Home » Cisco Manuals » Hubs & Switches » Cisco WS-C2980G-A » Manual Viewer

Cisco WS-C2980G-A Software Guide - Page 480

Disabling Credentials Forwarding, set kerberos credentials forward, set kerberos clients mandatory

UPC - 746320423555

Add to My Manuals
Save this manual to your list of manuals

Page 480 highlights

Configuring Authentication Chapter 30 Configuring Switch Access Using AAA As an additional layer of security, you can configure the switch so that after users authenticate to it, these users can authenticate only to other services on the network with Kerberized clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password. To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm, perform this task in privileged mode: Step 1 Step 2 Task Enable all clients to forward user credentials upon successful Kerberos authentication. (Optional) Configure Telnet to fail if clients cannot authenticate to the remote server. Command set kerberos credentials forward set kerberos clients mandatory This example shows how to configure clients to forward user credentials and verify the configuration: Console> (enable) set kerberos credentials forward Kerberos credentials forwarding enabled Console> (enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM, Server:187.0.2.1, Port:750 Realm:CISCO.COM, Server:187.20.2.1, Port:750 Kerberos DomainRealm entries: Domain:cisco.com, Realm:CISCO.COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/[email protected] 0 933974942 1 1 8 00?91:107:423=:;9 Console> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console> (enable) set kerberos clients mandatory Kerberos clients set to mandatory Console> (enable) Disabling Credentials Forwarding To disable the credentials forwarding configuration, perform this task in privileged mode: Task Command Disable the credentials forwarding configuration. clear kerberos credentials forward 30-36 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01

