring DHCP-Based Autoconfiguration

DHCP Server Configuration Guidelines

Configuring the TFTP Server

Configuring the DNS

Configuring the Relay Device

Obtaining Configuration Files

Example Configuration

Manually Assigning IP Information

Checking and Saving the Running Configuration

Modifying the Startup Configuration

Default Boot Configuration

Automatically Downloading a Configuration File

Specifying the Filename to Read and Write the System Configuration

Booting Manually

Booting a Specific Software Image

Controlling Environment Variables

Scheduling a Reload of the Software Image

Configuring a Scheduled Reload

Displaying Scheduled Reload Information

C H A P T E R 5 Configuring IE2100 CNS Agents 5-1

Understanding IE2100 Series Configuration Registrar Software

CNS Configuration Service

CNS Event Service

NameSpace Mapper

What You Should Know About ConfigID, DeviceID, and Host Name

ConfigID

DeviceID

Host Name and DeviceID

Using Host Name, DeviceID, and ConfigID

Understanding CNS Embedded Agents

Initial Configuration

Incremental (Partial) Configuration

Synchronized Configuration

Configuring CNS Embedded Agents

Enabling Automated CNS Configuration

Enabling the CNS Event Agent

Enabling the CNS Configuration Agent

Enabling an Initial Configuration

Enabling a Partial Configuration

Displaying CNS Configuration

C H A P T E R 6 Clustering Switches 6-1

Understanding Switch Clusters

Clustering Overview

Cluster Command Switch Characteristics

Standby Command Switch Characteristics

Candidate Switch and Member Switch Characteristics

Using the CLI to Manage Switch Clusters

Catalyst 1900 and Catalyst 2820 CLI Considerations

Using SNMP to Manage Switch Clusters

C H A P T E R 7 Administering the Switch 7-1

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Configuring a System Name and Prompt

Default System Name and Prompt Configuration

Configuring a System Name

Understanding DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner

Managing the MAC Address Table

Building the Address Table

MAC Addresses and VLANs

Default MAC Address Table Configuration

Changing the Address Aging Time

Removing Dynamic Address Entries

Configuring MAC Address Notification Traps

Adding and Removing Static Address Entries

Configuring Unicast MAC Address Filtering

Displaying Address Table Entries

Managing the ARP Table

C H A P T E R 8 Configuring Switch-Based Authentication 8-1

Preventing Unauthorized Access to Your Switch

Protecting Access to Privileged EXEC Commands

Protecting Enable and Enable Secret Passwords with Encryption

Disabling Password Recovery

Setting a Telnet Password for a Terminal Line

Configuring Username and Password Pairs

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Changing the Default Privilege Level for Lines

Logging into and Exiting a Privilege Level

Controlling Switch Access with TACACS+

Understanding TACACS+

TACACS+ Operation

Configuring TACACS+

Default TACACS+ Configuration

Identifying the TACACS+ Server Host and Setting the Authentication Key

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Starting TACACS+ Accounting

Displaying the TACACS+ Configuration

Controlling Switch Access with RADIUS

Understanding RADIUS

RADIUS Operation

Configuring RADIUS

Default RADIUS Configuration

Identifying the RADIUS Server Host

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Starting RADIUS Accounting

Configuring Settings for All RADIUS Servers

Configuring the Switch to Use Vendor-Specific RADIUS Attributes

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Displaying the RADIUS Configuration

