Catalyst 2960 Switch Software Configuration Guide Cisco IOS Release 12.2(25)SED November 2005
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Customer Order Number: DOC-7816881= Text Part Number: 78-16881-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R) Catalyst 2960 Switch Software Configuration Guide Copyright © 2005 Cisco Systems, Inc. All rights reserved.
C O N T E N T S Preface
xxix
Audience Purpose
xxix xxix
Conventions
xxx
Related Publications
xxx
Obtaining Documentation xxxi Cisco.com xxxi Product Documentation DVD xxxii Ordering Documentation xxxii Documentation Feedback
xxxii
Cisco Product Security Overview xxxiii Reporting Security Problems in Cisco Products
xxxiii
Obtaining Technical Assistance xxxiv Cisco Technical Support & Documentation Website Submitting a Service Request xxxiv Definitions of Service Request Severity xxxv Obtaining Additional Publications and Information
CHAPTER
1
Overview
xxxiv
xxxv
1-1
Features 1-1 Ease-of-Use and Ease-of-Deployment Features Performance Features 1-3 Management Options 1-3 Manageability Features 1-4 Availability and Redundancy Features 1-5 VLAN Features 1-6 Security Features 1-6 QoS and CoS Features 1-7 Monitoring Features 1-8 Default Settings After Initial Switch Configuration
1-1
1-9
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
iii
Contents
Network Configuration Examples 1-11 Design Concepts for Using the Switch 1-11 Small to Medium-Sized Network Using Catalyst 2960 Switches Long-Distance, High-Bandwidth Transport Configuration 1-16 Where to Go Next
CHAPTER
2
1-14
1-17
Using the Command-Line Interface Understanding Command Modes Understanding the Help System
2-1 2-1 2-3
Understanding Abbreviated Commands
2-4
Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging
2-4
2-5
2-5
Using Command History 2-6 Changing the Command History Buffer Size 2-6 Recalling Commands 2-6 Disabling the Command History Feature 2-7 Using Editing Features 2-7 Enabling and Disabling Editing Features 2-7 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-9 Searching and Filtering Output of show and more Commands
2-10
Accessing the CLI 2-10 Accessing the CLI through a Console Connection or through Telnet
CHAPTER
3
Assigning the Switch IP Address and Default Gateway Understanding the Boot Process
2-10
3-1
3-1
Assigning Switch Information 3-2 Default Switch Information 3-3 Understanding DHCP-Based Autoconfiguration DHCP Client Request Process 3-3
3-3
Catalyst 2960 Switch Software Configuration Guide
iv
78-16881-02
Contents
Configuring DHCP-Based Autoconfiguration 3-4 DHCP Server Configuration Guidelines 3-5 Configuring the TFTP Server 3-5 Configuring the DNS 3-6 Configuring the Relay Device 3-6 Obtaining Configuration Files 3-7 Example Configuration 3-8 Manually Assigning IP Information 3-9 Checking and Saving the Running Configuration
3-10
Modifying the Startup Configuration 3-11 Default Boot Configuration 3-12 Automatically Downloading a Configuration File 3-12 Specifying the Filename to Read and Write the System Configuration Booting Manually 3-13 Booting a Specific Software Image 3-13 Controlling Environment Variables 3-14
3-12
Scheduling a Reload of the Software Image 3-15 Configuring a Scheduled Reload 3-16 Displaying Scheduled Reload Information 3-17
CHAPTER
4
Configuring IE2100 CNS Agents
4-1
Understanding IE2100 Series Configuration Registrar Software 4-1 CNS Configuration Service 4-2 CNS Event Service 4-3 NameSpace Mapper 4-3 What You Should Know About ConfigID, DeviceID, and Hostname ConfigID 4-3 DeviceID 4-4 Hostname and DeviceID 4-4 Using Hostname, DeviceID, and ConfigID 4-4
4-3
Understanding CNS Embedded Agents 4-5 Initial Configuration 4-5 Incremental (Partial) Configuration 4-6 Synchronized Configuration 4-6
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
v
Contents
Configuring CNS Embedded Agents 4-6 Enabling Automated CNS Configuration 4-6 Enabling the CNS Event Agent 4-8 Enabling the CNS Configuration Agent 4-9 Enabling an Initial Configuration 4-9 Enabling a Partial Configuration 4-12 Displaying CNS Configuration
CHAPTER
5
Clustering Switches
4-13
5-1
Understanding Switch Clusters 5-1 Cluster Command Switch Characteristics 5-3 Standby Cluster Command Switch Characteristics 5-3 Candidate Switch and Cluster Member Switch Characteristics
5-3
Planning a Switch Cluster 5-4 Automatic Discovery of Cluster Candidates and Members 5-4 Discovery Through CDP Hops 5-5 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs 5-6 Discovery Through Different Management VLANs 5-7 Discovery of Newly Installed Switches 5-8 HSRP and Standby Cluster Command Switches 5-9 Virtual IP Addresses 5-10 Other Considerations for Cluster Standby Groups 5-10 Automatic Recovery of Cluster Configuration 5-11 IP Addresses 5-12 Hostnames 5-12 Passwords 5-13 SNMP Community Strings 5-13 TACACS+ and RADIUS 5-13 LRE Profiles 5-14 Using the CLI to Manage Switch Clusters 5-14 Catalyst 1900 and Catalyst 2820 CLI Considerations Using SNMP to Manage Switch Clusters
5-6
5-14
5-15
Catalyst 2960 Switch Software Configuration Guide
vi
78-16881-02
Contents
CHAPTER
6
Administering the Switch
6-1
Managing the System Time and Date 6-1 Understanding the System Clock 6-1 Understanding Network Time Protocol 6-2 Configuring NTP 6-3 Default NTP Configuration 6-4 Configuring NTP Authentication 6-4 Configuring NTP Associations 6-5 Configuring NTP Broadcast Service 6-6 Configuring NTP Access Restrictions 6-8 Configuring the Source IP Address for NTP Packets 6-10 Displaying the NTP Configuration 6-11 Configuring Time and Date Manually 6-11 Setting the System Clock 6-11 Displaying the Time and Date Configuration 6-12 Configuring the Time Zone 6-12 Configuring Summer Time (Daylight Saving Time) 6-13 Configuring a System Name and Prompt 6-14 Default System Name and Prompt Configuration Configuring a System Name 6-15 Understanding DNS 6-15 Default DNS Configuration 6-16 Setting Up DNS 6-16 Displaying the DNS Configuration 6-17 Creating a Banner 6-17 Default Banner Configuration 6-17 Configuring a Message-of-the-Day Login Banner Configuring a Login Banner 6-18
6-15
6-18
Managing the MAC Address Table 6-19 Building the Address Table 6-20 MAC Addresses and VLANs 6-20 Default MAC Address Table Configuration 6-20 Changing the Address Aging Time 6-20 Removing Dynamic Address Entries 6-21 Configuring MAC Address Notification Traps 6-21 Adding and Removing Static Address Entries 6-23 Configuring Unicast MAC Address Filtering 6-24 Displaying Address Table Entries 6-26 Managing the ARP Table
6-26
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
vii
Contents
CHAPTER
7
Configuring SDM Templates
7-1
Understanding the SDM Templates
7-1
Configuring the Switch SDM Template 7-2 Default SDM Template 7-2 SDM Template Configuration Guidelines Setting the SDM Template 7-2 Displaying the SDM Templates
CHAPTER
8
7-2
7-3
Configuring Switch-Based Authentication
8-1
Preventing Unauthorized Access to Your Switch
8-1
Protecting Access to Privileged EXEC Commands 8-2 Default Password and Privilege Level Configuration 8-2 Setting or Changing a Static Enable Password 8-3 Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery 8-5 Setting a Telnet Password for a Terminal Line 8-6 Configuring Username and Password Pairs 8-6 Configuring Multiple Privilege Levels 8-7 Setting the Privilege Level for a Command 8-8 Changing the Default Privilege Level for Lines 8-9 Logging into and Exiting a Privilege Level 8-9
8-3
Controlling Switch Access with TACACS+ 8-10 Understanding TACACS+ 8-10 TACACS+ Operation 8-12 Configuring TACACS+ 8-12 Default TACACS+ Configuration 8-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 8-13 Configuring TACACS+ Login Authentication 8-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting 8-16 Displaying the TACACS+ Configuration 8-17
8-16
Catalyst 2960 Switch Software Configuration Guide
viii
78-16881-02
Contents
Controlling Switch Access with RADIUS 8-17 Understanding RADIUS 8-17 RADIUS Operation 8-19 Configuring RADIUS 8-19 Default RADIUS Configuration 8-20 Identifying the RADIUS Server Host 8-20 Configuring RADIUS Login Authentication 8-23 Defining AAA Server Groups 8-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 8-27 Starting RADIUS Accounting 8-28 Configuring Settings for All RADIUS Servers 8-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 8-29 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 8-30 Displaying the RADIUS Configuration 8-31 Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Secure Shell 8-33 Understanding SSH 8-33 SSH Servers, Integrated Clients, and Supported Versions Limitations 8-34 Configuring SSH 8-35 Configuration Guidelines 8-35 Setting Up the Switch to Run SSH 8-35 Configuring the SSH Server 8-36 Displaying the SSH Configuration and Status 8-37
8-32
8-33
Configuring the Switch for Secure Socket Layer HTTP 8-38 Understanding Secure HTTP Servers and Clients 8-38 Certificate Authority Trustpoints 8-38 CipherSuites 8-39 Configuring Secure HTTP Servers and Clients 8-40 Default SSL Configuration 8-40 SSL Configuration Guidelines 8-40 Configuring a CA Trustpoint 8-41 Configuring the Secure HTTP Server 8-42 Configuring the Secure HTTP Client 8-43 Displaying Secure HTTP Server and Client Status 8-44 Configuring the Switch for Secure Copy Protocol Information About Secure Copy 8-45
8-44
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
ix
Contents
CHAPTER
9
Configuring IEEE 802.1x Port-Based Authentication
9-1
Understanding IEEE 802.1x Port-Based Authentication 9-1 Device Roles 9-2 Authentication Initiation and Message Exchange 9-3 Ports in Authorized and Unauthorized States 9-4 IEEE 802.1x Accounting 9-5 IEEE 802.1x Accounting Attribute-Value Pairs 9-5 IEEE 802.1x Host Mode 9-6 Using IEEE 802.1x with Port Security 9-7 Using IEEE 802.1x with Voice VLAN Ports 9-8 Using IEEE 802.1x with VLAN Assignment 9-8 Using IEEE 802.1x with Guest VLAN 9-10 Using IEEE 802.1x with Restricted VLAN 9-10 Using IEEE 802.1x with Wake-on-LAN 9-11 Unidirectional State 9-11 Bidirectional State 9-12 Configuring IEEE 802.1x Authentication 9-12 Default IEEE 802.1x Configuration 9-12 IEEE 802.1x Configuration Guidelines 9-14 Configuring IEEE 802.1x Authentication 9-15 Configuring the Switch-to-RADIUS-Server Communication 9-16 Configuring IEEE 802.1x Authentication Using a RADIUS Server 9-17 Configuring Periodic Re-Authentication 9-18 Manually Re-Authenticating a Client Connected to a Port 9-19 Changing the Quiet Period 9-19 Changing the Switch-to-Client Retransmission Time 9-19 Setting the Switch-to-Client Frame-Retransmission Number 9-20 Setting the Re-Authentication Number 9-21 Configuring the Host Mode 9-21 Configuring a Guest VLAN 9-22 Configuring a Restricted VLAN 9-24 Resetting the IEEE 802.1x Configuration to the Default Values 9-25 Configuring IEEE 802.1x Accounting 9-25 Displaying IEEE 802.1x Statistics and Status
9-26
Catalyst 2960 Switch Software Configuration Guide
x