Section	Page
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide	1
Contents	3
Preface	23
Audience	23
Organization	23
Related Documentation	25
Conventions	26
Obtaining Documentation	27
Cisco.com	27
Documentation CD-ROM	27
Ordering Documentation	27
Documentation Feedback	28
Obtaining Technical Assistance	28
Cisco.com	28
Technical Assistance Center	29
Obtaining Additional Publications and Information	30
Product Overview	31
Catalyst 4000 Series Switches	31
Catalyst 2948G Switch	32
Catalyst 2980G Switch	33
Supervisor Engine Software	33
Using the Command-Line Interface	35
Switch CLI Overview	35
Accessing the Switch CLI	36
Accessing the CLI Through the Console Port	36
Accessing the CLI Through Telnet	37
Switch CLI Command Modes	37
Accessing Help	38
Command-Line Editing	39
History Substitution	40
Abbreviating a Command	40
Completing a Partial Command	40
Scrolling Through Command Output	40
Using Command Aliases	41
Specifying Modules, Ports, and VLANs	41
Specifying MAC Addresses	42
Specifying IP Addresses, Host Names, and IP Aliases	42
ROM Monitor CLI	43
Example of a Catalyst4003 Bootup Display	43
Configuring the Switch IP Address and Default Gateway	45
Understanding How the Switch Management Interfaces Work	45
Understanding How Automatic IP Configuration Works	46
Automatic IP Configuration Overview	46
Understanding DHCP	47
Understanding RARP	48
Preparing to Configure the IP Address and Default Gateway	48
Default IP Address and Default Gateway Configuration	49
Setting the In-Band (sc0) Interface IP Address	49
Setting the Management Ethernet (me1) Interface IP Address	50
Configuring Default Gateways	50
Configuring the SLIP (sl0) Interface on the Console Port	52
Using DHCP or RARP to Obtain an IP Address Configuration	53
Renewing and Releasing a DHCP-Assigned IP Address	54
Configuring Ethernet and Fast Ethernet Switching	57
Understanding How Ethernet Works	57
Ethernet Overview	57
Switching Frames Between Segments	58
Building the Address Table	58
Default Ethernet and Fast Ethernet Configurations	58
Configuring Ethernet and Fast Ethernet Ports	59
Setting Ethernet and Fast Ethernet Port Names	59
Setting Ethernet and Fast Ethernet Port Priority Levels	60
Setting Ethernet and Fast Ethernet Port Speeds	60
Setting Ethernet and Fast Ethernet Port Duplex Modes	61
Setting Ethernet and Fast Ethernet Port Debounce Timers	62
Configuring errdisable State Ethernet and Fast Ethernet Port Timeout Periods	63
Checking Ethernet and Fast Ethernet Port Connectivity	64
Configuring Gigabit Ethernet Switching	65
Understanding How Gigabit Ethernet Works	65
Understanding How Gigabit Ethernet Flow Control Works	65
Understanding How Port Negotiation Works	67
Understanding How Oversubscribed Gigabit Ethernet Works	67
Default Gigabit Ethernet Configuration	70
Configuring Gigabit Ethernet Ports	71
Assigning Gigabit Ethernet Port Names	71
Configuring Gigabit Ethernet Port Priority Levels	71
Configuring Flow Control on Gigabit Ethernet Ports	72
Enabling Port Negotiation on Gigabit Ethernet Ports	73
Disabling Port Negotiation	73
Configuring errdisable State Gigabit Ethernet Port Timeout Periods	73
Checking Gigabit Ethernet Port Connectivity	74
Configuring Fast EtherChannel and Gigabit EtherChannel	75
Understanding How EtherChannel Works	75
EtherChannel Overview	76
Understanding Frame Distribution	76
Hardware Support for EtherChannel	76
PAgP and LACP	76
EtherChannel Configuration Guidelines and Restrictions	77
Guidelines for Configuring a Port	77
Guidelines for Configuring VLANs and Trunks	78
EtherChannel Interaction with other Features	78
Understanding the PAgP	79
PAgP Modes	79
Understanding Administrative Groups and EtherChannel IDs	80
Configuring EtherChannel Using PAgP	80
Creating an EtherChannel	81
Defining an EtherChannel Administrative Group	81
Setting the EtherChannel Spanning Tree Port Cost	82
Setting the EtherChannel Spanning Tree Port VLAN Cost	83
Removing an EtherChannel Bundle	83
Displaying EtherChannel Configuration Information	84
Displaying EtherChannel Traffic Statistics	85
Displaying EtherChannel PAgP Statistics	86
EtherChannel Configuration Examples	86
Configuration Example of a Four-Port Fast EtherChannel	86
Configuration Example of Two-Port Gigabit EtherChannel	88
Understanding the LACP	90
LACP Modes	90
LACP Parameters	91
Configuring EtherChannel Using LACP	92
Specifying the EtherChannel Protocol	92
Specifying the System Priority	93
Specifying the Port Priority	93
Specifying an Administrative Key Value	93
Changing the Channel Mode	94
Specifying the Channel Path Cost	95
