Manuals / Brands / Baby / Model Vehicle / Cisco Systems / Baby / Model Vehicle

Cisco Systems 2960-S, 2960 Configuring IEEE 802.1x Port-Based Authentication

1 1004

Download 1004 pages, 17.17 Mb

CHAPTE R

10-1

Catalyst 2960 and 2960-S Switch Software Configuration Guide

OL-8603-09

10

Configuring IEEE 802.1x Port-Based Authentication

IEEE 802.1x port-based authentication prevents unauthorized d evices (clients) from gaining access to

the network. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

The Catalyst 2960 switch command reference and the “RADIUS Co mmands” section in the Cisco IOS

Security Command Reference, Release 12.2, have command synta x and usage information.

This chapter includes these sections:

• Understanding IEEE 802.1x Port-Based Authentication, page 10-1

• Configuring 802.1x Authentication, page 10-36

• Displaying 802.1x Statistics and Status, page 10-71

Understanding IEEE 802.1x Port-Based Authentication

The standard defines a client-server-based access control and authentication protocol to prevent

unauthorized clients from connecting to a LAN through publ icly accessible ports.The authentication

server authenticates each client connected to a switch port before making available any switch or LAN

services.

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication

Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP)

traffic through the port to which the client is connected. After authentication, norm al traffic passes

through the port.