78-16881-02
Contents
CHAPTER
10
Configuring Interface Characteristics
10-1
Understanding Interface Types 10-1 Port-Based VLANs 10-2 Switch Ports 10-2 Access Ports 10-2 Trunk Ports 10-3 EtherChannel Port Groups 10-3 Dual-Purpose Uplink Ports 10-4 Connecting Interfaces 10-4 Using Interface Configuration Mode 10-4 Procedures for Configuring Interfaces 10-5 Configuring a Range of Interfaces 10-6 Configuring and Using Interface Range Macros
10-7
Configuring Ethernet Interfaces 10-9 Default Ethernet Interface Configuration 10-9 Configuring Interface Speed and Duplex Mode 10-10 Speed and Duplex Configuration Guidelines 10-10 Setting the Type of a Dual-Purpose Uplink Port 10-11 Setting the Interface Speed and Duplex Parameters 10-13 Configuring IEEE 802.3x Flow Control 10-14 Configuring Auto-MDIX on an Interface 10-15 Adding a Description for an Interface 10-16 Configuring the System MTU
10-16
Monitoring and Maintaining the Interfaces 10-18 Monitoring Interface Status 10-18 Clearing and Resetting Interfaces and Counters 10-19 Shutting Down and Restarting the Interface 10-19
CHAPTER
11
Configuring Smartports Macros
11-1
Understanding Smartports Macros
11-1
Configuring Smartports Macros 11-2 Default Smartports Macro Configuration 11-2 Smartports Macro Configuration Guidelines 11-3 Creating Smartports Macros 11-4 Applying Smartports Macros 11-5 Applying Cisco-Default Smartports Macros 11-6 Displaying Smartports Macros
11-8
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xi
Contents
CHAPTER
12
Configuring VLANs
12-1
Understanding VLANs 12-1 Supported VLANs 12-2 VLAN Port Membership Modes
12-3
Configuring Normal-Range VLANs 12-4 Token Ring VLANs 12-5 Normal-Range VLAN Configuration Guidelines 12-5 VLAN Configuration Mode Options 12-6 VLAN Configuration in config-vlan Mode 12-6 VLAN Configuration in VLAN Database Configuration Mode Saving VLAN Configuration 12-6 Default Ethernet VLAN Configuration 12-7 Creating or Modifying an Ethernet VLAN 12-8 Deleting a VLAN 12-9 Assigning Static-Access Ports to a VLAN 12-10 Configuring Extended-Range VLANs 12-11 Default VLAN Configuration 12-11 Extended-Range VLAN Configuration Guidelines Creating an Extended-Range VLAN 12-12 Displaying VLANs
12-6
12-12
12-13
Configuring VLAN Trunks 12-14 Trunking Overview 12-14 IEEE 802.1Q Configuration Considerations 12-15 Default Layer 2 Ethernet Interface VLAN Configuration 12-16 Configuring an Ethernet Interface as a Trunk Port 12-16 Interaction with Other Features 12-16 Configuring a Trunk Port 12-17 Defining the Allowed VLANs on a Trunk 12-18 Changing the Pruning-Eligible List 12-19 Configuring the Native VLAN for Untagged Traffic 12-19 Configuring Trunk Ports for Load Sharing 12-20 Load Sharing Using STP Port Priorities 12-20 Load Sharing Using STP Path Cost 12-22
Catalyst 2960 Switch Software Configuration Guide
xii
78-16881-02
Contents
Configuring VMPS 12-23 Understanding VMPS 12-24 Dynamic-Access Port VLAN Membership 12-24 Default VMPS Client Configuration 12-25 VMPS Configuration Guidelines 12-25 Configuring the VMPS Client 12-26 Entering the IP Address of the VMPS 12-26 Configuring Dynamic-Access Ports on VMPS Clients 12-26 Reconfirming VLAN Memberships 12-27 Changing the Reconfirmation Interval 12-27 Changing the Retry Count 12-28 Monitoring the VMPS 12-28 Troubleshooting Dynamic-Access Port VLAN Membership 12-29 VMPS Configuration Example 12-29
CHAPTER
13
Configuring VTP
13-1
Understanding VTP 13-1 The VTP Domain 13-2 VTP Modes 13-3 VTP Advertisements 13-3 VTP Version 2 13-4 VTP Pruning 13-4 Configuring VTP 13-6 Default VTP Configuration 13-6 VTP Configuration Options 13-7 VTP Configuration in Global Configuration Mode 13-7 VTP Configuration in VLAN Database Configuration Mode VTP Configuration Guidelines 13-8 Domain Names 13-8 Passwords 13-8 VTP Version 13-8 Configuration Requirements 13-9 Configuring a VTP Server 13-9 Configuring a VTP Client 13-11 Disabling VTP (VTP Transparent Mode) 13-12 Enabling VTP Version 2 13-13 Enabling VTP Pruning 13-14 Adding a VTP Client Switch to a VTP Domain 13-14 Monitoring VTP
13-7
13-16
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xiii
Contents
CHAPTER
14
Configuring Voice VLAN
14-1
Understanding Voice VLAN 14-1 Cisco IP Phone Voice Traffic 14-2 Cisco IP Phone Data Traffic 14-2 Configuring Voice VLAN 14-3 Default Voice VLAN Configuration 14-3 Voice VLAN Configuration Guidelines 14-3 Configuring a Port Connected to a Cisco 7960 IP Phone 14-4 Configuring Cisco IP Phone Voice Traffic 14-5 Configuring the Priority of Incoming Data Frames 14-6 Displaying Voice VLAN
CHAPTER
15
Configuring STP
14-6
15-1
Understanding Spanning-Tree Features 15-1 STP Overview 15-2 Spanning-Tree Topology and BPDUs 15-3 Bridge ID, Switch Priority, and Extended System ID 15-4 Spanning-Tree Interface States 15-4 Blocking State 15-6 Listening State 15-6 Learning State 15-6 Forwarding State 15-6 Disabled State 15-7 How a Switch or Port Becomes the Root Switch or Root Port 15-7 Spanning Tree and Redundant Connectivity 15-8 Spanning-Tree Address Management 15-8 Accelerated Aging to Retain Connectivity 15-8 Spanning-Tree Modes and Protocols 15-9 Supported Spanning-Tree Instances 15-9 Spanning-Tree Interoperability and Backward Compatibility 15-10 STP and IEEE 802.1Q Trunks 15-10 Configuring Spanning-Tree Features 15-10 Default Spanning-Tree Configuration 15-11 Spanning-Tree Configuration Guidelines 15-11 Changing the Spanning-Tree Mode. 15-13 Disabling Spanning Tree 15-14 Configuring the Root Switch 15-14 Configuring a Secondary Root Switch 15-16 Configuring Port Priority 15-16 Catalyst 2960 Switch Software Configuration Guide
xiv
78-16881-02
Contents
Configuring Path Cost 15-18 Configuring the Switch Priority of a VLAN 15-19 Configuring Spanning-Tree Timers 15-20 Configuring the Hello Time 15-20 Configuring the Forwarding-Delay Time for a VLAN 15-21 Configuring the Maximum-Aging Time for a VLAN 15-21 Configuring the Transmit Hold-Count 15-22 Displaying the Spanning-Tree Status
CHAPTER
16
Configuring MSTP
15-22
16-1
Understanding MSTP 16-2 Multiple Spanning-Tree Regions 16-2 IST, CIST, and CST 16-3 Operations Within an MST Region 16-3 Operations Between MST Regions 16-4 IEEE 802.1s Terminology 16-5 Hop Count 16-5 Boundary Ports 16-6 IEEE 802.1s Implementation 16-6 Port Role Naming Change 16-7 Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure 16-8 Interoperability with IEEE 802.1D STP 16-8
16-7
Understanding RSTP 16-8 Port Roles and the Active Topology 16-9 Rapid Convergence 16-10 Synchronization of Port Roles 16-11 Bridge Protocol Data Unit Format and Processing 16-12 Processing Superior BPDU Information 16-13 Processing Inferior BPDU Information 16-13 Topology Changes 16-13 Configuring MSTP Features 16-14 Default MSTP Configuration 16-14 MSTP Configuration Guidelines 16-15 Specifying the MST Region Configuration and Enabling MSTP Configuring the Root Switch 16-17 Configuring a Secondary Root Switch 16-18 Configuring Port Priority 16-19 Configuring Path Cost 16-20
16-16
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xv
Contents
Configuring the Switch Priority 16-21 Configuring the Hello Time 16-22 Configuring the Forwarding-Delay Time 16-23 Configuring the Maximum-Aging Time 16-23 Configuring the Maximum-Hop Count 16-24 Specifying the Link Type to Ensure Rapid Transitions Designating the Neighbor Type 16-25 Restarting the Protocol Migration Process 16-25 Displaying the MST Configuration and Status
CHAPTER
17
Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast 17-2 Understanding BPDU Guard 17-3 Understanding BPDU Filtering 17-3 Understanding UplinkFast 17-4 Understanding BackboneFast 17-5 Understanding EtherChannel Guard 17-7 Understanding Root Guard 17-8 Understanding Loop Guard 17-9
16-24
16-26
17-1 17-1
Configuring Optional Spanning-Tree Features 17-9 Default Optional Spanning-Tree Configuration 17-9 Optional Spanning-Tree Configuration Guidelines 17-10 Enabling Port Fast 17-10 Enabling BPDU Guard 17-11 Enabling BPDU Filtering 17-12 Enabling UplinkFast for Use with Redundant Links 17-13 Enabling BackboneFast 17-13 Enabling EtherChannel Guard 17-14 Enabling Root Guard 17-15 Enabling Loop Guard 17-15 Displaying the Spanning-Tree Status
17-16
Catalyst 2960 Switch Software Configuration Guide
xvi
78-16881-02
Contents
CHAPTER
18
Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Flex Links 18-1 MAC Address-Table Move Update 18-2 Configuring Flex Links and MAC Address-Table Move Update Configuration Guidelines 18-4 Default Configuration 18-4
18-1
18-1
18-4
Configuring Flex Links and MAC Address-Table Move Update 18-5 Configuring Flex Links 18-5 Configuring the MAC Address-Table Move Update Feature 18-5 Monitoring Flex Links and the MAC Address-Table Move Update
CHAPTER
19
Configuring DHCP Features
19-1
Understanding DHCP Features 19-1 DHCP Server 19-2 DHCP Relay Agent 19-2 DHCP Snooping 19-2 Option-82 Data Insertion 19-3 DHCP Snooping Binding Database
19-5
Configuring DHCP Features 19-6 Default DHCP Configuration 19-7 DHCP Snooping Configuration Guidelines 19-7 Configuring the DHCP Relay Agent 19-8 Enabling DHCP Snooping and Option 82 19-9 Enabling the Cisco IOS DHCP Server Database 19-10 Enabling the DHCP Snooping Binding Database Agent Displaying DHCP Snooping Information
CHAPTER
20
18-7
Configuring IGMP Snooping and MVR
19-10
19-11
20-1
Understanding IGMP Snooping 20-1 IGMP Versions 20-2 Joining a Multicast Group 20-3 Leaving a Multicast Group 20-5 Immediate Leave 20-5 IGMP Configurable-Leave Timer 20-5 IGMP Report Suppression 20-5
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xvii
Contents
Configuring IGMP Snooping 20-6 Default IGMP Snooping Configuration 20-6 Enabling or Disabling IGMP Snooping 20-7 Setting the Snooping Method 20-8 Configuring a Multicast Router Port 20-9 Configuring a Host Statically to Join a Group 20-10 Enabling IGMP Immediate Leave 20-10 Configuring the IGMP Leave Timer 20-11 Configuring TCN-Related Commands 20-12 Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode 20-12 Disabling Multicast Flooding During a TCN Event 20-13 Configuring the IGMP Snooping Querier 20-14 Disabling IGMP Report Suppression 20-15 Displaying IGMP Snooping Information
20-15
Understanding Multicast VLAN Registration 20-17 Using MVR in a Multicast Television Application Configuring MVR 20-19 Default MVR Configuration 20-19 MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters 20-20 Configuring MVR Interfaces 20-21 Displaying MVR Information
20-12
20-18
20-20
20-23
Configuring IGMP Filtering and Throttling 20-23 Default IGMP Filtering and Throttling Configuration 20-24 Configuring IGMP Profiles 20-24 Applying IGMP Profiles 20-25 Setting the Maximum Number of IGMP Groups 20-26 Configuring the IGMP Throttling Action 20-27 Displaying IGMP Filtering and Throttling Configuration
CHAPTER
21
Configuring Port-Based Traffic Control
20-28
21-1