Specifying the Channel VLAN Cost	95
Clearing LACP Statistics	95
Displaying EtherChannel Traffic Utilization	95
Disabling an EtherChannel	96
Displaying Spanning Tree-Related Information for EtherChannels	96
Configuring Spanning Tree	97
Understanding How STPs Work	98
Understanding How a Topology Is Created	98
Understanding How a Switch or Port Becomes the Root Switch or Root Port	99
Understanding BPDUs	100
Calculating and Assigning Port Costs	100
Understanding Spanning Tree Port States	101
Understanding How PVST+ and MISTP Modes Work	107
PVST+ Mode	108
Rapid PVST+	108
MISTP Mode	108
MISTP-PVST+ Mode	109
Understanding How Bridge Identifiers Work	109
MAC Address Allocation	109
MAC Address Reduction	109
Understanding How MST Works	110
Rapid Spanning Tree Protocol	112
MST-to-SST Interoperability	113
Common Spanning Tree	114
MST Instances	114
MST Configuration	114
MST Region	115
Message Age and Hop Count	117
MST-to-PVST+ Interoperability	117
Understanding How BPDU Skewing Works	118
Using PVST+	118
Default PVST+ Configuration	119
Setting the PVST+ Bridge ID Priority	119
Configuring the PVST+ Port Cost	121
Configuring PVST+ Port Priority	121
Configuring the PVST+ Default Port Cost Mode	122
Configuring the PVST+ Port VLAN Cost	122
Configuring the PVST+ Port VLAN Priority	123
Disabling the PVST+ Mode on a VLAN	124
Using Rapid PVST+	124
Using MISTP-PVST+ or MISTP	126
Default MISTP Mode Configuration	126
Setting the MISTP-PVST+ Mode or MISTP Mode	127
Configuring the MISTP Bridge ID Priority	128
Enabling an MISTP Instance	132
Mapping VLANs to an MISTP Instance	132
Disabling MISTP-PVST+ or MISTP	135
Configuring a Root Switch	135
Configuring a Primary Root Switch	135
Configuring a Secondary Root Switch	136
Configuring a Root Switch to Improve Convergence	137
Using Root Guard—Preventing Switches from Becoming Root	139
Displaying Spanning Tree BPDU Statistics	139
Configuring Spanning Tree Timers	140
Configuring the Hello Time	140
Configuring the Forward Delay Time	141
Configuring the Maximum Aging Time	141
Configuring MST	142
Enabling MST	142
Mapping and Unmapping VLANs to an MST Instance	150
Configuring Spanning Tree BPDU Skewing	153
Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop G...	157
Understanding How PortFast Works	157
Understanding How PortFast BPDU Guard Works	158
Understanding How PortFast BPDU Filtering Works	158
Understanding How UplinkFast Works	159
Understanding How BackboneFast Works	160
Understanding How Loop Guard Works	162
Configuring PortFast	164
Enabling PortFast on an Access Port	164
Enabling PortFast on a Trunk Port	165
Disabling PortFast	166
Resetting PortFast	167
Configuring PortFast BPDU Guard	167
Enabling PortFast BPDU Guard	167
Disabling PortFast BPDU Guard	168
Configuring PortFast BPDU Filtering	169
Enabling PortFast BPDU Filtering	169
Disabling PortFast BPDU Filtering	170
Configuring UplinkFast	171
Enabling UplinkFast	171
Disabling UplinkFast	172
Configuring BackboneFast	173
Enabling BackboneFast	173
Displaying BackboneFast Statistics	173
Disabling BackboneFast	174
Configuring Loop Guard	174
Enabling Loop Guard	174
Disabling Loop Guard	175
Configuring VTP	177
Understanding How VTP Version 1 and Version 2 Work	177
Understanding the VTP Domain	178
Understanding VTP Modes	178
Understanding VTP Advertisements	179
Understanding VTP Version 2	179
Understanding VTP Pruning	180
Default VTP Version 1 and Version 2 Configuration	181
VTP Version 1 and Version 2 Configuration Guidelines	182
Configuring VTP Version 1 and Version 2	182
Configuring a VTP Server	183
Configuring a VTP Client	183
Configuring VTP (VTP Transparent Mode)	184
Disabling VTP Using the Off Mode	185
Enabling VTP Version 2	185
Disabling VTP Version 2	186
Enabling VTP Pruning	187
Disabling VTP Pruning	188
Displaying VTP Statistics	188
Understanding How VTP Version 3 Works	189
VTP Version 3 Authentication	189
VTP Version 3 Per-Port Configuration	190
VTP Version 3 Domains, Modes, and Partitions	190
VTP Version 3 Modes	194
VTP Version 3 Databases	195
Default VTP Version 3 Configuration	198
Configuring VTP Version 3	198
Enabling VTP Version 3	198
Changing VTP Version 3 Modes	199
Configuring VTP Version 3 Passwords	203
Configuring a VTP Version 3 Takeover	204
Disabling VTP Version 3 on a Per-Port Basis	205
VTP Version 3 show Commands	205
Configuring VLANs	207
Understanding How VLANs Work	207
VLAN Ranges	209
Configurable VLAN Parameters	210
VLAN Default Configuration	210
VLAN Configuration Guidelines	211
Configuring VLANs on the Switch	212
Creating or Modifying an Ethernet VLAN	212