• Device Roles, page 10-3

• Authentication Process, page 10-4

• Authentication Initiation and Message Exchange, page 10-6

• Authentication Manager, page 10-8

• Ports in Authorized and Unauthorized States, page 10-11

• 802.1x Host Mode, page 10-13

• Multidomain Authentication, page 10-13

Contents

Main Catalyst 2960 and 2960-S Switch Software Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Conventions Related Publications Obtaining Documentation, Obtaining Support, and Security Guidelines Overview Features Ease-of-Deployment and Ease-of-Use Features Page Performance Features Management Options Manageability Features Page Availability and Redundancy Features VLAN Features Security Features Page Page QoS and CoS Features Page Layer 3 Features Power over Ethernet Features Monitoring Features Default Settings After Initial Switch Configuration Page Network Configuration Examples Design Concepts for Using the Switch Page Page Small to Medium-Sized Network Using Catalyst 2960 and 2960-S Switches Long-Distance, High-Bandwidth Transport Configuration 1-24 Figure 1-4 Long-Distance, High-Bandwidth Transport Configuration Where to Go Next Before configuring the switch, review these sections for startup information: Using the Command-Line Interface Understanding Command Modes Page Understanding the Help System Understanding Abbreviated Commands Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Understanding DHCP-based Autoconfiguration and Image Update DHCP Autoconfiguration DHCP Auto-Image Update Limitations and Restrictions Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration Configuring the DHCP Auto Configuration and Image Update Features Configuring DHCP Autoconfiguration (Only Configuration File) Configuring DHCP Auto-Image Update (Configuration File and Image) Page Configuring the Client Manually Assigning IP Information Checking and Saving the Running Configuration Configuring the NVRAM Buffer Size Modifying the Startup Configuration Default Boot Configuration Automatically Downloading a Configuration File Specifying the Filename to Read and Write the System Configuration Booting Manually Booting a Specific Software Image Controlling Environment Variables Scheduling a Reload of the Software Image Configuring a Scheduled Reload Displaying Scheduled Reload Information Configuring Cisco IOS Configuration Engine Understanding Cisco Configuration Engine Software Configuration Service Event Service NameSpace Mapper What You Should Know About the CNS IDs and Device Hostnames ConfigID DeviceID Hostname and DeviceID Using Hostname, DeviceID, and ConfigID Understanding Cisco IOS Agents Initial Configuration V Incremental (Partial) Configuration Synchronized Configuration Configuring Cisco IOS Agents Enabling Automated CNS Configuration Enabling the CNS Event Agent Page Enabling the Cisco IOS CNS Agent Enabling an Initial Configuration Page Page Enabling a Partial Configuration Displaying CNS Configuration Page Administering the Switch Identifying the Switch Image Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Page Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Page Configuring NTP Access Restrictions Creating an Access Group and Assigning a Basic IP Access List Page Disabling NTP Services on a Specific Interface Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Building the Address Table MAC Addresses and VLANs MAC Addresses and Switch Stacks Default MAC Address Table Configuration Changing the Address Aging Time Removing Dynamic Address Entries Configuring MAC Address Change Notification Traps Page Configuring MAC Address Move Notification Traps Configuring MAC Threshold Notification Traps Adding and Removing Static Address Entries Configuring Unicast MAC Address Filtering Disabling MAC Address Learning on a VLAN Displaying Address Table Entries Managing the ARP Table Page Clustering Switches Understanding Switch Clusters Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery of Newly Installed Switches HSRP and Standby Cluster Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Automatic Recovery of Cluster Configuration IP Addresses Hostnames Passwords SNMP Community Strings Switch Clusters and Switch Stacks Page TACACS+ and RADIUS LRE Profiles Using the CLI to Manage Switch Clusters Using SNMP to Manage Switch Clusters 6-18 Figure 6-7 SNMP Management for a Cluster Managing Switch Stacks Understanding Stacks Page Stack Membership Page Master Election Stack MAC Address Member Numbers Member Priority Values Stack Offline Configuration Effects of Adding a Provisioned Switch to a Stack Page Effects of Replacing a Provisioned Switch in a Stack Effects of Removing a Provisioned Switch from a Stack Stack Software Compatibility Recommendations Stack Protocol Version Compatibility Major Version Number Incompatibility Among Switches Minor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise Auto-Upgrade and Auto-Advise Example Messages 7-12 Incompatible Software and Member Image Upgrades Stack Configuration Files Additional Considerations for System-Wide Configuration on Switch Stacks Stack Management Connectivity Stack Through an IP Address Stack Through an SSH Session Stack Through Console Ports Specific Members Stack Configuration Scenarios Data Recovery After Stack Topology Changes Configuring the Switch Stack Default Switch Stack Configuration Enabling Persistent MAC Address Page Assigning Stack Member Information Assigning a Member Number Setting the Member Priority Value Provisioning a New Member for a Stack Changing the Stack Membership Accessing the CLI of a Specific Member Displaying Stack