Configuring Storm Control 21-1 Understanding Storm Control 21-1 Default Storm Control Configuration 21-3 Configuring Storm Control and Threshold Levels
21-3
Catalyst 2960 Switch Software Configuration Guide
xviii
78-16881-02
Contents
Configuring Protected Ports 21-5 Default Protected Port Configuration 21-5 Protected Port Configuration Guidelines 21-6 Configuring a Protected Port 21-6 Configuring Port Blocking 21-6 Default Port Blocking Configuration 21-6 Blocking Flooded Traffic on an Interface 21-7 Configuring Port Security 21-7 Understanding Port Security 21-8 Secure MAC Addresses 21-8 Security Violations 21-9 Default Port Security Configuration 21-10 Port Security Configuration Guidelines 21-10 Enabling and Configuring Port Security 21-11 Enabling and Configuring Port Security Aging 21-15 Displaying Port-Based Traffic Control Settings
CHAPTER
22
Configuring CDP
22-1
Understanding CDP
22-1
Configuring CDP 22-2 Default CDP Configuration 22-2 Configuring the CDP Characteristics 22-2 Disabling and Enabling CDP 22-3 Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP
CHAPTER
23
21-16
Configuring SPAN and RSPAN
22-4
22-4
23-1
Understanding SPAN and RSPAN 23-1 Local SPAN 23-2 Remote SPAN 23-2 SPAN and RSPAN Concepts and Terminology 23-3 SPAN Sessions 23-3 Monitored Traffic 23-4 Source Ports 23-5 Source VLANs 23-6 VLAN Filtering 23-6 Destination Port 23-6 RSPAN VLAN 23-7 SPAN and RSPAN Interaction with Other Features 23-8 Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xix
Contents
Configuring SPAN and RSPAN 23-9 Default SPAN and RSPAN Configuration 23-9 Configuring Local SPAN 23-9 SPAN Configuration Guidelines 23-10 Creating a Local SPAN Session 23-10 Creating a Local SPAN Session and Configuring Incoming Traffic 23-13 Specifying VLANs to Filter 23-14 Configuring RSPAN 23-15 RSPAN Configuration Guidelines 23-16 Configuring a VLAN as an RSPAN VLAN 23-16 Creating an RSPAN Source Session 23-17 Creating an RSPAN Destination Session 23-19 Creating an RSPAN Destination Session and Configuring Incoming Traffic Specifying VLANs to Filter 23-21 Displaying SPAN and RSPAN Status
CHAPTER
24
Configuring UDLD
23-22
24-1
Understanding UDLD 24-1 Modes of Operation 24-1 Methods to Detect Unidirectional Links Configuring UDLD 24-3 Default UDLD Configuration 24-4 Configuration Guidelines 24-4 Enabling UDLD Globally 24-5 Enabling UDLD on an Interface 24-5 Resetting an Interface Disabled by UDLD Displaying UDLD Status
CHAPTER
25
Configuring RMON
23-20
24-2
24-6
24-6
25-1
Understanding RMON
25-1
Configuring RMON 25-2 Default RMON Configuration 25-3 Configuring RMON Alarms and Events 25-3 Collecting Group History Statistics on an Interface 25-5 Collecting Group Ethernet Statistics on an Interface 25-5 Displaying RMON Status
25-6
Catalyst 2960 Switch Software Configuration Guide
xx
78-16881-02
Contents
CHAPTER
26
Configuring System Message Logging
26-1
Understanding System Message Logging
26-1
Configuring System Message Logging 26-2 System Log Message Format 26-2 Default System Message Logging Configuration 26-3 Disabling Message Logging 26-3 Setting the Message Display Destination Device 26-4 Synchronizing Log Messages 26-5 Enabling and Disabling Time Stamps on Log Messages 26-7 Enabling and Disabling Sequence Numbers in Log Messages 26-7 Defining the Message Severity Level 26-8 Limiting Syslog Messages Sent to the History Table and to SNMP 26-9 Configuring UNIX Syslog Servers 26-10 Logging Messages to a UNIX Syslog Daemon 26-10 Configuring the UNIX System Logging Facility 26-11 Displaying the Logging Configuration
CHAPTER
27
Configuring SNMP
26-12
27-1
Understanding SNMP 27-1 SNMP Versions 27-2 SNMP Manager Functions 27-3 SNMP Agent Functions 27-4 SNMP Community Strings 27-4 Using SNMP to Access MIB Variables 27-4 SNMP Notifications 27-5 SNMP ifIndex MIB Object Values 27-6 Configuring SNMP 27-6 Default SNMP Configuration 27-7 SNMP Configuration Guidelines 27-7 Disabling the SNMP Agent 27-8 Configuring Community Strings 27-8 Configuring SNMP Groups and Users 27-10 Configuring SNMP Notifications 27-12 Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP 27-16 SNMP Examples 27-16 Displaying SNMP Status
27-15
27-17
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxi
Contents
CHAPTER
28
Configuring Network Security with ACLs
28-1
Understanding ACLs 28-1 Port ACLs 28-2 Handling Fragmented and Unfragmented Traffic
28-3
Configuring IPv4 ACLs 28-4 Creating Standard and Extended IPv4 ACLs 28-5 Access List Numbers 28-6 Creating a Numbered Standard ACL 28-7 Creating a Numbered Extended ACL 28-8 Resequencing ACEs in an ACL 28-12 Creating Named Standard and Extended ACLs 28-12 Using Time Ranges with ACLs 28-14 Including Comments in ACLs 28-15 Applying an IPv4 ACL to a Terminal Line 28-16 Applying an IPv4 ACL to an Interface 28-16 Hardware and Software Treatment of IP ACLs 28-17 IPv4 ACL Configuration Examples 28-17 Numbered ACLs 28-18 Extended ACLs 28-18 Named ACLs 28-18 Time Range Applied to an IP ACL 28-19 Commented IP ACL Entries 28-19 Creating Named MAC Extended ACLs 28-19 Applying a MAC ACL to a Layer 2 Interface Displaying IPv4 ACL Configuration
CHAPTER
29
Configuring QoS
28-21
28-22
29-1
Understanding QoS 29-1 Basic QoS Model 29-3 Classification 29-5 Classification Based on QoS ACLs 29-7 Classification Based on Class Maps and Policy Maps Policing and Marking 29-8 Policing on Physical Ports 29-8 Mapping Tables 29-11
29-7
Catalyst 2960 Switch Software Configuration Guide
xxii
78-16881-02
Contents
Queueing and Scheduling Overview 29-12 Weighted Tail Drop 29-12 SRR Shaping and Sharing 29-13 Queueing and Scheduling on Ingress Queues 29-14 Queueing and Scheduling on Egress Queues 29-16 Packet Modification 29-18 Configuring Auto-QoS 29-19 Generated Auto-QoS Configuration 29-20 Effects of Auto-QoS on the Configuration 29-24 Auto-QoS Configuration Guidelines 29-24 Enabling Auto-QoS for VoIP 29-25 Auto-QoS Configuration Example 29-27 Displaying Auto-QoS Information
29-29
Configuring Standard QoS 29-29 Default Standard QoS Configuration 29-30 Default Ingress Queue Configuration 29-30 Default Egress Queue Configuration 29-31 Default Mapping Table Configuration 29-32 Standard QoS Configuration Guidelines 29-32 QoS ACL Guidelines 29-32 FPolicing Guidelines 29-32 General QoS Guidelines 29-33 Enabling QoS Globally 29-33 Configuring Classification Using Port Trust States 29-33 Configuring the Trust State on Ports within the QoS Domain 29-34 Configuring the CoS Value for an Interface 29-35 Configuring a Trusted Boundary to Ensure Port Security 29-36 Enabling DSCP Transparency Mode 29-37 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 29-38 Configuring a QoS Policy 29-40 Classifying Traffic by Using ACLs 29-41 Classifying Traffic by Using Class Maps 29-44 Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 29-46 Classifying, Policing, and Marking Traffic by Using Aggregate Policers 29-49
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxiii
Contents
Configuring DSCP Maps 29-51 Configuring the CoS-to-DSCP Map 29-52 Configuring the IP-Precedence-to-DSCP Map 29-53 Configuring the Policed-DSCP Map 29-54 Configuring the DSCP-to-CoS Map 29-55 Configuring the DSCP-to-DSCP-Mutation Map 29-56 Configuring Ingress Queue Characteristics 29-57 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 29-58 Allocating Buffer Space Between the Ingress Queues 29-59 Allocating Bandwidth Between the Ingress Queues 29-59 Configuring the Ingress Priority Queue 29-60 Configuring Egress Queue Characteristics 29-61 Configuration Guidelines 29-62 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set 29-62 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 29-64 Configuring SRR Shaped Weights on Egress Queues 29-66 Configuring SRR Shared Weights on Egress Queues 29-67 Configuring the Egress Expedite Queue 29-67 Limiting the Bandwidth on an Egress Interface 29-68 Displaying Standard QoS Information
CHAPTER
30
Configuring EtherChannels
29-69
30-1
Understanding EtherChannels 30-1 EtherChannel Overview 30-2 Port-Channel Interfaces 30-3 Port Aggregation Protocol 30-3 PAgP Modes 30-4 PAgP Interaction with Other Features 30-4 Link Aggregation Control Protocol 30-5 LACP Modes 30-5 LACP Interaction with Other Features 30-5 EtherChannel On Mode 30-6 Load Balancing and Forwarding Methods 30-6
Catalyst 2960 Switch Software Configuration Guide
xxiv
78-16881-02
Contents
Configuring EtherChannels 30-8 Default EtherChannel Configuration 30-8 EtherChannel Configuration Guidelines 30-9 Configuring Layer 2 EtherChannels 30-10 Configuring EtherChannel Load Balancing 30-12 Configuring the PAgP Learn Method and Priority 30-13 Configuring LACP Hot-Standby Ports 30-14 Configuring the LACP System Priority 30-15 Configuring the LACP Port Priority 30-15 Displaying EtherChannel, PAgP, and LACP Status
CHAPTER
31
Troubleshooting
30-16
31-1
Recovering from a Software Failure
31-2
Recovering from a Lost or Forgotten Password 31-3 Procedure with Password Recovery Enabled 31-4 Procedure with Password Recovery Disabled 31-6 Recovering from a Command Switch Failure 31-7 Replacing a Failed Command Switch with a Cluster Member 31-8 Replacing a Failed Command Switch with Another Switch 31-10 Recovering from Lost Cluster Member Connectivity Preventing Autonegotiation Mismatches SFP Module Security and Identification Monitoring SFP Module Status
31-11
31-11 31-12
31-13
Using Ping 31-13 Understanding Ping 31-13 Executing Ping 31-14 Using Layer 2 Traceroute 31-14 Understanding Layer 2 Traceroute 31-15 Usage Guidelines 31-15 Displaying the Physical Path 31-16 Using IP Traceroute 31-16 Understanding IP Traceroute 31-16 Executing IP Traceroute 31-17 Using TDR 31-18 Understanding TDR 31-18 Running TDR and Displaying the Results
31-18
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxv
Contents
Using Debug Commands 31-19 Enabling Debugging on a Specific Feature 31-19 Enabling All-System Diagnostics 31-20 Redirecting Debug and Error Message Output 31-20 Using the show platform forward Command
31-20
Using the crashinfo Files 31-22 Basic crashinfo Files 31-22 Extended crashinfo Files 31-23
APPENDIX
A
Supported MIBs MIB List
A-1
A-1
Using FTP to Access the MIB Files
APPENDIX
B
A-3
Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System B-1 Displaying Available File Systems B-2 Setting the Default File System B-3 Displaying Information about Files on a File System B-3 Changing Directories and Displaying the Working Directory Creating and Removing Directories B-4 Copying Files B-4 Deleting Files B-5 Creating, Displaying, and Extracting tar Files B-5 Creating a tar File B-5 Displaying the Contents of a tar File B-6 Extracting a tar File B-7 Displaying the Contents of a File B-7
B-1
B-3
Working with Configuration Files B-8 Guidelines for Creating and Using Configuration Files B-8 Configuration File Types and Location B-9 Creating a Configuration File By Using a Text Editor B-9 Copying Configuration Files By Using TFTP B-10 Preparing to Download or Upload a Configuration File By Using TFTP Downloading the Configuration File By Using TFTP B-10 Uploading the Configuration File By Using TFTP B-11