Creating or Modifying a Normal-Range Ethernet VLAN	213
Creating or Modifying an Extended-Range VLAN	215
Assigning Switch Ports to a VLAN	216
Mapping 802.1Q VLANs to ISL VLANs	217
Clearing 802.1Q-to-ISL VLAN Mappings	218
Deleting a VLAN	218
Configuring Auxiliary VLANs	219
Understanding Auxiliary VLANs	219
Configuring Private VLANs	222
Private VLAN Configuration Guidelines	223
Creating a Private VLAN	225
Viewing the Port Capability of a Private VLAN Port	228
Deleting a Private VLAN	228
Deleting an Isolated or Community VLAN	229
Deleting a Private VLAN Mapping	229
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports	231
Understanding How VLAN Trunks Work	231
Trunking Overview	231
Trunking Modes and Encapsulation Types	232
Trunking Support	233
802.1Q Trunk Restrictions	234
Default Trunk Configuration	235
Configuring a Trunk Link	235
Configuring an 802.1Q Trunk	235
Defining the Allowed VLANs on a Trunk	236
Disabling a Trunk Port	237
Disabling VLAN 1 on a Trunk Link	238
Example VLAN Trunk Configurations	239
802.1Q Trunk over a Gigabit EtherChannel Link Example	239
Load-Sharing VLAN Traffic over Parallel Trunks Example	243
802.1Q Nonegotiate Trunk Configuration Example	249
Configuring Dynamic VLAN Membership with VMPS	253
Understanding How VMPS Works	253
VMPS and Dynamic Port Hardware and Software Requirements	254
Default VMPS and Dynamic Port Configuration	255
Configuration Guidelines for Dynamic Ports and VMPS	255
Configuring VMPS	256
Creating the VMPS Database	256
Configuring the VMPS Server	259
Configuring VMPS Clients	260
Monitoring VMPS	261
Maintaining VMPS	261
Configuring Static Ports	262
Troubleshooting VMPS and Dynamic Port VLAN Membership	263
Troubleshooting VMPS	263
Troubleshooting Dynamic Ports	263
VMPS Example	264
Dynamic Port VLAN Membership with Auxiliary VLANs	266
Configuration Guidelines	267
Configuring Dynamic Port VLAN Membership with Auxiliary VLANs	267
Configuring GVRP	269
Understanding How GVRP Works	269
GVRP Hardware and Software Requirements	269
Default GVRP Configuration	270
GVRP Configuration Guidelines	270
Configuring GVRP on the Switch	270
Enabling GVRP Globally	270
Enabling GVRP on Individual 802.1Q Trunk Ports	271
Enabling GVRP Dynamic VLAN Creation	272
Configuring GVRP Registration	272
Sending GVRP VLAN Declarations from Blocking Ports	274
Setting the GARP Timers	274
Displaying GVRP Statistics	275
Clearing GVRP Statistics	276
Disabling GVRP on Individual 802.1Q Trunk Ports	276
Disabling GVRP Globally	276
Configuring QoS	277
Understanding How QoS Works	277
QoS Overview	277
Understanding QoS Terminology	278
Understanding Classification and Marking at the Ingress Port	279
Understanding Scheduling	279
Software Requirements	280
QoS Default Configuration	280
Configuring QoS on the Switch	280
Enabling QoS Globally	281
Configuring the Default CoS Value for the Switch	281
Reverting to the Default Switch CoS Value	281
Mapping CoS Values to Transmit Queues and Drop Thresholds	282
Reverting to the Default CoS-to-Transmit Queue and Drop Threshold Mapping	282
Displaying QoS Information	283
Reverting to QoS Defaults	283
Disabling QoS	283
Configuring Multicast Services	285
Understanding How Multicasting Works	285
Understanding Multicasting and Multicast Services Operation	285
Joining a Multicast Group	286
Leaving a Multicast Group	286
Understanding GMRP Operation	287
Configuring CGMP	288
CGMP Hardware and Software Requirements	288
Default CGMP Configuration	288
Enabling CGMP	288
Enabling CGMP Leave Processing	289
Enabling CGMP Fast-Leave Processing	289
Displaying Multicast Router Information	290
Displaying Multicast Group Information	290
Displaying CGMP Statistics	291
Disabling CGMP Leave Processing	292
Disabling CGMP Fast-Leave Processing	292
Disabling CGMP	292
Configuring GMRP	293
GMRP Software Requirements	293
Default GMRP Configuration	293
Enabling GMRP Globally	293
Enabling GMRP on Individual Switch Ports	294
Disabling GMRP on Individual Switch Ports	294
Enabling GMRP Forward-All Option	295
Disabling GMRP Forward-All Option	295
Configuring GMRP Registration	296
Setting the GARP Timers	297
Displaying GMRP Statistics	298
Clearing GMRP Statistics	299
Disabling GMRP	299
Configuring Multicast Router Ports and Group Entries	299
Specifying Multicast Router Ports	300
Configuring Multicast Groups	300
Disabling Multicast Router Ports	301
Disabling Multicast Group Entries	301
Filtering IGMP Traffic	301
Using IGMP Traffic Filtering	302
IGMP Software Requirements	302
Default IGMP Filter Configuration	302
IGMP Multicast Filter Activation	303