Information Troubleshooting Stacks Manually Disabling a Stack Port Re-Enabling a Stack Port While Another Member Starts Understanding the show switch stack-ports summary Output Page Configuring SDM Templates Understanding the SDM Templates SDM Templates and Switch Stacks Configuring the Switch SDM Template Default SDM Template SDM Template Configuration Guidelines Setting the SDM Template Page Page Configuring Switch-Based Authentication Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Page Disabling Password Recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Page TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Establishing a Session with a Router if the AAA Server is Unreachable Displaying the TACACS+ Configuration Controlling Switch Access with RADIUS Understanding RADIUS Page RADIUS Operation RADIUS Change of Authorization Overview Change-of-Authorization Requests RFC 5176 Compliance Preconditions CoA Request Response Code Session Identification CoA ACK Response Code CoA NAK Response Code CoA Request Commands Session Reauthentication Session Reauthentication in a Switch Stack Session Termination CoA Disconnect-Request CoA Request: Disable Host Port CoA Request: Bounce-Port Stacking Guidelines for Session Termination Stacking Guidelines for CoA-Request Bounce-Port Stacking Guidelines for CoA-Request Disable-Port Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Establishing a Session with a Router if the AAA Server is Unreachable Configuring Settings for All RADIUS Servers Configuring the Switch to Use Vendor-Specific RADIUS Attributes Page Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Configuring CoA on the Switch Monitoring and Troubleshooting CoA Functionality Configuring RADIUS Server Load Balancing Displaying the RADIUS Configuration Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Secure Shell Understanding SSH SSH Servers, Integrated Clients, and Supported Versions Limitations Configuring SSH Setting Up the Switch to Run SSH Configuring the SSH Server Displaying the SSH Configuration and Status Configuring the Switch for Secure Socket Layer HTTP Understanding Secure HTTP Servers and Clients Certificate Authority Trustpoints Page CipherSuites Configuring Secure HTTP Servers and Clients Default SSL Configuration SSL Configuration Guidelines Configuring a CA Trustpoint Configuring the Secure HTTP Server Configuring the Secure HTTP Client Displaying Secure HTTP Server and Client Status Configuring the Switch for Secure Copy Protocol Information About Secure Copy Page Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Page Device Roles Authentication Process 10-5 Figure 10-2 shows the authentication process. Figure 10-2 Authentication Flowchart The switch re-authenticates a client when one of these situations occurs: Authentication Initiation and Message Exchange Page Authentication Manager Port-Based Authentication Methods Per-User ACLs and Filter-Ids Authentication Manager CLI Commands Ports in Authorized and Unauthorized States 802.1x Authentication and Switch Stacks 802.1x Host Mode Multidomain Authentication Page 802.1x Multiple Authentication Mode MAC Move MAC Replace 802.1x Accounting 802.1x Accounting Attribute-Value Pairs 802.1x Readiness Check 802.1x Authentication with VLAN Assignment Using 802.1x Authentication with Per-User ACLs 802.1x Authentication with Downloadable ACLs and Redirect URLs Page Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs VLAN ID-based MAC Authentication 802.1x Authentication with Guest VLAN 802.1x Authentication with Restricted VLAN 802.1x Authentication with Inaccessible Authentication Bypass Support on Multiple-Authentication Ports Authentication Results Feature Interactions 802.1x Authentication with Voice VLAN Ports 802.1x Authentication with Port Security 802.1x Authentication with Wake-on-LAN 802.1x Authentication with MAC Authentication Bypass 802.1x User Distribution 802.1x User Distribution Configuration Guidelines Network Admission Control Layer 2 802.1x Validation Flexible Authentication Ordering Open1x Authentication Using Voice Aware 802.1x Security 802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) Guidelines 4 1 2 3 5 Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute Common Session ID Configuring 802.1x Authentication Default 802.1x Authentication Configuration 802.1x Authentication Configuration Guidelines 802.1x Authentication VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass MAC Authentication Bypass Maximum Number of Allowed Devices Per Port Configuring 802.1x Readiness Check Configuring Voice Aware 802.1x Security Page Configuring 802.1x Violation Modes Configuring 802.1x Authentication Configuring the Switch-to-RADIUS-Server Communication Configuring the Host Mode Page Configuring Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Setting the Re-Authentication Number Enabling MAC Move Enabling MAC Replace Configuring 802.1x Accounting Configuring a Guest VLAN Configuring a Restricted VLAN Page Configuring the Inaccessible Authentication Bypass Feature Page Page Configuring 802.1x Authentication with WoL Configuring MAC Authentication Bypass Configuring 802.1x User Distribution Configuring NAC Layer 2 802.1x Validation Configuring an Authenticator and a Supplicant Switch with NEAT Configuring NEAT with Auto Smartports Macros Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs Configuring Downloadable ACLs Configuring a Downloadable Policy Page Configuring VLAN ID-based MAC Authentication Configuring Flexible Authentication Ordering Configuring Open1x Disabling 802.1x Authentication on the Port