B-10
Catalyst 2960 Switch Software Configuration Guide
xxvi
78-16881-02
Contents
Copying Configuration Files By Using FTP B-12 Preparing to Download or Upload a Configuration File By Using FTP B-12 Downloading a Configuration File By Using FTP B-13 Uploading a Configuration File By Using FTP B-14 Copying Configuration Files By Using RCP B-15 Preparing to Download or Upload a Configuration File By Using RCP B-15 Downloading a Configuration File By Using RCP B-16 Uploading a Configuration File By Using RCP B-17 Clearing Configuration Information B-18 Clearing the Startup Configuration File B-18 Deleting a Stored Configuration File B-18 Working with Software Images B-18 Image Location on the Switch B-19 tar File Format of Images on a Server or Cisco.com B-19 Copying Image Files By Using TFTP B-20 Preparing to Download or Upload an Image File By Using TFTP B-21 Downloading an Image File By Using TFTP B-21 Uploading an Image File By Using TFTP B-23 Copying Image Files By Using FTP B-23 Preparing to Download or Upload an Image File By Using FTP B-24 Downloading an Image File By Using FTP B-25 Uploading an Image File By Using FTP B-27 Copying Image Files By Using RCP B-28 Preparing to Download or Upload an Image File By Using RCP B-28 Downloading an Image File By Using RCP B-29 Uploading an Image File By Using RCP B-31
APPENDIX
APPENDIX
C
D
Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch Configuration Compatibility Issues
C-1
Feature Behavior Incompatibilities
C-5
Unsupported Commands in Cisco IOS Release 12.2(25)SED
C-1
D-1
Access Control Lists D-1 Unsupported Privileged EXEC Commands D-1 Unsupported Global Configuration Commands D-1 Unsupported Route-Map Configuration Commands D-1 Debug Commands D-2 Unsupported Privileged EXEC Commands
D-2
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxvii
Contents
IGMP Snooping Commands D-2 Unsupported Global Configuration Commands
D-2
Interface Commands D-2 Unsupported Privileged EXEC Commands D-2 Unsupported Global Configuration Commands D-2 Unsupported Interface Configuration Commands D-2 MAC Address Commands D-2 Unsupported Privileged EXEC Commands D-2 Unsupported Global Configuration Commands D-3 Miscellaneous D-3 Unsupported Privileged EXEC Commands D-3 Unsupported Global Configuration Commands D-3 Network Address Translation (NAT) Commands D-3 Unsupported Privileged EXEC Commands D-3 QoS
D-4
Unsupported Global Configuration Commands D-4 Unsupported Interface Configuration Commands D-4 Unsupported Policy-Map Configuration Commands D-4 RADIUS D-4 Unsupported Global Configuration Commands
D-4
SNMP D-4 Unsupported Global Configuration Commands
D-4
Spanning Tree D-4 Unsupported Global Configuration Command D-4 Unsupported Interface Configuration Command D-5 VLAN D-5 Unsupported Global Configuration Commands Unsupported vlan-config Command D-5 Unsupported User EXEC Commands D-5 VTP
D-5
D-5
Unsupported Privileged EXEC Commands
D-5
INDEX
Catalyst 2960 Switch Software Configuration Guide
xxviii
78-16881-02
Preface Audience This guide is for the networking professional managing the Catalyst 2960 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose This guide provides the information that you need to configure Cisco IOS software features on your switch. The Catalyst 2960 software provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features. This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 2960 switch. It does not provide detailed information about these commands. For detailed information about these commands, see the Catalyst 2960 Switch Command Reference for this release. For information about the standard Cisco IOS Release 12.2 commands, see the Cisco IOS documentation set available from the Cisco.com home page at Technical Support & Documentation > Cisco IOS Software. This guide does not provide detailed information on the graphical user interfaces (GUIs) for the embedded device manager or for Cisco Network Assistant (hereafter referred to as Network Assistant) that you can use to manage the switch. However, the concepts in this guide are applicable to the GUI user. For information about the device manager, see the switch online help. For information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com This guide does not describe system messages you might encounter or how to install your switch. For more information, see the Catalyst 2960 Switch System Message Guide for this release and to the Catalyst 2960 Switch Hardware Installation Guide. For documentation updates, see the release notes for this release.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxix
Preface Conventions
Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: •
Commands and keywords are in boldface text.
•
Arguments for which you supply values are in italic.
•
Square brackets ([ ]) mean optional elements.
•
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
•
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions: •
Terminal sessions and system displays are in screen font.
•
Information you enter is in boldface
•
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
screen
font.
Notes, cautions, and timesavers use these conventions and symbols:
Note
Caution
Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Related Publications These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/index.htm
Note
Before installing, configuring, or upgrading the switch, see these documents: •
For initial configuration information, see the “Using Express Setup” chapter in the getting started guide or the “Configuring the Switch with the CLI-Based Setup Program” appendix in the hardware installation guide.
•
For device manager requirements, see the “System Requirements” section in the release notes (not orderable but available on Cisco.com).
•
For Network Assistant requirements, see the Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com).
Catalyst 2960 Switch Software Configuration Guide
xxx
78-16881-02
Preface Obtaining Documentation
•
For cluster requirements, see the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com).
•
For upgrading information, see the “Downloading Software” section in the release notes.
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxi. •
Release Notes for the Catalyst 3750, 3560, 2970, and 2960 Switches (not orderable but available on Cisco.com)
•
Catalyst 2960 Switch Software Configuration Guide (order number DOC-7816881=)
•
Catalyst 2960 Switch Command Reference (order number DOC-7816882=)
•
Catalyst 2960 Switch System Message Guide (order number DOC-7816883=)
•
Device manager online help (available on the switch)
•
Catalyst 2960 Switch Hardware Installation Guide (not orderable but available on Cisco.com)
•
Catalyst 2960 Switch Getting Started Guide (order number DOC-7816879=)
•
Regulatory Compliance and Safety Information for the Catalyst 2960 Switch (order number DOC-7816880=)
•
Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)
•
Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)
•
Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)
•
Cisco CWDM GBIC and CWDM SFP Installation Note (not orderable but available on Cisco.com)
•
Cisco RPS 300 Redundant Power System Hardware Installation Guide (order number DOC-7810372=)
•
Cisco RPS 675 Redundant Power System Hardware Installation Guide (order number DOC-7815201=)
Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/techsupport You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxxi
Preface Documentation Feedback
Product Documentation DVD Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/
Ordering Documentation Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at
[email protected] or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to
[email protected]. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Catalyst 2960 Switch Software Configuration Guide
xxxii
78-16881-02
Preface Cisco Product Security Overview
Cisco Product Security Overview Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks: •
Report security vulnerabilities in Cisco products.
•
Obtain assistance with security incidents that involve Cisco products.
•
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT: •
Emergencies —
[email protected] An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
•
Nonemergencies —
[email protected]
In an emergency, you can also reach PSIRT by telephone:
Tip
•
1 877 228-7302
•
1 408 525-6532
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html The link on this page has the current PGP key ID in use.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxxiii
Preface Obtaining Technical Assistance
Obtaining Technical Assistance Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447
Catalyst 2960 Switch Software Configuration Guide
xxxiv
78-16881-02
Preface Obtaining Additional Publications and Information
For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. •
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/
•
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com
•
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet
•
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine or view the digital edition at this URL: http://ciscoiq.texterity.com/ciscoiq/sample/
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
xxxv
Preface
•
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
•
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: http://www.cisco.com/en/US/products/index.html
•
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking
•
World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
Catalyst 2960 Switch Software Configuration Guide
xxxvi
78-16881-02
C H A P T E R
1
Overview This chapter provides these topics about the Catalyst 2960 switch software: •
Features, page 1-1
•
Default Settings After Initial Switch Configuration, page 1-9
•
Network Configuration Examples, page 1-11
•
Where to Go Next, page 1-17
In this document, IP refers to IP Version 4 (IPv4).
Features Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release. The switch has these features: •
Ease-of-Use and Ease-of-Deployment Features, page 1-1
•
Performance Features, page 1-3
•
Management Options, page 1-3
•
Manageability Features, page 1-4 (includes a feature requiring the cryptographic version of the software)
•
Availability and Redundancy Features, page 1-5
•
VLAN Features, page 1-6
•
Security Features, page 1-6 (includes a feature requiring the cryptographic version of the software)
•
QoS and CoS Features, page 1-7
•
Monitoring Features, page 1-8
Ease-of-Use and Ease-of-Deployment Features The switch ships with these features to make use and deployment easier:
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-1
Chapter 1
Overview
Features
•
Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.