Configuring Port IP Multicast Filtering	304
Configuring Port Security	309
Understanding How Port Security Works	309
Allowing Traffic Based on the Host MAC Address	309
Restricting Traffic Based on the Host MAC Address	310
Blocking Unicast Flood Packets on Secure Ports	311
Port Security Configuration Guidelines	311
Configuring Port Security on the Switch	311
Enabling Port Security	311
Setting the Maximum Number of Secure MAC Addresses	312
Setting the Port Security Age Time	313
Clearing MAC Addresses	313
Configuring Unicast Flood Blocking on Secure Ports	314
Enabling MAC Address Notification	315
Setting the Security Violation Action	316
Setting the Shutdown Time	317
Disabling Port Security	317
Restricting Traffic for a Host MAC Address	318
Monitoring Port Security	318
Configuring Unicast Flood Blocking	321
Understanding How Unicast Flood Blocking Works	321
Configuration Guidelines for Unicast Flood Blocking	322
Configuring Unicast Flood Blocking on the Switch	322
Enabling Unicast Flood Blocking	322
Disabling Unicast Flood Blocking	323
Displaying Unicast Flood Blocking	323
Configuring the IP Permit List	325
Understanding How the IP Permit List Works	325
IP Permit List Default Configuration	326
Configuring the IP Permit List on the Switch	326
Adding IP Addresses to the IP Permit List	326
Enabling the IP Permit List	327
Disabling the IP Permit List	328
Clearing an IP Permit List Entry	328
Configuring Protocol Filtering	331
Understanding How Protocol Filtering Works	331
Default Protocol Filtering Configuration	332
Configuring Protocol Filtering on the Switch	332
Configuring Protocol Filtering	332
Disabling Protocol Filtering	333
Checking Status and Connectivity	335
Checking Module Status	335
Checking Port Status	336
Displaying the Port MAC Address	338
Displaying Port Capabilities	339
Using Telnet	340
Changing the Login Timer	340
Using Secure Shell Encryption for Telnet Sessions	341
Monitoring User Sessions	342
Using Ping	343
Understanding How Ping Works	343
Executing Ping	344
Using Layer 2 Traceroute	345
Layer 2 Traceroute Usage Guidelines	345
Identifying a Layer2 Path	345
Using IP Traceroute	346
Understanding How IP Traceroute Works	346
Executing IP Traceroute	346
Configuring CDP	349
Understanding How CDP Works	349
Default CDP Configuration	350
Configuring CDP on the Switch	350
Setting the CDP Global Enable State	350
Setting the CDP Enable State on a Port	350
Setting the CDP Message Interval	352
Setting the CDP Holdtime	352
Displaying CDP Neighbor Information	353
Using Switch TopN Reports	355
Understanding How Switch TopN Reports Works	355
Running Switch TopN Reports Without the Background Option	356
Running Switch TopN Reports with the Background Option	356
Running and Viewing Switch TopN Reports	357
Configuring UDLD	361
Understanding How UDLD Works	361
UDLD Software and Hardware Requirements	362
Default UDLD Configuration	362
Configuring UDLD on the Switch	363
Enabling UDLD Globally	363
Enabling UDLD on Individual Ports	364
Disabling UDLD on Individual Ports	364
Disabling UDLD Globally	364
Specifying the UDLD Message Interval	365
Enabling UDLD Aggressive Mode	365
Displaying the UDLD Configuration	366
Configuring SNMP	369
SNMP Terminology	369
Understanding How SNMP Works	371
Security Models and Levels	372
SNMP ifindex Persistence Feature	372
Understanding How SNMPv1 and SNMPv2c Work	373
SNMPv1 and SNMPv2c Default Configuration	374
Configuring SNMPv1 and SNMPv2c from an NMS	374
Configuring SNMPv1 and SNMPv2c from the CLI	374
SNMPv1 and SNMPv2c Enhancements in Software Release 7.5(1)	376
Understanding SNMPv3	379
Benefits of SNMPv3	379
SNMP Entity	379
Configuring SNMPv3 from an NMS	382
Configuring SNMPv3 from the CLI	382
Using CiscoWorks2000	385
Configuring RMON	387
Understanding How RMON Works	387
Enabling RMON	388
Viewing RMON Data	388
Supported RMON and RMON2 MIB Objects	388
Configuring SPAN and RSPAN	391
Understanding How SPAN and RSPAN Work	391
SPAN Session	391
Destination Port	392
Source Port	392
Reflector Port	393
Ingress SPAN	393
Egress SPAN	393
VSPAN	393
Trunk VLAN Filtering	394
SPAN Traffic	394
SPAN and RSPAN Session Limits	394
Configuring SPAN	394
Understanding How SPAN Works	394
SPAN Configuration Guidelines	395
Configuring SPAN	396
Configuring RSPAN	398
RSPAN Software and Hardware Requirements	398
Understanding How RSPAN Works	398
RSPAN Configuration Guidelines	399
Configuring RSPAN	400
RSPAN Configuration Examples	403
Administering the Switch	409
Setting the System Name and System Prompt	409
Configuring the System Name and Prompt	410