Resetting the 802.1x Authentication Configuration to the Default Values Displaying 802.1x Statistics and Status Page Configuring Web-Based Authentication Understanding Web-Based Authentication Device Roles Host Detection Session Creation Authentication Process Local Web Authentication Banner Page Web Authentication Customizable Web Pages Guidelines Web-based Authentication Interactions with Other Features Port Security LAN Port IP Gateway IP ACLs Context-Based Access Control 802.1x Authentication Configuring Web-Based Authentication Default Web-Based Authentication Configuration Web-Based Authentication Configuration Guidelines and Restrictions Web-Based Authentication Configuration Task List Configuring the Authentication Rule and Interfaces Configuring AAA Authentication Configuring Switch-to-RADIUS-Server Communication Page Configuring the HTTP Server Customizing the Authentication Proxy Web Pages Page Specifying a Redirection URL for Successful Login Configuring an AAA Fail Policy Configuring the Web-Based Authentication Parameters Configuring a Web Authentication Local Banner Removing Web-Based Authentication Cache Entries Displaying Web-Based Authentication Status Page Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs Switch Ports Access Ports Trunk Ports Switch Virtual Interfaces EtherChannel Port Groups Dual-Purpose Uplink Ports Power over Ethernet Ports Supported Protocols and Standards Powered-Device Detection and Initial Power Allocation Power Management Modes Power Monitoring and Power Policing Maximum Power Allocation (Cutoff Power) on a PoE Port Page Connecting Interfaces Using the Switch USB Ports (Catalyst 2960-S Switches Only) USB Mini-Type B Console Port Console Port Change Logs Configuring the Console Media Type Configuring the USB Inactivity Timeout USB Type A Port 12-15 This is sample output from the show usb port command: Using Interface Configuration Mode The switch supports these interface types: Procedures for Configuring Interfaces Configuring a Range of Interfaces Page Configuring and Using Interface Range Macros Using the Ethernet Management Port (Catalyst 2960-S Only) Understanding the Ethernet Management Port Supported Features on the Ethernet Management Port Configuring the Ethernet Management Port TFTP and the Ethernet Management Port Configuring Ethernet Interfaces Default Ethernet Interface Configuration Page Setting the Type of a Dual-Purpose Uplink Port Configuring Interface Speed and Duplex Mode Speed and Duplex Configuration Guidelines Setting the Interface Speed and Duplex Parameters Configuring IEEE 802.3x Flow Control Configuring Auto-MDIX on an Interface Configuring a Power Management Mode on a PoE Port Budgeting Power for Devices Connected to a PoE Port Page Configuring Power Policing Adding a Description for an Interface Configuring Layer 3 SVIs Configuring the System MTU Monitoring and Maintaining the Interfaces Monitoring Interface Status Clearing and Resetting Interfaces and Counters Shutting Down and Restarting the Interface Page Configuring VLANs Understanding VLANs Supported VLANs VLAN Port Membership Modes Configuring Normal-Range VLANs Token Ring VLANs Normal-Range VLAN Configuration Guidelines Configuring Normal-Range VLANs Default Ethernet VLAN Configuration Creating or Modifying an Ethernet VLAN Deleting a VLAN Assigning Static-Access Ports to a VLAN Configuring Extended-Range VLANs Default VLAN Configuration Extended-Range VLAN Configuration Guidelines Creating an Extended-Range VLAN Page Displaying VLANs Configuring VLAN Trunks Trunking Overview IEEE 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface VLAN Configuration Configuring an Ethernet Interface as a Trunk Port Interaction with Other Features Configuring a Trunk Port Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Configuring Trunk Ports for Load Sharing Load Sharing Using STP Port Priorities Page Load Sharing Using STP Path Cost Configuring VMPS Understanding VMPS Dynamic-Access Port VLAN Membership Default VMPS Client Configuration VMPS Configuration Guidelines Configuring the VMPS Client Entering the IP Address of the VMPS Configuring Dynamic-Access Ports on VMPS Clients Reconfirming VLAN Memberships Changing the Reconfirmation Interval Changing the Retry Count Monitoring the VMPS Troubleshooting Dynamic-Access Port VLAN Membership VMPS Configuration Example 13-29 Figure 13-4 Dynamic Port VLAN Membership Configuration Page Configuring VTP Understanding VTP The VTP Domain VTP Modes VTP Advertisements VTP Version 2 VTP Version 3 VTP Pruning Page VTP and Switch Stacks Configuring VTP Default VTP Configuration VTP Configuration Guidelines Domain Names Passwords VTP Version Configuration Requirements Configuring VTP Mode Page Page Configuring a VTP Version 3 Password Configuring a VTP Version 3 Primary Server Enabling the VTP Version Enabling VTP Pruning Configuring VTP on a Per-Port Basis Adding a VTP Client Switch to a VTP Domain Monitoring VTP Configuring Voice VLAN Understanding Voice VLAN Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic Configuring Voice VLAN Default Voice VLAN Configuration Voice VLAN Configuration Guidelines Configuring a Port Connected to a Cisco 7960 IP Phone Configuring Cisco IP Phone Voice Traffic Configuring the Priority of Incoming Data Frames Page Page Configuring STP Understanding Spanning-Tree Features STP Overview Spanning-Tree Topology and BPDUs Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State How a Switch or Port Becomes the Root Switch or Root Port Spanning Tree and Redundant Connectivity Spanning-Tree Address Management Accelerated Aging