Configuring the Switch for Local Authentication and Authorization

Configuring the Switch for Secure Shell

Cryptographic Software Image Guidelines

Setting Up the Switch to Run SSH

Configuring the SSH Server

Displaying the SSH Configuration and Status

Configuring the Switch for Secure Copy Protocol

C H A P T E R 9 Configuring IEEE 802.1x Port-Based Authentication 9-1

Understanding IEEE 802.1x Port-Based Authentication

Device Roles

Authentication Initiation and Message Exchange

Ports in Authorized and Unauthorized States

IEEE 802.1x Accounting

IEEE 802.1x Accounting Attribute-Value Pairs

IEEE 802.1x Host Mode

Using IEEE 802.1x with Port Security

Using IEEE 802.1x with Voice VLAN Ports

Using IEEE 802.1x with VLAN Assignment

Using IEEE 802.1x with Guest VLAN

Using IEEE 802.1x with Wake-on-LAN

Unidirectional State

Bidirectional State

Configuring IEEE 802.1x Authentication

Default IEEE 802.1x Configuration

IEEE 802.1x Configuration Guidelines

Upgrading from a Previous Software Release

Enabling IEEE 802.1x Authentication

Configuring the Switch-to-RADIUS-Server Communication

Configuring IEEE 802.1x Authentication Using a RADIUS Server

Enabling Periodic Re-Authentication

Manually Re-Authenticating a Client Connected to a Port

Changing the Quiet Period

Changing the Switch-to-Client Retransmission Time

Setting the Switch-to-Client Frame-Retransmission Number

Configuring the Host Mode

Configuring a Guest VLAN

Resetting the IEEE 802.1x Configuration to the Default Values

Configuring IEEE 802.1x Authentication

Configuring IEEE 802.1x Accounting

C H A P T E R 10 Configuring Interface Characteristics 10-1

Understanding Interface Types

Access Ports

Trunk Ports

Port-Based VLANs

EtherChannel Port Groups

Connecting Interfaces

Using the Interface Command

Procedures for Configuring Interfaces

Configuring a Range of Interfaces

Configuring and Using Interface-Range Macros

Configuring Ethernet Interfaces

Default Ethernet Interface Configuration

Configuring Interface Speed and Duplex Mode

Configuration Guidelines

Setting the Interface Speed and Duplex Parameters on a Non-LRE Switch Port

Setting the Interface Speed and Duplex Parameters on an LRE Switch Port

Configuring Media Types for Gigabit Ethernet Interfaces on LRE Switches

Configuring IEEE 802.3z Flow Control on Gigabit Ethernet Ports

Adding a Description for an Interface

Configuring Loopback Detection

Monitoring and Maintaining the Interfaces

Monitoring Interface and Controller Status

Clearing and Resetting Interfaces and Counters

Shutting Down and Restarting the Interface

C H A P T E R 11 Configuring Smartports Macros 11-1

Understanding Smartports Macros

Configuring Smartports Macros

Default Smartports Macro Configuration

Smartports Macro Configuration Guidelines

Creating Smartports Macros

Applying Smartports Macros

Applying Cisco-Default Smartports Macros

C H A P T E R 12 Configuring LRE 12-1

Understanding LRE Features

Ports on the Catalyst 2950 LRE Switches

LRE Links and LRE Profiles

LRE Profiles

LRE Sequences

CPE Ethernet Links

LRE Link Monitor

LRE Message Logging Process

Configuring LRE Ports

Default LRE Configuration

Environmental Guidelines for LRE Links

Guidelines for Using LRE Profiles

CPE Ethernet Link Guidelines

Guidelines for Configuring Cisco 575 LRE CPEs and 576 LRE 997 CPEs

Guidelines for Configuring Cisco 585 LRE CPEs

Assigning a Global Profile to All LRE Ports

Assigning a Profile to a Specific LRE Port

Assigning a Global Sequence to All LRE Ports

Assigning a Sequence to a Specific LRE Port

Using Rate Selection to Automatically Assign Profiles

Precedence

Profile Locking

Link Qualification and SNR Margins

Configuring LRE Link Persistence

Configuring LRE Link Monitor

Configuring LRE Interleave

Configuring Upstream Power Back-Off

Configuring CPE Toggle

Configuring Syslog Export

Upgrading LRE Switch Firmware

Configuring for an LRE Upgrade

Performing an LRE Upgrade

Global Configuration of LRE Upgrades

Controller Configuration of LRE Upgrades

LRE Upgrade Details

LRE Upgrade Example

C H A P T E R 13 Configuring STP 13-1

Understanding Spanning-Tree Features

STP Overview

Spanning-Tree Topology and BPDUs

Bridge ID, Switch Priority, and Extended System ID

Spanning-Tree Interface States

Blocking State

Listening State

Learning State

Forwarding State

Disabled State

How a Switch or Port Becomes the Root Switch or Root Port

Spanning Tree and Redundant Connectivity

Spanning-Tree Address Management

