The Catalyst 2900 series XL switches, hereafter referred to as the Catalyst 2900 series switches, are supported by Cisco IOS software. The current release is Cisco IOS Release 11.2(8)SA4. This chapter describes how to use the switch command-line interface (CLI) to configure those features that have been added for the switch. For a complete description of the commands that support these features, see "Cisco IOS Commands." For more information on Cisco IOS Release 11.2(8), refer to the Cisco IOS Release 11.2 Command Summary.
The switches are preconfigured and begin forwarding packets as soon as they are attached to compatible devices.
All ports belong by default to virtual LAN (VLAN) 1. Access to the switch itself is also through VLAN 1. For management purposes, only devices connected to ports assigned to VLAN 1 can communicate with the switch. This applies to Telnet, web-based management, and SNMP.
This chapter describes how to complete the following configuration tasks:
Using the Enterprise Edition Software, you can complete the following configuration tasks:
The switch Flash memory stores the Cisco IOS software image, the startup configuration file, and helper files.
Cisco IOS Release 11.2(8)SA4-A and SA4-EN run on a variety of Catalyst 2900 series switches and modules. For a complete list, see the Release Notes for the Catalyst 2900 Series XL Cisco IOS Release 11.2(8)SA4.
If no IP information has been entered for the switch, the setup program prompts you for the IP address, subnet mask, and default gateway the first time you access the CLI. You can enter or change this information at any time through the CLI.
For management purposes, the switch belongs to VLAN 1, and the switch IP address and subnet mask are associated with VLAN 1.
Beginning in privileged EXEC mode, follow these steps to enter the IP information:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to which the IP information is assigned. | interface vlan 1 |
Step 3 Enter the IP address and subnet mask. | ip address ip_address subnet_mask |
Step 4 Enter the IP address of the default router. | ip default-gateway ip_address |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify that the information was entered correctly by displaying the running configuration. If the information is incorrect, repeat the procedure. | show running-config |
The port commands control switch features that manage packet flooding, port security, EtherChannel port groups, and other switch activities. This section describes how to use the port commands to complete the following tasks:
Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to a port:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to configure. | interface interface |
Step 3 Block multicast forwarding to the port. | port block multicast |
Step 4 Block unicast flooding to the port. | port block unicast |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify your entries by entering the appropriate command once for the multicast option and once for the unicast option. | show port block {multicast | unicast} interface |
Autonegotiation is still enabled when one of the parameters has been manually set. The mix of autonegotiation and explicitly set parameters can produce unexpected results that affect performance. To maximize the performance of your switch, follow one of these guidelines when setting the speed and duplex parameters:
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex parameters on a port:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to be configured. | interface interface |
Step 3 Enter the speed parameter for the port. You cannot enter the speed on Gigabit Ethernet ports. | speed {10 | 100 | auto} |
Step 4 Enter the duplex parameter for the port. | duplex {full | half | auto} |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify your entries. | show running-config |
Broadcast-storm control blocks the forwarding of packets created by broadcast storms, the bursts of broadcast traffic that ports can generate. When you enable broadcast-storm control on a port, two threshold parameters define the beginning and the end of a broadcast storm. The rising parameter determines when the forwarding of broadcast packets from the port is blocked. The falling parameter determines when normal forwarding resumes. You can set the port to generate a trap when these thresholds are crossed, and you can disable the port during a broadcast storm.
Beginning in privileged EXEC mode, follow these steps to enable broadcast-storm control:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to configure. | interface interface |
Step 3 Enter the rising and falling thresholds. Thresholds can be from 0 to 4294967295 broadcast packets per second. | port storm-control [threshold {rising rising-number falling falling-number}] |
Step 4 Disable the port during a broadcast storm, or generate an SNMP trap when the traffic on the port crosses the rising or falling threshold. | port storm-control filter or port storm-control trap |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify your entries. | show port storm-control [interface] |
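The rising and falling thresholds form a hysteresis band: once blocked, the port stays blocked until traffic drops below the falling value, even if it is already under the rising value. The following Python model is an added illustration, not Cisco code. The sample rates are constructed, and the exact comparison at each threshold (reaches the rising value, drops below the falling value) is an assumption.

```python
from dataclasses import dataclass, field

MAX_THRESHOLD = 4294967295  # upper bound given in Step 3 of the table


@dataclass
class StormControl:
    """Model of one port's broadcast-storm control state (illustrative)."""
    rising: int
    falling: int
    blocked: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self):
        for name in ("rising", "falling"):
            value = getattr(self, name)
            if not 0 <= value <= MAX_THRESHOLD:
                raise ValueError(f"{name} threshold out of range: {value}")
        if self.falling > self.rising:
            # Sanity check of this sketch, not a documented CLI restriction.
            raise ValueError("falling threshold is above rising threshold")

    def observe(self, second, broadcast_pps):
        """Feed one per-second broadcast count; return True while blocked."""
        if not self.blocked and broadcast_pps >= self.rising:
            self.blocked = True          # storm begins: block broadcasts
            self.events.append((second, "rising"))    # where a trap would fire
        elif self.blocked and broadcast_pps < self.falling:
            self.blocked = False         # storm ends: normal forwarding resumes
            self.events.append((second, "falling"))   # where a trap would fire
        return self.blocked


def replay(rising, falling, samples):
    """Run a list of per-second broadcast counts through the model."""
    ctl = StormControl(rising, falling)
    states = [ctl.observe(t, pps) for t, pps in enumerate(samples)]
    return states, ctl.events


# Constructed per-second broadcast packet counts for one port.
SAMPLES = [40, 120, 600, 900, 450, 300, 180, 90, 60]

if __name__ == "__main__":
    states, events = replay(rising=500, falling=100, samples=SAMPLES)
    for t, (pps, blocked) in enumerate(zip(SAMPLES, states)):
        print(f"t={t}s  {pps:4d} pps  {'BLOCKED' if blocked else 'forwarding'}")
    print("threshold crossings:", events)
```

In the replay, seconds 4 through 6 are below the rising threshold of 500 but still blocked, because the rate has not yet dropped under the falling threshold of 100.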
Enabling a network port can reduce flooded traffic on your network. The network port receives all traffic with unknown destination addresses instead of the switch flooding them to all ports in the same VLAN. Space is then conserved in the dynamic address table because a network port does not learn source addresses from received packets.
Beginning in privileged EXEC mode, complete these tasks to define a port as the network port:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to be configured. | interface interface |
Step 3 Define the port as the network port. | port network |
Step 4 Return to privileged EXEC mode. | end |
Step 5 Verify your entry. | show running-config |
Secured ports restrict the use of a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the group. A secure address is associated with one port per VLAN. You can enter these addresses, or the switch can learn them. See the "Adding Secure Addresses" section for more information.
When you secure a port, you can also define the number of addresses that the switch can learn. The switch does not learn addresses on this port after it has reached the number you enter.
Beginning in privileged EXEC mode, follow these steps to enable security on a port:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to configure. | interface interface |
Step 3 Enter the maximum number of addresses this port can learn. You can enter a number between 1 and 132. | port security max-mac-count address-number |
Step 4 Enable port security, and define the action to take for an address violation. | port security action {shutdown | trap} |
Step 5 Return to global configuration mode. | exit |
Step 6 Enter the IP address and community string of the SNMP trap host, and enable it to receive traps. | snmp-server host host-address community-string c2900 |
Step 7 Return to privileged EXEC mode. | end |
Step 8 Verify your entries. | show port security [interface] |
Fast EtherChannel and Gigabit EtherChannel port groups are high-speed links. The switch considers the group to be a single port, and protocols such as STP enable and disable the group as if it were a single port. All ports in the group have the same VLAN configuration.
You can create a port group that forwards based on the source or destination address of the received packet. Source-based forwarding groups can have up to eight ports. Destination-based forwarding groups can have any number of ports.
For more information on the difference between these two methods, see the Catalyst 2900 Series XL Installation and Configuration Guide.
Beginning in privileged EXEC mode, complete these tasks to create a two-port group:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port of the first port to be added to the group. | interface interface |
Step 3 Assign the port to group 1 with destination-based forwarding. | port group 1 distribution destination |
Step 4 Enter the second port to be added to the group. | interface interface |
Step 5 Assign the port to group 1 with destination-based forwarding. | port group 1 distribution destination |
Step 6 Return to privileged EXEC mode. | end |
Step 7 Verify your entries. | show running-config |
The switch uses the MAC address tables to forward traffic between ports. These MAC tables include dynamic, secure, and static addresses. The address tables list the destination MAC address together with its associated VLAN ID, module, and port number.
Each switch maintains an address table of ports that belong to the VLAN and their associated addresses. An address can be learned in more than one VLAN, and a dynamic address learned in one VLAN can be entered as a secure address in another VLAN. An address that is learned in one VLAN is unknown in another VLAN until it is entered or learned.
You can also enter addresses and their ports and VLANs in the address table. The switch supports three kinds of MAC addresses:
This section describes how to use the CLI to complete the following address-table tasks:
To display the contents of the address table, enter the show mac-address-table command in privileged EXEC mode:
```
switch# show mac-address-table
Dynamic Addresses Count: 45
Secure Addresses (User-defined) Count: 1
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 37
Total MAC addresses: 83
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0000.0c07.ac01       Dynamic          1  FastEthernet0/16
0000.0c07.ac01       Dynamic          2  FastEthernet0/16
0000.0c07.ac01       Dynamic          3  FastEthernet0/16
0010.0b3f.ac80       Dynamic          1  FastEthernet0/5
0010.0b3f.ac85       Dynamic          1  FastEthernet0/5
0010.0de1.c9c0       Dynamic          1  FastEthernet0/3
0010.0de1.c9c3       Dynamic          1  FastEthernet0/3
0020.afd0.ea97       Dynamic          1  FastEthernet0/16
```
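Before enabling port security, it helps to know how many addresses each port already carries, so that a chosen `max-mac-count` does not trip a violation at once. The following Python parser for the output shown above is an added example, not Cisco tooling. The function names are hypothetical, and the input is the page's own sample, which shows only part of the table.

```python
import re

# Output copied from the switch example above (only part of the table is shown).
SAMPLE = """\
switch# show mac-address-table
Dynamic Addresses Count: 45
Secure Addresses (User-defined) Count: 1
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 37
Total MAC addresses: 83
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0000.0c07.ac01       Dynamic          1  FastEthernet0/16
0000.0c07.ac01       Dynamic          2  FastEthernet0/16
0000.0c07.ac01       Dynamic          3  FastEthernet0/16
0010.0b3f.ac80       Dynamic          1  FastEthernet0/5
0010.0b3f.ac85       Dynamic          1  FastEthernet0/5
0010.0de1.c9c0       Dynamic          1  FastEthernet0/3
0010.0de1.c9c3       Dynamic          1  FastEthernet0/3
0020.afd0.ea97       Dynamic          1  FastEthernet0/16
"""

COUNT_RE = re.compile(r"^(.+?) Count:\s*(\d+)$")
TOTAL_RE = re.compile(r"^Total MAC addresses:\s*(\d+)$")
ROW_RE = re.compile(
    r"^((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)


def parse_mac_table(text):
    """Return (per-type counts, reported total, [(mac, type, vlan, port)])."""
    counts, total, rows = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif m := ROW_RE.match(line):
            rows.append((m.group(1).lower(), m.group(2),
                         int(m.group(3)), m.group(4)))
    return counts, total, rows


def summarize_ports(rows):
    """Map each port to the distinct addresses and VLANs seen behind it."""
    ports = {}
    for mac, _type, vlan, port in rows:
        entry = ports.setdefault(port, {"macs": set(), "vlans": set()})
        entry["macs"].add(mac)
        entry["vlans"].add(vlan)
    return ports


def ports_over_limit(rows, max_mac_count):
    """Ports already holding more addresses than a proposed max-mac-count."""
    if not 1 <= max_mac_count <= 132:  # range from the port-security procedure
        raise ValueError("max-mac-count must be between 1 and 132")
    return sorted(port for port, e in summarize_ports(rows).items()
                  if len(e["macs"]) > max_mac_count)


if __name__ == "__main__":
    counts, total, rows = parse_mac_table(SAMPLE)
    print("header counts add up to total:", sum(counts.values()) == total)
    for port, e in sorted(summarize_ports(rows).items()):
        print(port, len(e["macs"]), "addresses, VLANs", sorted(e["vlans"]))
    print("would exceed max-mac-count 1:", ports_over_limit(rows, 1))
```

On this sample every listed port already holds two addresses, so a limit of 1 with the `shutdown` action would disable all three, and FastEthernet0/16 appears in three VLANs.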
A secure address is forwarded to one port per VLAN. Secure addresses do not age and can be either manually entered into the address table or learned.
You can enter a secure port address even when the port does not yet belong to the VLAN. When the port is later assigned to the VLAN, packets destined for that address are forwarded to the port.
Beginning in privileged EXEC mode, follow these steps to enter a secure address:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter the MAC address, its associated port, and the VLAN ID. | mac-address-table secure hw-addr interface |
Step 3 Return to privileged EXEC mode. | end |
Step 4 Verify your entry. | show mac-address-table secure |
Beginning in privileged EXEC mode, follow these steps to enter a static address in the address table:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter the MAC address, the input port, the ports to which it can be forwarded, and the VLAN ID of those ports. | mac-address-table static hw-addr in-port out-port-list vlan vlan-id |
Step 3 Return to privileged EXEC mode. | end |
Step 4 Verify your entry. | show mac-address-table static |
The address table retains dynamic addresses for a configurable amount of time (the aging time). This value is valid for all dynamic addresses in all VLANs, and the default is 300 seconds. Beginning in privileged EXEC mode, complete the following tasks to define the aging time for the address table.
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter the number of seconds that dynamic addresses are to be retained in the address table. You can enter a number from 10 to 1000000. | mac-address-table aging-time seconds |
Step 3 Return to privileged EXEC mode. | end |
Step 4 Verify your entry. | show mac-address-table aging-time |
The following parameters are entered in global configuration mode per VLAN:
The following parameters are entered on a per-port, per-VLAN basis in interface configuration mode:
Caution: Enabling this option on a port connected to a switch or hub could prevent STP from detecting and disabling loops in your network.
Disable Port Fast with the no version of this command. Beginning in privileged EXEC mode, follow these steps to enable the Port Fast option:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to be configured. | interface interface |
Step 3 Enable the Port Fast feature for the port. | spanning-tree portfast |
Step 4 Return to privileged EXEC mode. | end |
Step 5 Verify your entry. | show running-config |
CGMP reduces flooding by limiting the forwarding of IP multicast and broadcast packets. The Fast Leave option reduces the amount of time required for CGMP to remove groups that are no longer active.
Beginning in privileged EXEC mode, complete these tasks to enable the CGMP Fast Leave option:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enable CGMP and CGMP Fast Leave. | cgmp leave-processing |
Step 3 Return to privileged EXEC mode. | end |
Step 4 Verify your entry. | show running-config |
A VLAN is an administratively defined broadcast domain. Stations can receive packets sent by other stations in the same VLAN. A VLAN enhances performance by limiting traffic; it allows the transmission of traffic among stations that belong to it and blocks traffic from stations in other VLANs. The Catalyst 2900 series switch locally supports up to 64 active VLANs with IDs from 1 to 1001.
Table 1-1 shows the VLAN features supported in this IOS software release.
Feature | IOS Release 11.2(8)SA4-A | IOS Release 11.2(8)SA4-EN |
---|---|---|
Assign ports for static-access VLAN membership. | Yes | Yes |
Assign ports for multi-VLAN membership. | Yes | Yes |
Add, modify, and delete VLANs from VLAN Trunk Protocol (VTP) database. | No | Yes |
Configure VLAN trunk ports. | No | Yes |
Assign ports for dynamic VLAN membership. | No | Yes |
Supports Inter-Switch Link and IEEE 802.1Q VLAN tagging. | No | Yes |
In the standard edition software, all ports are static-access ports and are assigned to VLAN 1 by default. Static-access ports can belong to only one VLAN; multi-VLAN ports can belong to more than one VLAN. You use the switchport mode, switchport access, and switchport multi commands to assign ports to VLANs. These VLANs exist without the use of the VTP database.
Using Enterprise Edition Software, you can assign ports as static-access, multi-VLAN, dynamic-access, or trunks. A dynamic-access port can belong only to one VLAN at a time. A trunk port is by default a member of every VLAN known to VTP and carries the traffic of multiple VLANs. Unlike in the standard edition software, you should use the vlan command to create a new VLAN (except for the default VLANs 1 and 1002 to 1005) in the VTP database. If you use the switchport command to add a static-access or multi-VLAN port to a VLAN, the new VLAN is automatically added to the database. However, trunk ports are not automatically added to the database using the switchport command.
For a dynamic-access port, you must configure a VLAN Membership Policy Server (VMPS) on another switch, such as a Catalyst 5000, to hold a database of MAC address-to-VLAN mappings. You must also use vmps commands to locally configure the VMPS server address. When the Catalyst 2900 series switch receives the first packet from a new host on its dynamic-access port, the switch uses the VLAN Query Protocol (VQP) to send the source MAC address to the VMPS. The VMPS provides the VLAN name to which this port must be assigned. The VLAN name must exist in the local VTP database before the dynamic-access port can be assigned to the VLAN.
Trunk ports become a member of a VLAN if the VLAN is in both the allowed list and in the VTP database. The allowed VLAN list contains the VLAN IDs that receive and transmit traffic on the trunk. By default, all possible VLANs (VLAN IDs 1-1005) are allowed in the list, but the trunk port can only transmit and receive packets on 64 of these VLANs at once. You can configure the allowed VLAN list for more control over VLAN membership of a trunk port.
This section describes how to use the CLI to complete the following VLAN tasks:
All ports are static-access ports. A static-access port belongs to VLAN 1 by default.
Beginning in privileged EXEC mode, follow these steps to assign a port for static-access VLAN membership:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to be added to the VLAN. | interface interface |
Step 3 Enter the VLAN membership mode for static-access ports. | switchport mode access |
Step 4 Assign the port to a VLAN. | switchport access vlan 2 |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify your entries. | show interface interface-id switchport |
A multi-VLAN port belongs to more than one VLAN. The switch does not encapsulate packets on a multi-VLAN port.
Caution: To avoid loss of connectivity, do not connect multi-VLAN ports to hubs or switches. Connect multi-VLAN ports to routers or servers.
Beginning in privileged EXEC mode, follow these steps to assign ports for multi-VLAN membership:
Task | Command |
---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode, and enter the port to be added to the VLAN. | interface interface |
Step 3 Enter the VLAN membership mode for multi-VLAN ports. | switchport mode multi |
Step 4 Assign the port to more than one VLAN. | switchport multi vlan add vlan-list |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify your entries. | show interface interface-id switchport |
VTP is a Layer-2 messaging protocol that maintains VLAN configuration consistency throughout the network. VTP manages the addition, deletion, and modification of VLANs network-wide by allowing each device to send advertisements on its trunk ports. These advertisements include the VTP management domain of the device, its configuration revision number, the VLANs it received advertisements about, and certain VLAN parameters. By receiving these advertisements, all devices in the same management domain learn about new VLANs now configured in the transmitting device. These advertisements automatically communicate the changes you make to all the other switches in the network.
VTP minimizes configuration inconsistencies that can arise when changes are made. These inconsistencies can result in security violations because VLANs cross-connect when duplicate names are used and internally disconnect when VLANs are incorrectly mapped between one LAN type and another.
Beginning in privileged EXEC mode, follow these steps to configure VTP:
Task | Command |
---|---|
Step 1 Enter VLAN database mode. | vlan database |
Step 2 Enter a unique VTP domain name, and optionally enter a password. | vtp domain domain-name password password-value |
Step 3 Enable the switch to run in server mode. | vtp server |
Step 4 Enable the VTP administrative domain to operate with VTP version 2. | vtp v2-mode |
Step 5 Enable VTP pruning globally in the administrative domain. | vtp pruning |
Step 6 Return to privileged EXEC mode. | exit |
Step 7 Enter global configuration mode. | configure terminal |
Step 8 Enable SNMP VTP trap notification if you want to receive these traps. | snmp-server enable traps vtp |
Step 9 Enter the IP address and community string of the SNMP trap host, and enable it to receive VTP traps. | snmp-server host host-address community-string vtp |
Step 10 Return to privileged EXEC mode. | end |
Step 11 Verify your entries. | show vtp status |
The VLAN database includes VLAN 1 and 1002 through 1005 by default. You can add VLAN configurations to the database by entering the VLAN database configuration mode.
Beginning in privileged EXEC mode, follow these steps to add Ethernet VLANs to the database:
Task | Command |
---|---|
Step 1 Enter VLAN database mode. | vlan database |
Step 2 Add an Ethernet VLAN with default media characteristics. | vlan vlan-id name vlan-name |
Step 3 Add an Ethernet VLAN with a specific MTU size. | vlan vlan-id name vlan-name mtu mtu-size |
Step 4 Add an Ethernet VLAN in a suspended state. | vlan vlan-id name vlan-name state suspend |
Step 5 Implement the proposed new database, propagate it throughout the administrative domain, and return to privileged EXEC mode. | exit |
Step 6 Verify your entries. | show vlan id vlan-id |
You can modify VLAN characteristics in the database.
Beginning in privileged EXEC mode, follow these steps to modify an existing Ethernet VLAN in the database:
Task | Command |
---|---|
Step 1 Enter VLAN database mode. | vlan database |
Step 2 Modify an existing Ethernet VLAN by changing its MTU size and SAID value. | vlan vlan-id mtu mtu-size said said-value |
Step 3 Implement the proposed new database, propagate it throughout the administrative domain, and return to privileged EXEC mode. | exit |
Step 4 Verify your entries. | show vlan id vlan-id |
You can remove VLANs from the database. However, you cannot delete VLAN 1 or 1002 to 1005.
Beginning in privileged EXEC mode, follow these steps to remove an Ethernet VLAN from the database:
Task | Command |
---|---|
Step 1 Enter VLAN database mode. | vlan database |
Step 2 Remove an existing VLAN by its VLAN ID. | no vlan vlan-id |
Step 3 Implement the proposed new database, propagate it throughout the administrative domain, and return to privileged EXEC mode. | exit |
Step 4 Verify your entries. | show vlan brief |
A trunk is a point-to-point link between two switches or between a switch and a router. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one switch to another. On a trunk port, the switch encapsulates all packets to identify (or tag) the VLAN to which the traffic belongs.
By default, a Catalyst 2900 series trunk port is a member of all active Ethernet VLANs, up to 64 VLANs. You can further control the VLAN membership of a trunk port by modifying the allowed list to restrict the traffic a trunk carries. This list of allowed VLANs does not affect any port but the trunk port associated with it.
Beginning in privileged EXEC mode, follow these steps to configure a VLAN trunk:
Task | Command |
---|---|
Step 1 Add a VLAN to the database. | |
Step 2 Enter global configuration mode. | configure terminal |
Step 3 Enter interface configuration mode, and enter the port to be added to the VLAN. | interface interface |
Step 4 Enter the VLAN membership mode for trunk ports. | switchport mode trunk |
Step 5 Enter the encapsulation format on the trunk port. | switchport trunk encapsulation {isl | dot1q} |
Step 6 Restrict the list of VLANs enabled to receive and transmit traffic on the trunk. | switchport trunk allowed vlan remove vlan-list |
Step 7 For 802.1Q trunks, enter the native VLAN for untagged traffic. | switchport trunk native vlan vlan-id |
Step 8 Return to privileged EXEC mode. | end |
Step 9 Verify your entries. | show interface interface-id switchport |
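The following Python audit is an added example, not Cisco tooling. It checks a saved configuration against points this chapter makes: a trunk carries every VLAN unless its allowed list is trimmed, Port Fast is risky on switch-facing ports, ports in VLAN 1 can reach switch management, and port security is off until `port security action` is entered. The configuration text is constructed and its stanza layout is assumed; the finding codes and the choice to flag every unsecured access port are this example's own policy.

```python
# Constructed running-config excerpt. The stanza layout is an assumption; the
# command text follows the forms given in this chapter's tables.
CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk encapsulation isl
 switchport trunk allowed vlan remove 4-1001
!
interface FastEthernet0/3
 switchport access vlan 2
 port security max-mac-count 1
 port security action shutdown
 spanning-tree portfast
!
interface FastEthernet0/4
 duplex full
!
interface FastEthernet0/5
 switchport mode multi
 switchport multi vlan add 2,3
!
"""


def parse_interfaces(text):
    """Return {interface name: [commands]} for each interface stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def audit(stanzas):
    """Return [(port, finding code)] in configuration order."""
    findings = []
    for port, cmds in stanzas.items():
        def has(prefix):
            return any(c.startswith(prefix) for c in cmds)

        mode = "access"  # ports are static-access unless configured otherwise
        for c in cmds:
            if c.startswith("switchport mode "):
                mode = c.split()[2]

        if mode == "trunk":
            if not has("switchport trunk allowed vlan"):
                findings.append((port, "TRUNK_ALL_VLANS"))   # default allowed list
            if has("spanning-tree portfast"):
                # Heuristic: a trunk may face another switch (see the Caution).
                findings.append((port, "PORTFAST_ON_TRUNK"))
        elif mode == "access":
            vlan_cmds = [c for c in cmds if c.startswith("switchport access vlan ")]
            if not vlan_cmds or vlan_cmds[-1].split()[-1] == "1":
                findings.append((port, "ACCESS_IN_VLAN1"))   # management VLAN
            if not has("port security action"):
                findings.append((port, "NO_PORT_SECURITY"))
    return findings


if __name__ == "__main__":
    for port, code in audit(parse_interfaces(CONFIG)):
        print(f"{port}: {code}")
```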
By assigning ports to dynamic VLAN membership, you can move a connection from a port on one switch to a port on another switch in the network without reconfiguring the port. Before configuring dynamic-access ports, you must configure a VLAN Membership Policy Server (VMPS), such as the Catalyst 5000 switch, so that it is active and accessible by the Catalyst 2900 series switches.
A dynamic-access port can belong to only one VLAN at a time.
Caution: Dynamic-access ports are designed to work with end stations. Loss of connectivity can occur if you connect dynamic-access ports to switches or routers running bridging protocols.
Beginning in privileged EXEC mode, follow these steps to configure dynamic VLAN membership:
Task | Command |
---|---|
Step 1 Add a VLAN to the database. | |
Step 2 Enter global configuration mode. | configure terminal |
Step 3 Enter the primary VMPS IP address to be queried. | vmps server ipaddress primary |
Step 4 Enter the secondary VMPS IP addresses that the switch queries if no responses are received from the primary VMPS. | vmps server ipaddress |
Step 5 Enter the interface configuration mode, and enter the port to be added to the VLAN. | interface interface |
Step 6 Enter the VLAN membership mode for static-access ports. | switchport mode access |
Step 7 Configure the port to be a dynamic-access port. | switchport access vlan dynamic |
Step 8 Return to global configuration mode. | exit |
Step 9 Enable SNMP VMPS trap notification, if you want to receive these traps. | snmp-server enable traps vlan-membership |
Step 10 Enter the IP address and community string of the SNMP trap host, and enable it to receive VMPS traps. | snmp-server host host-address community-string vlan-membership |
Step 11 Return to privileged EXEC mode. | end |
Step 12 Verify your entries. | show vmps and show interface interface switchport |