•
User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
•
An embedded device manager GUI for configuring and monitoring a single switch through a web browser. For information about launching the device manager, see the getting started guide. For more information about the device manager, see the switch online help.
•
Cisco Network Assistant (hereafter referred to as Network Assistant) for – Managing communities, which are device groups like clusters, except that they can contain
routers and access points and can be made more secure. – Simplifying and minimizing switch and switch cluster management from anywhere in your
intranet. – Accomplishing multiple configuration tasks from a single graphical interface without needing
to remember command-line interface (CLI) commands to accomplish specific tasks. – Interactive guide mode that guides you in configuring complex features such as VLANs, ACLs,
and quality of service (QoS). – Configuration wizards that prompt you to provide only the minimum required information to
configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security. – Downloading an image to a switch. – Applying actions to multiple ports and multiple switches at the same time, such as VLAN and
QoS settings, inventory and statistic reports, link- and switch-level monitoring and troubleshooting, and multiple switch software upgrades. – Viewing a topology of interconnected devices to identify existing switch clusters and eligible
switches that can join a cluster and to identify link information between switches. – Monitoring real-time status of a switch or multiple switches from the LEDs on the front-panel
images. The system, redundant power system (RPS), and port LED colors on the images are similar to those used on the physical LEDs. •
Switch clustering technology for – Unified configuration, monitoring, authentication, and software upgrade of multiple,
cluster-capable switches, regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, small form-factor pluggable (SFP) modules, Gigabit Ethernet, and Gigabit EtherChannel connections. For a list of cluster-capable switches, see the release notes. – Automatic discovery of candidate switches and creation of clusters of up to 16 switches that can
be managed through a single IP address. – Extended discovery of cluster candidates that are not directly connected to the command switch.
Catalyst 2960 Switch Software Configuration Guide
1-2
78-16881-02
Chapter 1
Overview Features
Performance Features The switch ships with these performance features: •
Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth
•
Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100 and 10/100/1000 Mbps interfaces and on 10/100/1000 BASE-TX SFP module interface that enables the interface to automatically detect the required cable connection type (straight-through or crossover) and to configure the connection appropriately
•
Support for up to 9000 bytes for frames that are bridged in hardware and up to 2000 bytes for frames that are bridged by software
•
IEEE 802.3x flow control on all ports (the switch does not send pause frames)
•
EtherChannel for enhanced fault tolerance and for providing up to 8 Gbps (Gigabit EtherChannel) or 800 Mbps (Fast EtherChannel) full-duplex bandwidth among switches, routers, and servers
•
Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) for automatic creation of EtherChannel links
•
Forwarding of Layer 2 packets at Gigabit line rate
•
Per-port storm control for preventing broadcast, multicast, and unicast storms
•
Port blocking on forwarding unknown Layer 2 unknown unicast, multicast, and bridged broadcast traffic
•
Internet Group Management Protocol (IGMP) snooping for IGMP Versions 1, 2, and 3 for efficiently forwarding multimedia and multicast traffic
•
IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries)
•
IGMP snooping querier support to configure switch to generate periodic IGMP General Query messages
• •
Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons
•
IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong
•
IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
•
IGMP configurable leave timer to configure the leave latency for the network.
•
Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features
Management Options These are the options for configuring and managing the switch: •
An embedded device manager—The device manager is a GUI that is integrated in the software image. You use it to configure and to monitor a single switch. For information about launching the device manager, see the getting started guide. For more information about the device manager, see the switch online help.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-3
Chapter 1
Overview
Features
•
Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
•
CLI—The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station. For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.”
•
SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. You can manage from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four remote monitoring (RMON) groups. For more information about using SNMP, see Chapter 27, “Configuring SNMP.”
•
IE2100—Cisco Intelligence Engine 2100 Series Configuration Registrar is a network management device that works with embedded Cisco Networking Services (CNS) agents in the switch software. You can automate initial configurations and configuration updates by generating switch-specific configuration changes, sending them to the switch, executing the configuration change, and logging the results. For more information about IE2100, see Chapter 4, “Understanding CNS Embedded Agents.”
Manageability Features These are the manageability features: •
Cisco IE2100 Series CNS embedded agents for automating switch management, configuration storage, and delivery
•
DHCP for automating configuration of switch information (such as IP address, default gateway, hostname, and Domain Name System [DNS] and TFTP server names)
•
DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients
•
DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts
•
Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding hostname and to a TFTP server for administering software upgrades from a TFTP server
•
Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address
•
Unicast MAC address filtering to drop packets with specific source or destination MAC addresses
•
Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
•
Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
•
Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
•
Configuration logging to log and to view changes to the switch configuration
•
Unique device identifier to provide product identification information through a show inventory user EXEC command display
Catalyst 2960 Switch Software Configuration Guide
1-4
78-16881-02
Chapter 1
Overview Features
Note
•
In-band management access through the device manager over a Netscape Navigator or Microsoft Internet Explorer browser session
•
In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based sessions over the network
•
In-band management access for up to five simultaneous, encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (requires the cryptographic version of the software)
•
In-band management access through SNMP Versions 1, 2c, and 3 get and set requests
•
Out-of-band management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem
•
Secure Copy Protocol (SCP) feature to provide a secure and authenticated method for copying switch configuration or switch image files (requires the cryptographic version of the software)
For additional descriptions of the management interfaces, see the “Network Configuration Examples” section on page 1-11.
Availability and Redundancy Features These are the availability and redundancy features: •
UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
•
IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks. STP has these features: – Up to 128 spanning-tree instances supported – Per-VLAN spanning-tree plus (PVST+) for load balancing across VLANs – Rapid PVST+ for load balancing across VLANs and providing rapid convergence of
spanning-tree instances – UplinkFast and BackboneFast for fast convergence after a spanning-tree topology change and
for achieving load balancing between redundant uplinks, including Gigabit uplinks •
IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing and rapid per-VLAN Spanning-Tree plus (rapid-PVST+) based on the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) for rapid convergence of the spanning tree by immediately changing root and designated ports to the forwarding state
•
Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode: – Port Fast for eliminating the forwarding delay by enabling a port to immediately change from
the blocking state to the forwarding state – BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units
(BPDUs) – BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs – Root guard for preventing switches outside the network core from becoming the spanning-tree
root
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-5
Chapter 1
Overview
Features
– Loop guard for preventing alternate or root ports from becoming designated ports because of a
failure that leads to a unidirectional link •
Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy
•
RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability
VLAN Features These are the VLAN features: •
Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth
•
Support for VLAN IDs in the 1 to 4094 range as allowed by the IEEE 802.1Q standard
•
VLAN Query Protocol (VQP) for dynamic VLAN membership
•
IEEE 802.1Q trunking encapsulation on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources
•
Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (IEEE 802.1Q) to be used
•
VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic
•
Voice VLAN for creating subnets for voice traffic from Cisco IP Phones
•
VLAN1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received on the trunk. The switch CPU continues to send and receive control protocol frames.
Security Features The switch ships with these security features: •
Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, CLI) for protection against unauthorized configuration changes
•
Multilevel security for a choice of security level, notification, and resulting actions
•
Static MAC addressing for ensuring security
•
Protected port option for restricting the forwarding of traffic to designated ports on the same switch
•
Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
•
Port security aging to set the aging time for secure addresses on a port
•
BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
•
Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2 interfaces (port ACLs)
•
Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces
•
Source and destination MAC-based ACLs for filtering non-IP traffic
Catalyst 2960 Switch Software Configuration Guide
1-6
78-16881-02
Chapter 1
Overview Features
•
DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
•
IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported: – VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN – Port security for controlling access to IEEE 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port – Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users – Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do
not have the credentials to authenticate via the standard IEEE 802.1x processes – IEEE 802.1x accounting to track network usage – IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt
of a specific Ethernet frame •
TACACS+, a proprietary feature for managing network security through a TACACS server
•
RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services
•
SecureSocket Layer (SSL) Version 3.0 support for the HTTP1.1 server authentication, encryption, and message integrity, and HTTP client authentication to allow secure HTTP communications (requires the cryptographic version of the software)
QoS and CoS Features These are the QoS and CoS features: •
Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues
•
Classification – IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS
marking priorities on a per-port basis for protecting the performance of mission-critical applications – IP ToS/DSCP and IEEE 802.1p CoS marking based on flow-based packet classification
(classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port
bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value
received, and ensuring port security •
Policing – Traffic-policing policies on the switch port for managing how much of the port bandwidth
should be allocated to a specific traffic flow
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-7
Chapter 1
Overview
Features
– In Cisco IOS Release 12.2(25)SED and later, if you configure multiple class maps for a
hierarchical policy map, each class map can be associated with its own port-level (second-level) policy map. Each second-level policy map can have a different policer. – Aggregate policing for policing traffic flows in aggregate to restrict specific applications or
traffic flows to metered, predefined rates •
Out-of-Profile – Out-of-profile markdown for packets that exceed bandwidth utilization limits
•
Ingress queueing and scheduling – Two configurable ingress queues for user traffic (one queue can be the priority queue) – Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue
lengths and providing drop precedences for different traffic classifications – Shaped round robin (SRR) as the scheduling service for specifying the rate at which packets are
sent to the internal ring (sharing is the only supported mode on ingress queues) •
Egress queues and scheduling – Four egress queues per port – WTD as the congestion-avoidance mechanism for managing the queue lengths and providing
drop precedences for different traffic classifications – SRR as the scheduling service for specifying the rate at which packets are dequeued to the
egress interface (shaping or sharing is supported on egress queues). Shaped egress queues are guaranteed but limited to using a share of port bandwidth. Shared egress queues are also guaranteed a configured share of bandwidth, but can use more than the guarantee if other queues become empty and do not use their share of the bandwidth.
Monitoring Features These are the monitoring features: •
Switch LEDs that provide port- and switch-level status
•
MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed
•
Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN
•
SPAN and RSPAN support of Intrusion Detection Systems (IDS) to monitor, repel, and report network security violations
•
Four groups (history, statistics, alarms, and events) of embedded RMON agents for network monitoring and traffic analysis
•
Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
•
Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device
•
Time Domain Reflector (TDR) to diagnose and resolve cabling problems on 10/100 and 10/100/1000 copper Ethernet ports
•
SFP module diagnostic management interface to monitor physical or operational status of an SFP module
Catalyst 2960 Switch Software Configuration Guide
1-8
78-16881-02
Chapter 1
Overview Default Settings After Initial Switch Configuration
Default Settings After Initial Switch Configuration The switch is designed for plug-and-play operation, requiring only that you assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can change the interface-specific and system-wide settings.
Note
For information about assigning an IP address by using the browser-based Express Setup program, see the getting started guide. For information about assigning an IP address by using the CLI-based setup program, see the hardware installation guide. If you do not configure the switch at all, the switch operates with these default settings: •
Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 19, “Configuring DHCP Features.”
•
Default domain name is not configured. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.”
•
DHCP client is enabled, the DHCP server is enabled (only if the device acting as a DHCP server is configured and is enabled), and the DHCP relay agent is enabled (only if the device is acting as a DHCP relay agent is configured and is enabled). For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 19, “Configuring DHCP Features.”
•
Switch cluster is disabled. For more information about switch clusters, see Chapter 5, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
•
No passwords are defined. For more information, see Chapter 6, “Administering the Switch.”