Accelerated Aging to Retain Connectivity

Spanning-Tree Modes and Protocols

Supported Spanning-Tree Instances

Spanning-Tree Interoperability and Backward Compatibility

STP and IEEE 802.1Q Trunks

Configuring Spanning-Tree Features

Default Spanning-Tree Configuration

Spanning-Tree Configuration Guidelines

Changing the Spanning-Tree Mode

Disabling Spanning Tree

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring the Port Priority

Configuring the Path Cost

Configuring the Switch Priority of a VLAN

Configuring Spanning-Tree Timers

Configuring the Hello Time

Configuring the Forwarding-Delay Time for a VLAN

Configuring the Maximum-Aging Time for a VLAN

Configuring Spanning Tree for Use in a Cascaded Stack

C H A P T E R 14 Configuring MSTP 14-1

Understanding MSTP

Multiple Spanning-Tree Regions

IST, CIST, and CST

Operations Within an MST Region

Operations Between MST Regions

Hop Count

Boundary Ports

Interoperability with IEEE 802.1D STP

Understanding RSTP

Port Roles and the Active Topology

Rapid Convergence

Synchronization of Port Roles

Bridge Protocol Data Unit Format and Processing

Processing Superior BPDU Information

Processing Inferior BPDU Information

Topology Changes

Configuring MSTP Features

Default MSTP Configuration

MSTP Configuration Guidelines

Specifying the MST Region Configuration and Enabling MSTP

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring the Port Priority

Configuring the Path Cost

Configuring the Switch Priority

Configuring the Hello Time

Configuring the Forwarding-Delay Time

Configuring the Maximum-Aging Time

Configuring the Maximum-Hop Count

Specifying the Link Type to Ensure Rapid Transitions

Restarting the Protocol Migration Process

Displaying the MST Configuration and Status

C H A P T E R 15 Configuring Optional Spanning-Tree Features 15-1

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Understanding UplinkFast

Understanding Cross-Stack UplinkFast

How CSUF Works

Events that Cause Fast Convergence

Limitations

Connecting the Stack Ports

Understanding BackboneFast

Understanding EtherChannel Guard

Understanding Root Guard

Understanding Loop Guard

Configuring Optional Spanning-Tree Features

Default Optional Spanning-Tree Configuration

Optional Spanning-Tree Configuration Guidelines

Enabling Port Fast

Enabling BPDU Guard

Enabling BPDU Filtering

Enabling UplinkFast for Use with Redundant Links

Enabling Cross-Stack UplinkFast

Enabling BackboneFast

Enabling EtherChannel Guard

Enabling Root Guard

Enabling Loop Guard

Displaying the Spanning-Tree Status

C H A P T E R 16 Configuring VLANs 16-1

Understanding VLANs

Supported VLANs

VLAN Port Membership Modes

Configuring Normal-Range VLANs

Token Ring VLANs

Normal-Range VLAN Configuration Guidelines

VLAN Configuration Mode Options

VLAN Configuration in config-vlan Mode

VLAN Configuration in VLAN Configuration Mode

Configuring Extended-Range VLANs

Default VLAN Configuration

Extended-Range VLAN Configuration Guidelines

Creating an Extended-Range VLAN

Displaying VLANs

Configuring VLAN Trunks

Trunking Overview

IEEE 802.1Q Configuration Considerations

Default Layer 2 Ethernet Interface VLAN Configuration

Configuring an Ethernet Interface as a Trunk Port

Interaction with Other Features

Configuring a Trunk Port

Defining the Allowed VLANs on a Trunk

Changing the Pruning-Eligible List

Configuring the Native VLAN for Untagged Traffic

Load Sharing Using STP

Load Sharing Using STP Port Priorities

Load Sharing Using STP Path Cost

Configuring VMPS

Understanding VMPS

Dynamic Port VLAN Membership

VMPS Database Configuration File

Default VMPS Client Configuration

VMPS Configuration Guidelines

Configuring the VMPS Client

Entering the IP Address of the VMPS

Configuring Dynamic Access Ports on VMPS Clients

Reconfirming VLAN Memberships

Changing the Reconfirmation Interval

Changing the Retry Count

Monitoring the VMPS

Troubleshooting Dynamic Port VLAN Membership

VMPS Configuration Example

C H A P T E R 17 Configuring VTP 17-1

Understanding VTP

The VTP Domain

VTP Version 2

VTP Pruning

Configuring VTP

Default VTP Configuration

VTP Configuration Options

VTP Configuration in Global Configuration Mode

VTP Configuration in VLAN Configuration Mode

VTP Configuration Guidelines

Domain Names

Passwords

Upgrading from Previous Software Releases

VTP Version

Configuration Requirements

Configuring a VTP Server

Configuring a VTP Client

Disabling VTP (VTP Transparent Mode)