Match case Limit results 1 per page

30-36

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide

—

Release 8.1

78-15486-01

Chapter 30

Configuring Switch Access Using AAA

Configuring Authentication

As an additional layer of security, you can configure the switch so that after users authenticate to it, these

users can authenticate only to other services on the network with Kerberized clients. If you do not make

Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to

authenticate users using the default method of authentication for that network service. For example,

Telnet prompts for a password.

To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm,

perform this task in privileged mode:

This example shows how to configure clients to forward user credentials and verify the configuration:

Console> (enable)

set kerberos credentials forward

Kerberos credentials forwarding enabled

Console> (enable)

show kerberos

Kerberos Local Realm:CISCO.COM

Kerberos server entries:

Realm:CISCO.COM,

Server:187.0.2.1,

Port:750

Realm:CISCO.COM,

Server:187.20.2.1, Port:750

Kerberos Domain<->Realm entries:

Domain:cisco.com,

Realm:CISCO.COM

Kerberos Clients NOT Mandatory

Kerberos Credentials Forwarding Enabled

Kerberos Pre Authentication Method set to None

Kerberos config key:

Kerberos SRVTAB Entries

Srvtab Entry 1:host/[email protected] 0 933974942 1 1 8 00?91:107:423=:;9

Console> (enable)

This example shows how to configure the switch so that Kerberos clients are mandatory for users to

authenticate to other network services:

Console> (enable)

set kerberos clients mandatory

Kerberos clients set to mandatory

Console> (enable)

Disabling Credentials Forwarding

To disable the credentials forwarding configuration, perform this task in privileged mode:

Task

Command

Step 1

Enable all clients to forward user credentials upon

successful Kerberos authentication.

set kerberos credentials forward

Step 2

(Optional) Configure Telnet to fail if clients cannot

authenticate to the remote server.

set kerberos clients mandatory

Task

Command

Disable the credentials forwarding configuration.

clear kerberos credentials forward