•
System name and prompt is Switch. For more information, see Chapter 6, “Administering the Switch.”
•
NTP is enabled. For more information, see Chapter 6, “Administering the Switch.”
•
DNS is enabled. For more information, see Chapter 6, “Administering the Switch.”
•
TACACS+ is disabled. For more information, see Chapter 8, “Configuring Switch-Based Authentication.”
•
RADIUS is disabled. For more information, see Chapter 8, “Configuring Switch-Based Authentication.”
•
The standard HTTP server and Secure Socket Layer (SSL) HTTPS server are both enabled. For more information, see Chapter 8, “Configuring Switch-Based Authentication.”
•
IEEE 802.1x is disabled. For more information, see Chapter 9, “Configuring IEEE 802.1x Port-Based Authentication.”
•
Port parameters – Interface speed and duplex mode is autonegotiate. For more information, see Chapter 10,
“Configuring Interface Characteristics.” – Auto-MDIX is enabled. For more information, see Chapter 10, “Configuring Interface
Characteristics.” – Flow control is off. For more information, see Chapter 10, “Configuring Interface
Characteristics.” •
No Smartports macros are defined. For more information, see Chapter 11, “Configuring Smartports Macros.”
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-9
Chapter 1
Overview
Default Settings After Initial Switch Configuration
•
VLANs – Default VLAN is VLAN 1. For more information, see Chapter 12, “Configuring VLANs.” – VLAN trunking setting is dynamic auto (DTP). For more information, see Chapter 12,
“Configuring VLANs.” – Trunk encapsulation is negotiate. For more information, see Chapter 12, “Configuring
VLANs.” – VTP mode is server. For more information, see Chapter 13, “Configuring VTP.” – VTP version is Version 1. For more information, see Chapter 13, “Configuring VTP.” – Voice VLAN is disabled. For more information, see Chapter 14, “Configuring Voice VLAN.” •
For STP, PVST+ is enabled on VLAN 1. For more information, see Chapter 15, “Configuring STP.”
•
MSTP is disabled. For more information, see Chapter 16, “Configuring MSTP.”
•
Optional spanning-tree features are disabled. For more information, see Chapter 17, “Configuring Optional Spanning-Tree Features.”
•
Flex Links are not configured. For more information, see Chapter 18, “Configuring Flex Links and the MAC Address-Table Move Update Feature.”
•
DHCP snooping is disabled. The DHCP snooping information option is enabled. For more information, see Chapter 19, “Configuring DHCP Features.”
•
IGMP snooping is enabled. No IGMP filters are applied. For more information, see Chapter 20, “Configuring IGMP Snooping and MVR.”
•
IGMP throttling setting is deny. For more information, see Chapter 20, “Configuring IGMP Snooping and MVR.”
•
The IGMP snooping querier feature is disabled. For more information, see Chapter 20, “Configuring IGMP Snooping and MVR.”
•
MVR is disabled. For more information, see Chapter 20, “Configuring IGMP Snooping and MVR.”
•
Port-based traffic – Broadcast, multicast, and unicast storm control is disabled. For more information, see
Chapter 21, “Configuring Port-Based Traffic Control.” – No protected ports are defined. For more information, see Chapter 21, “Configuring Port-Based
Traffic Control.” – Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 21,
“Configuring Port-Based Traffic Control.” – No secure ports are configured. For more information, see Chapter 21, “Configuring Port-Based
Traffic Control.” •
CDP is enabled. For more information, see Chapter 22, “Configuring CDP.”
•
UDLD is disabled. For more information, see Chapter 24, “Configuring UDLD.”
•
SPAN and RSPAN are disabled. For more information, see Chapter 23, “Configuring SPAN and RSPAN.”
•
RMON is disabled. For more information, see Chapter 25, “Configuring RMON.”
•
Syslog messages are enabled and appear on the console. For more information, see Chapter 26, “Configuring System Message Logging.”
•
SNMP is enabled (Version 1). For more information, see Chapter 27, “Configuring SNMP.”
Catalyst 2960 Switch Software Configuration Guide
1-10
78-16881-02
Chapter 1
Overview Network Configuration Examples
•
No ACLs are configured. For more information, see Chapter 28, “Configuring Network Security with ACLs.”
•
QoS is disabled. For more information, see Chapter 29, “Configuring QoS.”
•
No EtherChannels are configured. For more information, see Chapter 30, “Configuring EtherChannels.”
Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections. •
“Design Concepts for Using the Switch” section on page 1-11
•
“Small to Medium-Sized Network Using Catalyst 2960 Switches” section on page 1-14
•
“Long-Distance, High-Bandwidth Transport Configuration” section on page 1-16
Design Concepts for Using the Switch As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use. Table 1-1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users. Table 1-1
Increasing Network Performance
Network Demands Too many users on a single network segment and a growing number of users accessing the Internet
•
Increased power of new PCs, workstations, and servers
•
High bandwidth demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)
Suggested Design Methods •
Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most.
•
Use full-duplex operation between the switch and its connected workstations.
•
Connect global resources—such as servers and routers to which the network users require equal access—directly to the high-speed switch ports so that they have their own high-speed segment.
•
Use the EtherChannel feature between the switch and its connected servers and routers.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-11
Chapter 1
Overview
Network Configuration Examples
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet them. Table 1-2
Providing Network Services
Network Demands
Suggested Design Methods •
Use IGMP snooping to efficiently forward multimedia and multicast traffic.
•
Use other QoS mechanisms such as packet classification, marking, scheduling, and congestion avoidance to classify traffic with the appropriate priority level, thereby providing maximum flexibility and support for mission-critical, unicast, and multicast and multimedia applications.
•
Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons.
High demand on network redundancy and availability to provide always on mission-critical applications
•
Use VLAN trunks and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
An evolving demand for IP telephony
•
Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
•
Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q. The switch supports at least four queues per port.
•
Use voice VLAN IDs (VVIDs) to provide separate VLANs for voice traffic.
Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications
A growing demand for using existing Use the Catalyst Long-Reach Ethernet (LRE) switches to provide up to 15 Mb of IP connectivity over existing infrastructure, such as existing telephone lines. infrastructure to transport data and voice from a home or office to the Note LRE is the technology used in the Catalyst 2900 LRE XL and Catalyst 2950 Internet or an intranet at higher LRE switches. See the documentation sets specific to these switches for LRE speeds information. •
You can use the switches to create the following:
•
Cost-effective Gigabit-to-the-desktop for high-performance workgroups (Figure 1-1)—For high-speed access to network resources, you can use Catalyst 2960 switches in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router. The first illustration is of an isolated high-performance workgroup, where the Catalyst 2960 switches are connected to Catalyst 3750 switches in the distribution layer. The second illustration is of a high-performance workgroup in a branch office, where the Catalyst 2960 switches are connected to a router in the distribution layer. Each switch in this configuration provides users with a dedicated 1-Gbps connection to network resources. Using SFP modules also provides flexibility in media and distance options through fiber-optic connections.
Catalyst 2960 Switch Software Configuration Guide
1-12
78-16881-02
Chapter 1
Overview Network Configuration Examples
Figure 1-1
High-Performance Workgroup (Gigabit-to-the-Desktop)
Catalyst 3750 switches
89373
Access-layer Catalyst switches
WAN
Cisco 2600 router
89374
Access-layer Catalyst switches
•
Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to multilayer switches with routing capability. The Gigabit interconnections minimize latency in the data flow. QoS and policing on the switches provide preferential treatment for certain data streams, if required. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to the switches, which have redundant Gigabit EtherChannels. Using dual SFP module uplinks from the switches provides redundant uplinks to the network core. Using SFP modules provides flexibility in media and distance options through fiber-optic connections.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-13
Chapter 1
Overview
Network Configuration Examples
Figure 1-2
Server Aggregation
Campus core Catalyst 6500 switches
Catalyst 3750 StackWise switch stacks
Server racks
89376
Access-layer Catalyst switches
Small to Medium-Sized Network Using Catalyst 2960 Switches Catalyst 3750 Redundant SFP StackWise switch stack module uplinks
EtherChannel across uplinks
Catalyst 3750 StackWise switch stack
86932
Campus core
Linux cluster parallelprocessing server farm 32-Gbps ring
Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses Catalyst 2960 switches with high-speed connections to two routers. This ensures connectivity to the Internet, WAN, and mission-critical network resources in case one of the routers fails. The switches are using EtherChannel for load sharing.
Catalyst 2960 Switch Software Configuration Guide
1-14
78-16881-02
Chapter 1
Overview Network Configuration Examples
The switches are connected to workstations, local servers, and IEEE 802.3af compliant and noncompliant powered devices (such as Cisco IP Phones). The server farm includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and Cisco IP Phone features and configuration. The switches are interconnected through Gigabit interfaces. This network uses VLANs to logically segment the network into well-defined broadcast groups and for security management. Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones are configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet. When an end station in one VLAN needs to communicate with an end station in another VLAN, a router routes the traffic to the destination VLAN. In this network, the routers are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network. In addition to inter-VLAN routing, the routers provide QoS mechanisms such as DSCP priorities to prioritize the different types of network traffic and to deliver high-priority traffic. If congestion occurs, QoS drops low-priority traffic to allow delivery of high-priority traffic. For prestandard and IEEE 802.3af-compliant powered devices connected to Catalyst PoE switches, IEEE 802.1p/Q QoS gives voice traffic forwarding-priority over data traffic. Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power. Cisco CallManager controls call processing, routing, and Cisco IP Phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data. The routers also provide firewall services, Network Address Translation (NAT) services, voice-over-IP (VoIP) gateway services, and WAN and Internet access.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-15
Chapter 1
Overview
Network Configuration Examples
Figure 1-3
Catalyst 2960 Switches in a Collapsed Backbone Configuration
Internet
Cisco 2600 or 3700 routers
IP Cisco IP phones
IP Workstations running Cisco SoftPhone software
Aironet wireless access points
101388
Gigabit servers
Long-Distance, High-Bandwidth Transport Configuration Figure 1-4 shows a configuration for sending 8 Gigabits of data over a single fiber-optic cable. The Catalyst 2960 switches have coarse wavelength-division multiplexing (CWDM) fiber-optic SFP modules installed. Depending on the CWDM SFP module, data is sent at wavelengths from 1470 to 1610 nm. The higher the wavelength, the farther the transmission can travel. A common wavelength used for long-distance transmissions is 1550 nm. The CWDM SFP modules connect to CWDM optical add/drop multiplexer (OADM) modules over distances of up to 393,701 feet (74.5 miles or 120 km). The CWDM OADM modules combine (or multiplex) the different CWDM wavelengths, allowing them to travel simultaneously on the same fiber-optic cable. The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note.