Enabling VTP Version 2

Enabling VTP Pruning

Adding a VTP Client Switch to a VTP Domain

Monitoring VTP

C H A P T E R 18 Configuring Voice VLAN 18-1

Understanding Voice VLAN

Configuring Voice VLAN

Default Voice VLAN Configuration

Voice VLAN Configuration Guidelines

Configuring a Port to Connect to a Cisco 7960 IP Phone

Configuring Ports to Carry Voice Traffic in IEEE 802.1Q Frames

Configuring Ports to Carry Voice Traffic in IEEE 802.1p Priority-Tagged Frames

Overriding the CoS Priority of Incoming Data Frames

Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames

Displaying Voice VLAN

19 Configuring DHCP Features 19-1

Configuring DHCP Features

Default DHCP Configuration

DHCP Snooping Configuration Guidelines

Configuring the DHCP Server

Enabling DHCP Snooping and Option 82

Displaying DHCP Information

C H A P T E R 20 Configuring IGMP Snooping and MVR 20-1

Understanding IGMP Snooping

IGMP Versions

Joining a Multicast Group

Leaving a Multicast Group

Immediate-Leave Processing

IGMP Configurable-Leave Timer

IGMP Leave Timer Guidelines

IGMP Report Suppression

IGMP Snooping Querier Configuration Guidelines and Restrictions

Source-Only Networks

Configuring IGMP Snooping

Default IGMP Snooping Configuration

Enabling or Disabling IGMP Snooping

Setting the Snooping Method

Configuring a Multicast Router Port

Configuring a Host Statically to Join a Group

Enabling IGMP Immediate-Leave Processing

Configuring the IGMP Leave Timer

Disabling IGMP Report Suppression

Disabling IP Multicast-Source-Only Learning

Configuring the Aging Time

Configuring the IGMP Snooping Querier

Displaying IGMP Snooping Information

Understanding Multicast VLAN Registration

Using MVR in a Multicast Television Application

Configuring MVR

Default MVR Configuration

MVR Configuration Guidelines and Limitations

Configuring MVR Global Parameters

Configuring IGMP Filtering and Throttling

Default IGMP Filtering and Throttling Configuration

Configuring IGMP Profiles

Applying IGMP Profiles

Setting the Maximum Number of IGMP Groups

Configuring the IGMP Throttling Action

Displaying IGMP Filtering and Throttling Configuration

C H A P T E R 21 Configuring Port-Based Traffic Control 21-1

Configuring Storm Control

Understanding Storm Control

Default Storm Control Configuration

Configuring Storm Control and Threshold Levels

Configuring Protected Ports

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Resuming Normal Forwarding on a Port