to Retain Connectivity Spanning-Tree Modes and Protocols Supported Spanning-Tree Instances Spanning-Tree Interoperability and Backward Compatibility STP and IEEE 802.1Q Trunks Spanning Tree and Switch Stacks Configuring Spanning-Tree Features Default Spanning-Tree Configuration Spanning-Tree Configuration Guidelines Page Changing the Spanning-Tree Mode Disabling Spanning Tree Configuring the Root Switch Page Configuring a Secondary Root Switch Configuring Port Priority Page Configuring Path Cost Configuring the Switch Priority of a VLAN Configuring Spanning-Tree Timers Configuring the Hello Time Configuring the Forwarding-Delay Time for a VLAN Configuring the Maximum-Aging Time for a VLAN Configuring the Transmit Hold-Count Displaying the Spanning-Tree Status Configuring MSTP Understanding MSTP Multiple Spanning-Tree Regions IST, CIST, and CST Operations Within an MST Region Operations Between MST Regions IEEE 802.1s Terminology Hop Count Boundary Ports IEEE 802.1s Implementation Port Role Naming Change Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure MSTP and Switch Stacks Interoperability with IEEE 802.1D STP Understanding RSTP Port Roles and the Active Topology Rapid Convergence Synchronization of Port Roles Bridge Protocol Data Unit Format and Processing Processing Superior BPDU Information Processing Inferior BPDU Information Topology Changes Configuring MSTP Features Default MSTP Configuration MSTP Configuration Guidelines Specifying the MST Region Configuration and Enabling MSTP Page Configuring the Root Switch Configuring a Secondary Root Switch Configuring Port Priority Page Configuring Path Cost Configuring the Switch Priority Configuring the Hello Time Configuring the Forwarding-Delay Time Configuring the Maximum-Aging Time Configuring the Maximum-Hop Count Specifying the Link Type to Ensure Rapid Transitions Designating the Neighbor Type Restarting the Protocol Migration Process Displaying the MST Configuration and Status Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Understanding BPDU Guard Understanding BPDU Filtering Understanding UplinkFast Page Understanding Cross-Stack UplinkFast How CSUF Works Events that Cause Fast Convergence Understanding BackboneFast Page Page Understanding EtherChannel Guard Understanding Root Guard Understanding Loop Guard Configuring Optional Spanning-Tree Features Default Optional Spanning-Tree Configuration Optional Spanning-Tree Configuration Guidelines Enabling Port Fast Enabling BPDU Guard Enabling BPDU Filtering Enabling UplinkFast for Use with Redundant Links Enabling Cross-Stack UplinkFast Enabling BackboneFast Enabling EtherChannel Guard Enabling Root Guard Enabling Loop Guard Displaying the Spanning-Tree Status Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Flex Links VLAN Flex Link Load Balancing and Support Flex Link Multicast Fast Convergence Learning the Other Flex Link Port as the mrouter Port Generating IGMP Reports Leaking IGMP Reports Configuration Examples Page MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Default Configuration Configuring Flex Links Page Configuring VLAN Load Balancing on Flex Links Configuring the MAC Address-Table Move Update Feature Page Monitoring Flex Links and the MAC Address-Table Move Update Configuring DHCP Features and IP Source Guard Features Understanding DHCP Snooping DHCP Server DHCP Relay Agent DHCP Snooping Page Option-82 Data Insertion Page Circuit ID Suboption Frame Format Remote ID Suboption Frame Format DHCP Snooping Binding Database Circuit ID Suboption Frame Format (for user-configured string): Remote ID Suboption Frame Format (for user-configured string): DHCP Snooping and Switch Stacks Configuring DHCP Snooping Default DHCP Snooping Configuration DHCP Snooping Configuration Guidelines Page Configuring the DHCP Relay Agent Enabling DHCP Snooping and Option 82 Page Enabling the DHCP Snooping Binding Database Agent Displaying DHCP Snooping Information Understanding IP Source Guard Source IP Address Filtering Source IP and MAC Address Filtering IP Source Guard for Static Hosts Configuring IP Source Guard Default IP Source Guard Configuration IP Source Guard Configuration Guidelines Enabling IP Source Guard Configuring IP Source Guard for Static Hosts Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port Page 20-20 20-21 This example displays all active IP or MAC binding entries for all interfaces: This example displays the count of all IP device tracking host entries for all interfaces: Displaying IP Source Guard Information Understanding DHCP Server Port-Based Address Allocation Configuring DHCP Server Port-Based Address Allocation Default Port-Based Address Allocation Configuration Port-Based Address Allocation Configuration Guidelines Enabling DHCP Server Port-Based Address Allocation Page Displaying DHCP Server Port-Based Address Allocation Page Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Page Interface Trust States and Network Security Rate Limiting of ARP Packets Relative Priority of ARP ACLs and DHCP Snooping Entries Logging of Dropped Packets Configuring Dynamic ARP Inspection Default Dynamic ARP Inspection Configuration Dynamic ARP Inspection Configuration Guidelines Configuring Dynamic ARP Inspection in DHCP Environments Page Configuring ARP ACLs for Non-DHCP Environments Page Limiting the Rate of Incoming ARP Packets Performing Validation Checks Configuring the Log Buffer Page Displaying Dynamic ARP Inspection Information Page Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions Joining a Multicast Group Page Leaving a Multicast Group Immediate Leave IGMP