Catalyst 2960 Switch Software Configuration Guide
1-16
78-16881-02
Chapter 1
Overview Where to Go Next
Figure 1-4
Long-Distance, High-Bandwidth Transport Configuration
Access layer
Aggregation layer
CWDM OADM modules
Eight 1-Gbps connections
CWDM OADM modules
Catalyst 4500 multilayer switches
95750
8 Gbps
Catalyst switches
Where to Go Next Before configuring the switch, review these sections for startup information: •
Chapter 2, “Using the Command-Line Interface”
•
Chapter 3, “Assigning the Switch IP Address and Default Gateway”
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
1-17
Chapter 1
Overview
Where to Go Next
Catalyst 2960 Switch Software Configuration Guide
1-18
78-16881-02
C H A P T E R
2
Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2960 switch. It contains these sections: •
Understanding Command Modes, page 2-1
•
Understanding the Help System, page 2-3
•
Understanding Abbreviated Commands, page 2-4
•
Understanding no and default Forms of Commands, page 2-4
•
Understanding CLI Error Messages, page 2-5
•
Using Configuration Logging, page 2-5
•
Using Command History, page 2-6
•
Using Editing Features, page 2-7
•
Searching and Filtering Output of show and more Commands, page 2-10
•
Accessing the CLI, page 2-10
Understanding Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots. To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode. Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-1
Chapter 2
Using the Command-Line Interface
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch. Table 2-1
Command Mode Summary
Mode
Access Method
Prompt
Exit Method
About This Mode
User EXEC
Begin a session with your switch.
Switch>
Enter logout or quit.
Use this mode to •
Change terminal settings.
•
Perform basic tests.
•
Display system information.
Privileged EXEC
While in user EXEC mode, enter the enable command.
Switch#
Enter disable to exit.
Global configuration
While in privileged EXEC mode, enter the configure command.
Switch(config)#
To exit to privileged Use this mode to configure EXEC mode, enter parameters that apply to the exit or end, or press entire switch. Ctrl-Z.
Config-vlan
While in global configuration mode, enter the vlan vlan-id command.
Switch(config-vlan)#
To exit to global configuration mode, enter the exit command.
While in privileged EXEC mode, enter the vlan database command.
Switch(vlan)#
VLAN configuration
To return to privileged EXEC mode, press Ctrl-Z or enter end.
Use this mode to verify commands that you have entered. Use a password to protect access to this mode.
Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.
To exit to privileged Use this mode to configure EXEC mode, enter VLAN parameters for VLANs exit. 1 to 1005 in the VLAN database.
Catalyst 2960 Switch Software Configuration Guide
2-2
78-16881-02
Chapter 2
Using the Command-Line Interface Understanding the Help System
Table 2-1
Command Mode Summary (continued)
Mode
Access Method
Prompt
Exit Method
Interface configuration
While in global configuration mode, enter the interface command (with a specific interface).
Switch(config-if)#
Use this mode to configure To exit to global configuration mode, parameters for the Ethernet ports. enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode
For information about defining interfaces, see the “Using Interface Configuration Mode” section on page 10-4. To configure multiple interfaces with the same parameters, see the “Configuring a Range of Interfaces” section on page 10-6.
Line configuration
While in global configuration mode, specify a line with the line vty or line console command.
Switch(config-line)#
Use this mode to configure To exit to global configuration mode, parameters for the terminal line. enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
For more detailed information on the command modes, see the command reference guide for this release.
Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2. Table 2-2
Help Summary
Command
Purpose
help
Obtain a brief description of the help system in any command mode.
abbreviated-command-entry?
Obtain a list of commands that begin with a particular character string. For example: Switch# di? dir disable disconnect
abbreviated-command-entry
Complete a partial command name. For example: Switch# sh conf Switch# show configuration
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-3
Chapter 2
Using the Command-Line Interface
Understanding Abbreviated Commands
Table 2-2
Help Summary (continued)
Command
Purpose
?
List all commands available for a particular command mode. For example: Switch> ?
command ?
List the associated keywords for a command. For example: Switch> show ?
command keyword ?
List the associated arguments for a keyword. For example: Switch(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet
Understanding Abbreviated Commands You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf
Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
Catalyst 2960 Switch Software Configuration Guide
2-4
78-16881-02
Chapter 2
Using the Command-Line Interface Understanding CLI Error Messages
Understanding CLI Error Messages Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. Table 2-3
Common CLI Error Messages
Error Message
Meaning
How to Get Help
% Ambiguous command: "show con"
You did not enter enough characters for your switch to recognize the command.
Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.
% Incomplete command.
You did not enter all the keywords or Re-enter the command followed by a question mark (?) values required by this command. with a space between the command and the question mark. The possible keywords that you can enter with the command appear.
% Invalid input detected at ‘^’ marker.
You entered the command incorrectly. The caret (^) marks the point of the error.
Enter a question mark (?) to display all the commands that are available in this command mode. The possible keywords that you can enter with the command appear.
Using Configuration Logging Beginning with Cisco IOS Release 12.2(25)SED, you can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command. This feature includes a mechanism for asynchronous notification to registered applications whenever the configuration changes. You can choose to have the notifications sent to the syslog. For more information, see the Configuration Change Notification and Logging feature module at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/ gtconlog.htm
Note
Only CLI or HTTP changes are logged.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-5
Chapter 2
Using the Command-Line Interface
Using Command History
Using Command History The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs as described in these sections: •
Changing the Command History Buffer Size, page 2-6 (optional)
•
Recalling Commands, page 2-6 (optional)
•
Disabling the Command History Feature, page 2-7 (optional)
Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history
[size number-of-lines]
The range is from 0 to 256. Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history
[size number-of-lines]
The range is from 0 to 256.
Recalling Commands To recall commands from the history buffer, perform one of the actions listed in Table 2-4. These actions are optional. Table 2-4
Recalling Commands
Action1
Result
Press Ctrl-P or the up arrow key.
Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Press Ctrl-N or the down arrow key.
Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
show history
While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Catalyst 2960 Switch Software Configuration Guide
2-6
78-16881-02
Chapter 2
Using the Command-Line Interface Using Editing Features
Disabling the Command History Feature The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Using Editing Features This section describes the editing features that can help you manipulate the command line. It contains these sections: •
Enabling and Disabling Editing Features, page 2-7 (optional)
•
Editing Commands through Keystrokes, page 2-7 (optional)
•
Editing Command Lines that Wrap, page 2-9 (optional)
Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch (config-line)# no editing
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: Switch# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# editing
Editing Commands through Keystrokes Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional. Table 2-5
Editing Commands through Keystrokes
Capability
Keystroke1
Move around the command line to make changes or corrections.
Press Ctrl-B, or press the Move the cursor back one character. left arrow key.
Purpose
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-7
Chapter 2
Using the Command-Line Interface
Using Editing Features
Table 2-5
Editing Commands through Keystrokes (continued)
Capability
Keystroke1
Purpose
Press Ctrl-F, or press the right arrow key.
Move the cursor forward one character.
Press Ctrl-A.
Move the cursor to the beginning of the command line.
Press Ctrl-E.
Move the cursor to the end of the command line.
Press Esc B.
Move the cursor back one word.
Press Esc F.
Move the cursor forward one word.
Press Ctrl-T.
Transpose the character to the left of the cursor with the character located at the cursor.
Recall commands from the buffer and Press Ctrl-Y. paste them in the command line. The switch provides a buffer with the last ten items that you deleted. Press Esc Y.
Recall the most recent entry in the buffer.
Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
Delete entries if you make a mistake Press the Delete or or change your mind. Backspace key.
Capitalize or lowercase words or capitalize a set of letters.
Erase the character to the left of the cursor.
Press Ctrl-D.
Delete the character at the cursor.
Press Ctrl-K.
Delete all characters from the cursor to the end of the command line.
Press Ctrl-U or Ctrl-X.
Delete all characters from the cursor to the beginning of the command line.
Press Ctrl-W.
Delete the word to the left of the cursor.
Press Esc D.
Delete from the cursor to the end of the word.
Press Esc C.
Capitalize at the cursor.
Press Esc L.
Change the word at the cursor to lowercase.
Press Esc U.
Capitalize letters from the cursor to the end of the word.
Designate a particular keystroke as Press Ctrl-V or Esc Q. an executable command, perhaps as a shortcut.
Catalyst 2960 Switch Software Configuration Guide
2-8
78-16881-02
Chapter 2
Using the Command-Line Interface Using Editing Features
Table 2-5
Editing Commands through Keystrokes (continued)
Capability
Keystroke1
Purpose
Scroll down a line or screen on displays that are longer than the terminal screen can display.
Press the Return key.
Scroll down one line.
Press the Space bar.
Scroll down one screen.
Press Ctrl-L or Ctrl-R.
Redisplay the current command line.
Note
The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.
Redisplay the current command line if the switch suddenly sends a message to your screen.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. The keystroke actions are optional. To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.
Note
The arrow keys function only on ANSI-compatible terminals such as VT100s. In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left. Switch(config)# Switch(config)# Switch(config)# Switch(config)#
access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1 $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25 $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right: Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-9
Chapter 2
Using the Command-Line Interface
Searching and Filtering Output of show and more Commands
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7.
Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional. To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin, include, or exclude, and an expression that you want to search for or filter out: command | {begin | include | exclude} regular-expression Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear. This example shows how to include in the output display only lines where the expression protocol appears: Switch# show interfaces | include protocol Vlan1 is up, line protocol is up Vlan10 is up, line protocol is down GigabitEthernet0/1 is up, line protocol is down GigabitEthernet0/2 is up, line protocol is up
Accessing the CLI You can access the CLI through a console connection, through Telnet, or by using the browser.
Accessing the CLI through a Console Connection or through Telnet Before you can access the CLI, you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.” If your switch is already configured, you can access the CLI through a local console connection or through a remote Telnet session, but your switch must first be configured for this type of access. For more information, see the “Setting a Telnet Password for a Terminal Line” section on page 8-6. You can use one of these methods to establish a connection with the switch: •
Connect the switch console port to a management station or dial-up modem. For information about connecting to the console port, see the switch hardware installation guide.
•
Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured. For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 8-6. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.
Catalyst 2960 Switch Software Configuration Guide
2-10
78-16881-02
Chapter 2
Using the Command-Line Interface Accessing the CLI
For information about configuring the switch for SSH, see the “Configuring the Switch for Secure Shell” section on page 8-33. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
2-11
Chapter 2
Using the Command-Line Interface
Accessing the CLI
Catalyst 2960 Switch Software Configuration Guide
2-12
78-16881-02
C H A P T E R
3
Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Catalyst 2960 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
Note
For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and to the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •
Understanding the Boot Process, page 3-1
•
Assigning Switch Information, page 3-2
•
Checking and Saving the Running Configuration, page 3-10
•
Modifying the Startup Configuration, page 3-11
•
Scheduling a Reload of the Software Image, page 3-15
Understanding the Boot Process To start your switch, you need to follow the procedures in the hardware installation guide about installing and powering on the switch, and setting up the initial configuration (IP address, subnet mask, default gateway, secret and Telnet passwords, and so forth) of the switch. The normal boot process involves the operation of the boot loader software, which performs these activities: •
Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
•
Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.
•
Initializes the flash file system on the system board.
•
Loads a default operating system software image into memory and boots the switch.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
3-1
Chapter 3
Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on. The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used. The trap-door mechanism provides enough access to the system so that if it is necessary, you can format the flash file system, reinstall the operating system software image by using the Xmodem Protocol, recover from a lost or forgotten password, and finally restart the operating system. For more information, see the “Recovering from a Software Failure” section on page 31-2 and the “Recovering from a Lost or Forgotten Password” section on page 31-3.
Note
You can disable password recovery. For more information, see the “Disabling Password Recovery” section on page 8-5. Before you can assign switch information, make sure you have connected a PC or terminal to the console port, and configured the PC or terminal-emulation software baud rate and character format to match these of the switch console port: •
Baud rate default is 9600.