Configuring Port Security

Understanding Port Security

Secure MAC Addresses

Security Violations

Default Port Security Configuration

Port Security Configuration Guidelines

Enabling and Configuring Port Security

Enabling and Configuring Port Security Aging

Displaying Port-Based Traffic Control Settings

C H A P T E R 22 Configuring UDLD 22-1

Understanding UDLD

Modes of Operation

Methods to Detect Unidirectional Links

Configuring UDLD

Default UDLD Configuration

C H A P T E R 23 Configuring CDP 23-1

Understanding CDP

Configuring CDP

Default CDP Configuration

Configuring the CDP Characteristics

Disabling and Enabling CDP

Disabling and Enabling CDP on an Interface

Monitoring and Maintaining CDP

C H A P T E R 24 Configuring SPAN and RSPAN 24-1

Understanding SPAN and RSPAN

SPAN and RSPAN Concepts and Terminology

SPAN Session

Traffic Types

Source Port

Destination Port

Reflector Port

SPAN Traffic

SPAN and RSPAN Interaction with Other Features

SPAN and RSPAN Session Limits

Default SPAN and RSPAN Configuration

Configuring SPAN

SPAN Configuration Guidelines

Creating a SPAN Session and Specifying Ports to Monitor

Creating a SPAN Session and Enabling Ingress Traffic

Removing Ports from a SPAN Session

Configuring RSPAN

RSPAN Configuration Guidelines

Configuring a VLAN as an RSPAN VLAN

Creating an RSPAN Source Session

Creating an RSPAN Destination Session

Removing Ports from an RSPAN Session

Displaying SPAN and RSPAN Status

C H A P T E R 25 Configuring RMON 25-1

Understanding RMON

Configuring RMON

Configuring RMON Alarms and Events

Configuring RMON Collection on an Interface

Displaying RMON Status

C H A P T E R 26 Configuring System Message Logging 26-1

Understanding System Message Logging

Configuring System Message Logging

System Log Message Format

Default System Message Logging Configuration

Disabling and Enabling Message Logging

Setting the Message Display Destination Device

Synchronizing Log Messages

Enabling and Disabling Timestamps on Log Messages

Enabling and Disabling Sequence Numbers in Log Messages

Defining the Message Severity Level

Limiting Syslog Messages Sent to the History Table and to SNMP

Configuring UNIX Syslog Servers

Logging Messages to a UNIX Syslog Daemon

Configuring the UNIX System Logging Facility

Displaying the Logging Configuration

C H A P T E R 27 Configuring SNMP 27-1

Understanding SNMP

SNMP Versions

SNMP Manager Functions

SNMP Agent Functions

SNMP Community Strings

Using SNMP to Access MIB Variables

SNMP Notifications

Configuring SNMP

Default SNMP Configuration

SNMP Configuration Guidelines

Disabling the SNMP Agent

Configuring Community Strings

Displaying SNMP Status

C H A P T E R 28 Configuring Network Security with ACLs 28-1

Understanding ACLs

Handling Fragmented and Unfragmented Traffic

Understanding Access Control Parameters

Guidelines for Applying ACLs to Physical Interfaces

Configuring ACLs

Unsupported Features

Creating Standard and Extended IP ACLs

ACL Numbers

Creating a Numbered Standard ACL

Creating a Numbered Extended ACL

Creating Named Standard and Extended ACLs

Applying Time Ranges to ACLs

Including Comments About Entries in ACLs

Creating Named MAC Extended ACLs

Creating MAC Access Groups

Applying ACLs to Terminal Lines or Physical Interfaces

Applying ACLs to a Terminal Line

Applying ACLs to a Physical Interface

Displaying ACL Information

Displaying ACLs

Displaying Access Groups

Examples for Compiling ACLs

Numbered ACL Examples

Extended ACL Examples

Named ACL Example

Commented IP ACL Entry Examples

C H A P T E R 29 Configuring QoS 29-1

Understanding QoS

Basic QoS Model

Classification

Classification Based on QoS ACLs

Classification Based on Class Maps and Policy Maps

Policing and Marking

How Class of Service Works

Port Priority

Port Scheduling

Egress CoS Queues

Configuring Auto-QoS

Generated Auto-QoS Configuration

Effects of Auto-QoS on the Configuration

Configuration Guidelines

Upgrading from a Previous Software Release

Enabling Auto-QoS for VoIP

Displaying Auto-QoS Information

Auto-QoS Configuration Example

Configuring Standard QoS

Default Standard QoS Configuration

Configuration Guidelines

Configuring Classification Using Port Trust States

Configuring the Trust State on Ports within the QoS Domain

Configuring the CoS Value for an Interface

Configuring Trusted Boundary

Enabling Pass-Through Mode

Configuring a QoS Policy

Classifying Traffic by Using ACLs

Classifying Traffic by Using Class Maps

Classifying, Policing, and Marking Traffic by Using Policy Maps

Configuring CoS Maps

Configuring the CoS-to-DSCP Map

Configuring the DSCP-to-CoS Map

Configuring the Egress Queues

Configuring CoS Priority Queues

Configuring WRR Priority

Enabling the Expedite Queue and Configuring WRR Priority

Displaying Standard QoS Information

Standard QoS Configuration Examples

QoS Configuration for the Existing Wiring Closet

Understanding the Port Aggregation Protocol and Link Aggregation Protocol

PAgP and LACP Modes

Physical Learners and Aggregate-Port Learners

PAgP and LACP Interaction with Other Features

Understanding Load Balancing and Forwarding Methods

Configuring EtherChannels

Default EtherChannel Configuration

EtherChannel Configuration Guidelines