Configurable-Leave Timer IGMP Report Suppression IGMP Snooping and Switch Stacks Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling or Disabling IGMP Snooping Setting the Snooping Method Configuring a Multicast Router Port Configuring a Host Statically to Join a Group Enabling IGMP Immediate Leave Configuring the IGMP Leave Timer Configuring TCN-Related Commands Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode Disabling Multicast Flooding During a TCN Event Configuring the IGMP Snooping Querier Disabling IGMP Report Suppression Displaying IGMP Snooping Information Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application Configuring MVR Default MVR Configuration MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters Configuring MVR Interfaces Page Displaying MVR Information Configuring IGMP Filtering and Throttling Default IGMP Filtering and Throttling Configuration Configuring IGMP Profiles Applying IGMP Profiles Setting the Maximum Number of IGMP Groups Configuring the IGMP Throttling Action Displaying IGMP Filtering and Throttling Configuration Configuring Port-Based Traffic Control Configuring Storm Control Understanding Storm Control Page Default Storm Control Configuration Configuring Storm Control and Threshold Levels Page Configuring Small-Frame Arrival Rate Configuring Protected Ports Default Protected Port Configuration Protected Port Configuration Guidelines Configuring a Protected Port Configuring Port Blocking Default Port Blocking Configuration Blocking Flooded Traffic on an Interface Configuring Port Security Understanding Port Security Secure MAC Addresses Security Violations Default Port Security Configuration Port Security Configuration Guidelines Page Enabling and Configuring Port Security Page Page Page Enabling and Configuring Port Security Aging Port Security and Switch Stacks Displaying Port-Based Traffic Control Settings Page Page Configuring UDLD Understanding UDLD Modes of Operation Methods to Detect Unidirectional Links Page Configuring UDLD Default UDLD Configuration Enabling UDLD Globally Enabling UDLD on an Interface Resetting an Interface Disabled by UDLD Displaying UDLD Status Page Configuring CDP Understanding CDP CDP and Switch Stacks Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page Configuring LLDP, LLDP-MED, and Wired Location Service Understanding LLDP, LLDP-MED, and Wired Location Service LLDP LLDP-MED Wired Location Service Page Configuring LLDP, LLDP-MED, and Wired Location Service Default LLDP Configuration Enabling LLDP Configuring LLDP Characteristics Configuring LLDP-MED TLVs Configuring Network-Policy TLV Configuring Location TLV and Wired Location Service Page Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service Page Configuring SPAN and RSPAN Understanding SPAN and RSPAN Local SPAN Remote SPAN SPAN and RSPAN Concepts and Terminology SPAN Sessions Monitored Traffic Source Ports Source VLANs VLAN Filtering Destination Port RSPAN VLAN SPAN and RSPAN Interaction with Other Features SPAN and RSPAN and Switch Stacks Configuring SPAN and RSPAN Default SPAN and RSPAN Configuration Configuring Local SPAN SPAN Configuration Guidelines Creating a Local SPAN Session Page Creating a Local SPAN Session and Configuring Incoming Traffic Page Specifying VLANs to Filter Configuring RSPAN RSPAN Configuration Guidelines Configuring a VLAN as an RSPAN VLAN Creating an RSPAN Source Session Creating an RSPAN Destination Session Creating an RSPAN Destination Session and Configuring Incoming Traffic Page Specifying VLANs to Filter Displaying SPAN and RSPAN Status Configuring RMON Understanding RMON Configuring RMON Default RMON Configuration Configuring RMON Alarms and Events Page Collecting Group History Statistics on an Interface Collecting Group Ethernet Statistics on an Interface Displaying RMON Status Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Page Default System Message Logging Configuration Disabling Message Logging Setting the Message Display Destination Device Synchronizing Log Messages Page Enabling and Disabling Time Stamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Enabling the Configuration-Change Logger Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables SNMP Notifications SNMP ifIndex MIB Object Values Configuring SNMP Default SNMP Configuration SNMP Configuration Guidelines Disabling the SNMP Agent Configuring Community Strings Configuring SNMP Groups and Users Page Page Configuring SNMP Notifications Page Page Setting the CPU Threshold Notification Types and Values Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP SNMP Examples Displaying SNMP Status Configuring Network Security with ACLs Understanding ACLs Supported ACLs Port ACLs Router ACLs Handling Fragmented and Unfragmented Traffic ACLs and Switch Stacks Configuring IPv4 ACLs Creating Standard and Extended IPv4 ACLs Access List Numbers Creating a Numbered Standard ACL Creating a Numbered Extended ACL Page Page Page Resequencing ACEs in an ACL Creating Named Standard and Extended ACLs Page Using Time Ranges with ACLs Including Comments in ACLs Applying an IPv4 ACL to a Terminal Line Applying an IPv4 ACL to an Interface Hardware and Software Treatment of IP ACLs Troubleshooting ACLs IPv4 ACL Configuration Examples Numbered ACLs Extended ACLs Named ACLs Time Range Applied to an IP ACL Commented IP ACL Entries Creating Named MAC Extended ACLs Applying a MAC ACL to a Layer 2 Interface Displaying IPv4 ACL Configuration Page Page Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Using Cisco IOS IP SLAs to Measure Network Performance IP SLAs Responder and IP SLAs Control