•
Data bits default is 8.
Note
If the data bits option is set to 8, set the parity option to none.
•
Stop bits default is 1.
•
Parity settings default is none.
Assigning Switch Information You can assign IP information through the switch setup program, through a DHCP server, or manually. Use the switch setup program if you want to be prompted for specific IP information. With this program, you can also configure a hostname and an enable secret password. It gives you the option of assigning a Telnet password (to provide security during remote management) and configuring your switch as a command or member switch of a cluster or as a standalone switch. For more information about the setup program, see the hardware installation guide. Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
Note
If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file. If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously. These sections contain this configuration information: •
Default Switch Information, page 3-3
•
Understanding DHCP-Based Autoconfiguration, page 3-3
Catalyst 2960 Switch Software Configuration Guide
3-2
78-16881-02
Chapter 3
Assigning the Switch IP Address and Default Gateway Assigning Switch Information
•
Manually Assigning IP Information, page 3-9
Default Switch Information Table 3-1 shows the default switch information. Table 3-1
Default Switch Information
Feature
Default Setting
IP address and subnet mask
No IP address or subnet mask are defined.
Default gateway
No default gateway is defined.
Enable secret password
No password is defined.
Hostname
The factory-assigned default hostname is Switch.
Telnet password
No password is defined.
Cluster command switch functionality
Disabled.
Cluster name
No cluster name is defined.
Understanding DHCP-Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices. This protocol consists of two components: one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating network addresses to devices. DHCP is built on a client-server model, in which designated DHCP servers allocate network addresses and deliver configuration parameters to dynamically configured devices. The switch can act as both a DHCP client and a DHCP server. During DHCP-based autoconfiguration, your switch (DHCP client) is automatically configured at startup with IP address information and a configuration file. With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server. The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay device between your switch and the DHCP server. A relay device forwards broadcast traffic between two directly connected LANs. A router does not forward broadcast packets, but it forwards packets based on the destination IP address in the received packet. DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch.
DHCP Client Request Process When you boot your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch. If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
3-3
Chapter 3
Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
Figure 3-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. Figure 3-1
DHCP Client and Server Message Exchange
DHCPDISCOVER (broadcast) Switch A
DHCPOFFER (unicast)
DHCP server
DHCPACK (unicast)
51807
DHCPREQUEST (broadcast)
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message. In a DHCPREQUEST broadcast message, the client returns a formal request for the offered configuration information to the DHCP server. The formal request is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client. With this message, the client and server are bound, and the client uses configuration information received from the server. The amount of information the switch receives depends on how you configure the DHCP server. For more information, see the “Configuring the TFTP Server” section on page 3-5. If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server. The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client). A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the offers; however, the client usually accepts the first offer it receives. The offer from the DHCP server is not a guarantee that the IP address is allocated to the client; however, the server usually reserves the address until the client has had a chance to formally request the address. If the switch accepts replies from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration file.
Configuring DHCP-Based Autoconfiguration These sections contain this configuration information: •
DHCP Server Configuration Guidelines, page 3-5
•
Configuring the TFTP Server, page 3-5
•
Configuring the DNS, page 3-6
•
Configuring the Relay Device, page 3-6
•
Obtaining Configuration Files, page 3-7
•
Example Configuration, page 3-8
Catalyst 2960 Switch Software Configuration Guide
3-4
78-16881-02
Chapter 3
Assigning the Switch IP Address and Default Gateway Assigning Switch Information
If your DHCP server is a Cisco device, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
DHCP Server Configuration Guidelines Follow these guidelines if you are configuring a device as a DHCP server: You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. If you want the switch to receive IP address information, you must configure the DHCP server with these lease options: •
IP address of the client (required)
•
Subnet mask of the client (required)
•
DNS server IP address (optional)
•
Router IP address (default gateway address to be used by the switch) (required)
If you want the switch to receive the configuration file from a TFTP server, you must configure the DHCP server with these lease options: •
TFTP server name (required)
•
Boot filename (the name of the configuration file that the client needs) (recommended)
•
Hostname (optional)
Depending on the settings of the DHCP server, the switch can receive IP address information, the configuration file, or both. If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured. If the router IP address or the TFTP server name are not found, the switch might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease options does not affect autoconfiguration.
Configuring the TFTP Server Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server. If you configured the DHCP server to respond to the switch with all the options required for IP connectivity to the TFTP server, and if you configured the DHCP server with a TFTP server name, address, and configuration filename, the switch attempts to download the specified configuration file from the specified TFTP server. If you did not specify the configuration filename, the TFTP server, or if the configuration file could not be downloaded, the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses. The files include the specified configuration filename (if any) and these files: network-config, cisconet.cfg, hostname.config, or hostname.cfg, where hostname is the switch’s current hostname. The TFTP server addresses used include the specified TFTP server address (if any) and the broadcast address (255.255.255.255). For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files: •
The configuration file named in the DHCP reply (the actual switch configuration file).
•
The network-confg or the cisconet.cfg file (known as the default configuration files).
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
3-5
Chapter 3
Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
•
The router-confg or the ciscortr.cfg file (These files contain commands common to all switches. Normally, if the DHCP and TFTP servers are properly configured, these files are not accessed.)
If you specify the TFTP server name in the DHCP server-lease database, you must also configure the TFTP server name-to-IP-address mapping in the DNS-server database. If the TFTP server to be used is on a different LAN from the switch, or if it is to be accessed by the switch through the broadcast address (which occurs if the DHCP server response does not contain all the required information described previously), a relay must be configured to forward the TFTP packets to the TFTP server. For more information, see the “Configuring the Relay Device” section on page 3-6. The preferred solution is to configure the DHCP server with all the required information.
Configuring the DNS The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configure the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configuration files for the switch. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database. The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a router.
Configuring the Relay Device You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command. For example, in Figure 3-2, configure the router interfaces as follows: On interface 10.0.0.2: router(config-if)# ip helper-address 20.0.0.2 router(config-if)# ip helper-address 20.0.0.3 router(config-if)# ip helper-address 20.0.0.4
On interface 20.0.0.1 router(config-if)# ip helper-address 10.0.0.1
Catalyst 2960 Switch Software Configuration Guide
3-6
78-16881-02
Chapter 3
Assigning the Switch IP Address and Default Gateway Assigning Switch Information
Figure 3-2
Relay Device Used in Autoconfiguration
Switch (DHCP client)
Cisco router (Relay) 10.0.0.2
10.0.0.1
DHCP server
20.0.0.3
TFTP server
20.0.0.4
DNS server
49068
20.0.0.2
20.0.0.1
Obtaining Configuration Files Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways: •
The IP address and the configuration filename is reserved for the switch and provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, TFTP server address, and the configuration filename from the DHCP server. The switch sends a unicast message to the TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt, it completes its boot-up process.
•
The IP address and the configuration filename is reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server. The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server, and upon receipt, it completes its boot-up process.
•
Only the IP address is reserved for the switch and provided in the DHCP reply. The configuration filename is not provided (two-file read method). The switch receives its IP address, subnet mask, and the TFTP server address from the DHCP server. The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. (If the network-confg file cannot be read, the switch reads the cisconet.cfg file.) The default configuration file contains the hostnames-to-IP-address mapping for the switch. The switch fills its host table with the information in the file and obtains its hostname. If the hostname is not found in the file, the switch uses the hostname in the DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname. After obtaining its hostname from the default configuration file or the DHCP reply, the switch reads the configuration file that has the same name as its hostname (hostname-confg or hostname.cfg, depending on whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the cisconet.cfg file is read, the filename of the host is truncated to eight characters. If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
3-7
Chapter 3
Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
Note
The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.
Example Configuration Figure 3-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration. Figure 3-3
DHCP-Based Autoconfiguration Network Example
Switch 1 Switch 2 Switch 3 Switch 4 00e0.9f1e.2001 00e0.9f1e.2002 00e0.9f1e.2003 00e0.9f1e.2004
Cisco router 10.0.0.10
DHCP server
10.0.0.2
DNS server
10.0.0.3
TFTP server (tftpserver)
111394
10.0.0.1
Table 3-2 shows the configuration of the reserved leases on the DHCP server. Table 3-2
DHCP Server Configuration
Switch A
Switch B
Switch C
Switch D
Binding key (hardware address)
00e0.9f1e.2001
00e0.9f1e.2002
00e0.9f1e.2003
00e0.9f1e.2004
IP address
10.0.0.21
10.0.0.22
10.0.0.23
10.0.0.24
Subnet mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Router address
10.0.0.10
10.0.0.10
10.0.0.10
10.0.0.10
DNS server address
10.0.0.2
10.0.0.2
10.0.0.2
10.0.0.2
TFTP server name
tftpserver or 10.0.0.3
tftpserver or 10.0.0.3
tftpserver or 10.0.0.3
tftpserver or 10.0.0.3
Boot filename (configuration file) (optional)
switcha-confg
switchb-confg
switchc-confg
switchd-confg
Hostname (optional)
switcha
switchb
switchc
switchd
DNS Server Configuration The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
Catalyst 2960 Switch Software Configuration Guide
3-8
78-16881-02
Chapter 3
Assigning the Switch IP Address and Default Gateway Assigning Switch Information
TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address. The base directory also contains a configuration file for each switch (switcha-confg, switchb-confg, and so forth) as shown in this display: prompt> cd /tftpserver/work/ prompt> ls network-confg switcha-confg switchb-confg switchc-confg switchd-confg prompt> cat network-confg ip host switcha 10.0.0.21 ip host switchb 10.0.0.22 ip host switchc 10.0.0.23 ip host switchd 10.0.0.24
DHCP Client Configuration No configuration file is present on Switch A through Switch D. Configuration Explanation In Figure 3-3, Switch A reads its configuration file as follows: •
It obtains its IP address 10.0.0.21 from the DHCP server.
•
If no configuration filename is given in the DHCP server reply, Switch A reads the network-confg file from the base directory of the TFTP server.
•
It adds the contents of the network-confg file to its host table.
•
It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha).
•
It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server.
Switches B through D retrieve their configuration files and IP addresses in the same way.
Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs): Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface vlan vlan-id
Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094.
Step 3
ip address ip-address subnet-mask
Enter the IP address and subnet mask.
Step 4
exit
Return to global configuration mode.
Catalyst 2960 Switch Software Configuration Guide 78-16881-02
3-9
Chapter 3
Assigning the Switch IP Address and Default Gateway
Checking and Saving the Running Configuration
Step 5
Command
Purpose
ip default-gateway ip-address
Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch. Once the default gateway is configured, the switch has connectivity to the remote networks with which a host needs to communicate. Note
When your switch is configured to route with IP, it does not need to have a default gateway set.
Step 6
end
Return to privileged EXEC mode.
Step 7
show interfaces vlan vlan-id
Verify the configured IP address.
Step 8
show ip redirects
Verify the configured default gateway.
Step 9
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To remove the switch IP address, use the no ip address interface configuration command. If you are removing the address through a Telnet session, your connection to the switch will be lost. To remove the default gateway address, use the no ip default-gateway global configuration command. For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 6, “Administering the Switch.”
Checking and Saving the Running Configuration You can check the configuration settings you entered or changes you made by entering this privileged EXEC command: Switch# show running-config Building configuration... Current configuration: 1363 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Switch A ! enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0 ! . 