Configuring Layer 2 EtherChannels

Configuring EtherChannel Load Balancing

Configuring the PAgP Learn Method and Priority

Configuring the LACP Port Priority

Configuring Hot Standby Ports

Configuring the LACP System Priority

Displaying EtherChannel, PAgP, and LACP Status

C H A P T E R 31 Troubleshooting 31-1

Using Recovery Procedures

Recovering from a Software Failure

Recovering from Lost or Forgotten Passwords on Non-LRE Catalyst 2950 Switches

Recovering from Lost or Forgotten Passwords on Catalyst 2950 LRE Switches

Password Recovery with Password Recovery Enabled

Procedure with Password Recovery Disabled

Recovering from Lost or Forgotten Passwords on Catalyst 2955 Switches

Recovering from a Command Switch Failure

Replacing a Failed Command Switch with a Cluster Member

Replacing a Failed Command Switch with Another Switch

Recovering from Lost Member Connectivity

Preventing Autonegotiation Mismatches

GBIC and SFP Module Security and Identification

Diagnosing Connectivity Problems

Using Ping

Understanding Ping

Executing Ping

Using Layer 2 Traceroute

Understanding Layer 2 Traceroute

Usage Guidelines

Using Debug Commands

Enabling Debugging on a Specific Feature

Enabling All-System Diagnostics

Redirecting Debug and Error Message Output

Using the debug auto qos Command

Using the show controllers Commands

Using the crashinfo File

A P P E N D I X A Supported MIBs A-1

MIB List

Using FTP to Access the MIB Files

A P P E N D I X B Working with the Cisco IOS File System, Configuration Files, and Software Images B-1

Working with the Flash File System

Displaying Available File Systems

Setting the Default File System

Displaying Information about Files on a File System

Changing Directories and Displaying the Working Directory

Creating and Removing Directories

Copying Files

Deleting Files

Creating, Displaying, and Extracting tar Files

Creating a tar File

Displaying the Contents of a tar File

Extracting a tar File

Displaying the Contents of a File

Working with Configuration Files

Guidelines for Creating and Using Configuration Files

Configuration File Types and Location

Creating a Configuration File By Using a Text Editor

Copying Configuration Files By Using TFTP

Preparing to Download or Upload a Configuration File By Using TFTP

Downloading the Configuration File By Using TFTP

Uploading the Configuration File By Using TFTP

Preparing to Download or Upload a Configuration File By Using RCP

Downloading a Configuration File By Using RCP

Uploading a Configuration File By Using RCP

Clearing Configuration Information

Clearing the Startup Configuration File

Deleting a Stored Configuration File

Working with Software Images

Image Location on the Switch

tar File Format of Images on a Server or Cisco.com

Copying Image Files By Using TFTP

Preparing to Download or Upload an Image File By Using TFTP

Downloading an Image File By Using TFTP

Uploading an Image File By Using TFTP

Copying Image Files By Using FTP

Preparing to Download or Upload an Image File By Using FTP

Downloading an Image File By Using FTP

Uploading an Image File By Using FTP

Copying Image Files By Using RCP

Preparing to Download or Upload an Image File By Using RCP

Downloading an Image File By Using RCP

Uploading an Image File By Using RCP

IN D E X

Preface

Audience

This guide is for the networking professional managing the Catalyst 2950 and 2955 switches, hereafter referred to as the switches. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides the information you need to configure software features on your switch. The Catalyst 2950 switch is supported by either the standard software image (SI) or the enhanced software image (EI). The Catalyst 2955 and Catalyst 2950 Long-Reach Ethernet (LRE) switches are supported only by the EI.

The EI provides a richer set of features, including access control lists (ACLs), enhanced quality of service (QoS) features, extended-range VLANs, Remote Switched Port Analyzer (RSPAN), and unicast MAC address filtering. The cryptographic EI provides support for the Secure Shell Protocol (SSP). For a list of switches that support the SI and the EI, see Table 1-1 in Chapter 1, “Overview.”

The Catalyst 2955 switch also supports an additional set of features that are described in Chapter 3,

“Configuring Catalyst 2955 Switch Alarms.” The switch has facilities to process alarms related to the temperature, power supply conditions, and status of the Ethernet ports.

Use this guide with other documents for information about these topics:

• Requirements—This guide assumes that you have met the hardware and software requirements and cluster compatibility requirements described in the release notes.

• Start-up information—This guide assumes that you have assigned switch IP information and passwords by using the browser setup program described in the switch hardware installation guide.

• Embedded device manager and Network Assistant graphical user interfaces (GUIs)—This guide does not provide detailed information on the GUIs. However, the concepts in this guide are applicable to the GUI user. For information about the device manager, see the switch online help.

For information about Network Assistant, see the Getting Started with Cisco Network Assistant, available on Cisco.com.