Protocol Response Time Computation for IP SLAs Configuring IP SLAs Operations Default Configuration Configuring the IP SLAs Responder Monitoring IP SLAs Operations Configuring QoS Understanding QoS Page Basic QoS Model Classification Page 33-7 Figure 33-3 Classification Flowchart Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Policing on Physical Ports Mapping Tables Queueing and Scheduling Overview Weighted Tail Drop SRR Shaping and Sharing 33-15 Queueing and Scheduling on Ingress Queues Figure 33-7 shows the queueing and scheduling flowchart for ingress ports. Figure 33-7 Queueing and Scheduling Flowchart for Ingress Ports WTD Thresholds Buffer and Bandwidth Allocation Priority Queueing Queueing and Scheduling on Egress Queues Page Buffer and Memory Allocation WTD Thresholds Shaped or Shared Mode Packet Modification Configuring Auto-QoS Generated Auto-QoS Configuration VOIP Device Specifics Enhanced Auto-QoS for Video, Trust, and Classification Auto-QoS Configuration Migration Global Auto-QoS Configuration 33-26 The switch automatically maps DSCP values to an ingress queue and to a threshold ID. Note Catalyst 2960-S switches do not support ingress queueing. Table 33-5 Generated Auto-QoS Configuration (continued) 33-27 The switch automatically maps DSCP values to an egress queue and to a threshold ID. Table 33-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command {voip} Enhanced Automatically Generated Command{Video|Trust|Classify} Auto-QoS Generated Configuration For VoIP Devices Auto-QoS Generated Configuration For Enhanced Video, Trust, and Classify Devices 33-30 33-31 This is the enhanced configuration for the auto qos voip cisco-phone command: This is the enhanced configuration for the auto qos voip cisco-softphone command: Effects of Auto-QoS on the Configuration Auto-QoS Configuration Guidelines Auto-QoS Enhanced Considerations Enabling Auto-QoS Troubleshooting Auto QoS Commands Displaying Auto-QoS Information Configuring Standard QoS Default Standard QoS Configuration Default Ingress Queue Configuration Default Egress Queue Configuration Default Mapping Table Configuration Standard QoS Configuration Guidelines QoS ACL Guidelines Policing Guidelines General QoS Guidelines Enabling QoS Globally Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain Page Configuring the CoS Value for an Interface Configuring a Trusted Boundary to Ensure Port Security Enabling DSCP Transparency Mode Configuring the DSCP Trust State on a Port Bordering Another QoS Domain Page Configuring a QoS Policy Classifying Traffic by Using ACLs Page Page Classifying Traffic by Using Class Maps Page Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps Page Page Page 33-57 This example shows how to configure default traffic class to a policy map: 33-58 Classifying, Policing, and Marking Traffic by Using Aggregate Policers Note To use policing and marking, the switch must be running the LAN Base image. Page Page Configuring DSCP Maps Configuring the CoS-to-DSCP Map Configuring the IP-Precedence-to-DSCP Map Configuring the Policed-DSCP Map Configuring the DSCP-to-CoS Map Configuring the DSCP-to-DSCP-Mutation Map Page Configuring Ingress Queue Characteristics Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds Page Allocating Buffer Space Between the Ingress Queues Allocating Bandwidth Between the Ingress Queues Configuring the Ingress Priority Queue Configuring Egress Queue Characteristics Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set Page Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID Page Configuring SRR Shaped Weights on Egress Queues Configuring SRR Shared Weights on Egress Queues Configuring the Egress Expedite Queue Limiting the Bandwidth on an Egress Interface Displaying Standard QoS Information Page Configuring Static IP Unicast Routing Understanding IP Routing Types of Routing IP Routing and Switch Stacks Steps for Configuring Routing Enabling IP Unicast Routing Assigning IP Addresses to SVIs Configuring Static Unicast Routes Monitoring and Maintaining the IP Network Page Configuring IPv6 Host Functions Understanding IPv6 IPv6 Addresses Supported IPv6 Host Features 128-Bit Wide Unicast Addresses DNS for IPv6 ICMPv6 Neighbor Discovery IPv6 Stateless Autoconfiguration and Duplicate Address Detection IPv6 Applications Dual IPv4 and IPv6 Protocol Stacks SNMP and Syslog Over IPv6 HTTP(S) Over IPv6 IPv6 and Switch Stacks Configuring IPv6 Default IPv6 Configuration Configuring IPv6 Addressing and Enabling IPv6 Host Page Configuring IPv6 ICMP Rate Limiting Configuring Static Routes for IPv6 Displaying IPv6 Page 35-13 This is an example of the output from the show ipv6 neighbor privileged EXEC command: This is an example of the output from the show ipv6 route privileged EXEC command: This is an example of the output from the show ipv6 traffic privileged EXEC command. Page Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD Messages MLD Queries Multicast Client Aging Robustness Multicast Router Discovery MLD Reports MLD Done Messages and Immediate-Leave Topology Change Notification Processing MLD Snooping in Switch Stacks Configuring IPv6 MLD Snooping Default MLD Snooping Configuration MLD Snooping Configuration Guidelines Enabling or Disabling MLD Snooping Configuring a Static Multicast Group Configuring a Multicast Router Port Enabling MLD Immediate Leave Configuring MLD Snooping Queries Disabling MLD Listener Message Suppression Displaying MLD Snooping Information Configuring EtherChannels and Link-State Tracking Understanding EtherChannels EtherChannel Overview Page Port-Channel Interfaces Port Aggregation Protocol PAgP Modes PAgP Interaction with Virtual Switches and Dual-Active Detection PAgP Interaction with Other Features Link Aggregation Control Protocol LACP Modes LACP Interaction with Other Features EtherChannel On Mode Load Balancing and Forwarding Methods Page EtherChannel and Switch Stacks Configuring EtherChannels Default EtherChannel Configuration EtherChannel Configuration Guidelines Configuring Layer 2 EtherChannels Page Configuring EtherChannel Load Balancing Configuring the PAgP Learn Method and Priority Page Configuring LACP Hot-Standby Ports Configuring the LACP System Priority Configuring the LACP Port Priority Displaying EtherChannel, PAgP, and LACP Status Understanding Link-State Tracking Page 37-22 Figure 37-6 Typical Link-State Tracking Configuration Configuring Link-State Tracking Default Link-State Tracking Configuration Link-State Tracking Configuration Guidelines Configuring Link-State Tracking Displaying Link-State Tracking Status Troubleshooting Recovering from a Software Failure Recovering from a Lost or Forgotten Password Procedure with Password Recovery Enabled Page Procedure with Password Recovery Disabled Page Preventing Switch Stack Problems Recovering from a Command Switch Failure Replacing a Failed Command Switch with a Cluster Member Page Replacing a Failed Command Switch with Another Switch Recovering from Lost Cluster Member Connectivity Preventing Autonegotiation Mismatches Troubleshooting Power over Ethernet Switch Ports Disabled Port Caused by Power Loss Disabled Port Caused by False Link Up SFP Module Security and Identification Monitoring SFP Module Status Using Ping Understanding Ping Executing Ping Using Layer 2 Traceroute Understanding Layer 2 Traceroute Usage Guidelines Displaying the Physical Path Using IP Traceroute Understanding IP Traceroute Executing IP Traceroute Using TDR Understanding TDR Running TDR and Displaying the Results Using Debug Commands Enabling Debugging on a Specific Feature Enabling All-System Diagnostics Redirecting Debug and Error Message Output Using the show platform forward Command Using the crashinfo Files Basic crashinfo Files Extended crashinfo Files Using On-Board Failure Logging Understanding OBFL Configuring OBFL Displaying OBFL Information Memory Consistency Check Routines Displaying TCAM Memory Consistency Check Errors Troubleshooting Tables Troubleshooting CPU Utilization Possible Symptoms of High CPU Utilization Verifying the Problem and Cause Troubleshooting Power over Ethernet (PoE) Page Page Troubleshooting Switch Stacks Page Page Configuring Online Diagnostics Understanding How Online Diagnostics Work Scheduling Online Diagnostics Configuring Health-Monitoring Diagnostics Running Online Diagnostic Tests Starting Online Diagnostic Tests Displaying Online Diagnostic Tests and Test Results 39-5 This example sh ows how to display the online diagnostics that are configured on a switch: This example shows how to display the online diagnostic resu lts for a switch: This exampl e shows how to display the online diagnos tic test status: Table 39-1 show diagnostic Commands 39-6 This example shows how to display the online diagnostic test schedule for a switch: A Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location n Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using TFTP Preparing to Download or Upload a Configuration File B y Using TFTP Downloading the Configuration File By Using TFTP Uploading the Configuration File By Using TFTP Copying Configuration Files By Using FTP Preparing to Download or Upload a Configuration File By Using FTP Downloading a Configuration File By Using FTP Page Uploading a Configuration File By Using FTP Copying Configuration Files By Using RCP Preparing to Download or Upload a Configuration File By Using RCP Downloading a Configuration File By Using RCP Uploading a Configuration File By Using RCP Clearing Configuration Information Clearing the Startup Configuration File Deleting a Stored Configuration File Replacing and Rolling Back Configurations Understanding Configuration Replacement and Rollback Archiving a Configuration Replacing a Configuration Rolling Back a Configuration Configuring the Configuration Archive Performing a Configuration Replacement or Rollback Operation Working with Software Images Image Location on the Switch tar File Format of Images on a Server or Cisco.com Copying Image Files By Using TFTP Preparing to Download or Upload an Image File By Using TFTP Downloading an Image File By Using TFTP Page Uploading an Image File By Using TFTP Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP Page Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP Page Uploading an Image File By Using RCP Copying an Image File from One Stack Member to Another Page B Supported MIBs MIB List Page Page Using FTP to Access the MIB Files C Unsupported Commands in Cisco IOS Release 12.2(55)SE Access Control Lists Boot Loader Commands Debug Commands IGMP Snooping Commands Interface Commands Unsupported Interface Configuration Commands MAC Address Commands Miscellaneous Network Address Translation (NAT) Commands QoS Unsupported Interface Configuration Commands Unsupported Policy-Map Configuration Command RADIUS SNMP SNMPv3 Spanning Tree VLAN Unsupported VLAN Database Commands VTP Page A Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch Configuration Compatibility Issues Page Page Page Feature Behavior Incompatibilities Page INDEX A Page B C Page Page D Page Page Page E F G H I Page Page J L M Page Page Page N O P Page Page Q Page R Page Page S Page Page Page Page Page T Page U V Page W