• Cluster configuration—For information about planning for, creating, and maintaining switch clusters, see the Getting Started with Cisco Network Assistant, available on Cisco.com. For information about the clustering-related command-line interface (CLI) commands, see the command reference for this release.

• CLI command information—This guide provides an overview for using the CLI. For complete syntax and usage information about the commands that have been specifically created or changed for the switches, see the command reference for this release.

This guide provides procedures for using the commands that have been created or changed for use with the switch. It does not provide detailed information about these commands. For detailed information about these commands, see the command reference for this release.

This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard Cisco IOS Release 12.1 commands, see the Cisco IOS documentation set available from the Cisco.com home page at Service and Support >

Technical Documents. On the Cisco Product Documentation home page, select Release 12.1 from the Cisco IOS Software drop-down list.

This guide does not describe system messages you might encounter or how to install your switch. For this information, see the system message guide for this release and to the hardware installation guide.

For documentation updates, see the release notes for this release.

Conventions

This publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

• Commands and keywords are in boldface text.

• Arguments for which you supply values are in italic.

• Square brackets ([ ]) mean optional elements.

• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:

• Terminal sessions and system displays are in ^screen font.

• Information you enter is in boldface screen font.

• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and timesavers use these conventions and symbols:

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Caution Means reader be careful. In this situation, you might do something that could result equipment damage or loss of data.

Related Publications

These documents provide complete information about the switch and are available from this Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page Boilerplate 1.

• Release Notes for the Catalyst 2950 and Catalyst 2955 Switches (not orderable but available on Cisco.com)

Note Switch requirements and procedures for initial configurations and software upgrades tend to change and therefore appear only in the release notes. Before installing, configuring, or upgrading the switch, see the release notes on Cisco.com for the latest information.

For information about the switch, see these documents:

• Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide (order number DOC-7811380=)

• Catalyst 2950 and Catalyst 2955 Switch Command Reference (order number DOC-7811381=)

• Catalyst 2950 and Catalyst 2955 Switch System Message Guide (order number DOC-7814233=)

• Device manager online help (available on the switch)

• Catalyst 2950 Switch Hardware Installation Guide (not orderable but available on Cisco.com)

• Catalyst 2950 Switch Getting Started Guide (order number DOC-1786521=)

• Regulatory Compliance and Safety Information for the Catalyst 2950 Switch (order number DOC-7816625=)

• Catalyst 2955 Switch Hardware Installation Guide (order number DOC-7814944=) For information about related products, see these documents:

• Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

• Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)

• Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

• CWDM Passive Optical System Installation Note (not orderable but is available on Cisco.com)

• 1000BASE-T Gigabit Interface Converter Installation Notes (not orderable but is available on Cisco.com)

• Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)

• Cisco CWDM GBIC and CWDM SFP Installation Note (not orderable but available on Cisco.com)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.

The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML.

With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number

DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Cisco will continue to support documentation orders using the Ordering tool:

• Registered Cisco.com users (Cisco direct customers) can order documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

• Instructions for ordering documentation using the Ordering tool are at this URL:

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can send comments about Cisco documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering 170 West Tasman Drive

San Jose, CA 95134-9883 We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks:

• Report security vulnerabilities in Cisco products.

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

• Emergencies —security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

• Nonemergencies —psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htm The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources.

In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &

Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.

(S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55

USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

• Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

• Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

• World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

C H A P T E R

1

Overview

This chapter provides these topics about the Catalyst 2950 and Catalyst 2955 switch software:

• Features, page 1-1

• Management Options, page 1-9

• Network Configuration Examples, page 1-11

• Where to Go Next, page 1-24

Note In this document, IP refers to IP version 4 (IPv4). Layer 3 IP version 6 (IPv6) packets are treated as non-IP packets.

Features

The switch software supports the switches listed in Table 1-1 and in the release notes.

Table 1-1 Switches Supported

Switch Software Image

Catalyst 2950-12 SI¹

Catalyst 2950-24 SI

Catalyst 2950C-24 EI²

Catalyst 2950G-12-EI EI Catalyst 2950G-24-EI EI Catalyst 2950G-24-EI-DC EI Catalyst 2950G-48-EI EI Catalyst 2950ST-8 LRE EI Catalyst 2950ST-24 LRE EI Catalyst 2950ST-24 LRE 997 EI

Catalyst 2950SX-24 SI

Catalyst 2950SX-48-SI SI