Home » Cisco Manuals » Hubs & Switches » Cisco 2950 24 » Manual Viewer

Cisco 2950 24 Configuration Guide - Page 29

Security, Quality of Service and Class of Service - weight

UPC - 746320454498

Add to My Manuals
Save this manual to your list of manuals

Page 29 highlights

Chapter 1 Overview Features Table 1-1 Features (continued) Security • Bridge Protocol Data Unit (BPDU) Guard for shutting down a Port Fast-configured port when an invalid configuration occurs • Protected port option for restricting the forwarding of traffic to designated ports on the same switch • Password-protected access (read-only and read-write access) to management interfaces (CMS and CLI) for protection against unauthorized configuration changes • Multilevel security for a choice of security level, notification, and resulting actions • MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and preventing switch access from unauthorized stations1 • Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server • 802.1X port-based authentication to prevent unauthorized devices from gaining access to the network • Standard and extended IP access control lists (ACLs) for defining security policies1 Quality of Service and Class of Service Classification • IP Differentiated Services Code Point (IP DSCP) and class of service (CoS) marking priorities on a per-port basis for protecting the performance of mission-critical applications1 • Flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network1 • Support for IEEE 802.1P CoS scheduling for classification and preferential treatment of high-priority voice traffic Policing • Traffic-policing policies on the switch port for allocating the amount of the port bandwidth to a specific traffic flow1 • Policing traffic flows to restrict specific applications or traffic flows to metered, predefined rates1 • Up to 60 policers on ingress Gigabit-capable Ethernet ports1 Up to six policers on ingress 10/100 ports1 Granularity of 1 Mbps on 10/100 ports and 8 Mbps on 10/100/1000 ports1 • Out-of-profile markdown for packets that exceed bandwidth utilization limits1 Egress Policing and Scheduling of Egress Queues • Four egress queues on all switch ports. Support for strict priority and weighted round-robin (WRR) CoS policies 78-11380-03 Catalyst 2950 Desktop Switch Software Configuration Guide 1-5

Section	Page
Catalyst2950Desktop Switch Software Configuration Guide	1
Contents	3
Preface	17
Audience	17
Purpose	17
Organization	18
Conventions	19
Related Publications	20
Obtaining Documentation	20
World Wide Web	20
Documentation CD-ROM	21
Ordering Documentation	21
Documentation Feedback	21
Obtaining Technical Assistance	21
Cisco.com	22
Technical Assistance Center	22
Cisco TAC Web Site	22
Cisco TAC Escalation Center	23
Overview	25
Features	25
Management Options	30
Management Interface Options	30
Advantages of Using CMS and Clustering Switches	31
Network Configuration Examples	32
Design Concepts for Using the Switch	32
Small to Medium-Sized Network Configuration	34
Collapsed Backbone and Switch Cluster Configuration	36
Large Campus Configuration	37
Getting Started with CMS	39
Features	40
Front Panel View	42
Cluster Tree	43
Front-Panel Images	44
Redundant Power System LED	45
Port Modes and LEDs	46
VLAN Membership Modes	47
Topology View	48
Topology Icons	50
Device and Link Labels	51
Colors in the Topology View	52
Topology Display Options	52
Menus and Toolbar	53
Menu Bar	53
Toolbar	58
Front Panel View Popup Menus	59
Device Popup Menu	59
Port Popup Menu	59
Topology View Popup Menus	60
Link Popup Menu	60
Device Popup Menus	61
Interaction Modes	63
Guide Mode	63
Expert Mode	63
Wizards	64
Tool Tips	64
Online Help	65
CMS Window Components	66
Host Name List	66
Tabs, Lists, and Tables	67
Icons Used in Windows	67
Buttons	67
Accessing CMS	68
Access Modes in CMS	69
Verifying Your Changes	70
Change Notification	70
Error Checking	70
Saving Your Changes	70
Using Different Versions of CMS	71
Where to Go Next	71
Using the Command-Line Interface	73
IOS Command Modes	73
Getting Help	75
Abbreviating Commands	75
Using no and default Forms of Commands	76
Understanding CLI Messages	76
Using Command History	77
Changing the Command History Buffer Size	77
Recalling Commands	77
Disabling the Command History Feature	77
Using Editing Features	78
Enabling and Disabling Editing Features	78
Editing Commands through Keystrokes	78
Editing Command Lines that Wrap	79
Searching and Filtering Output of show and more Commands	80
Accessing the CLI	81
Accessing the CLI from a Browser	81
Saving Configuration Changes	82
Where to Go Next	82
General Switch Administration	83
Basic IP Connectivity to the Switch	83
Switch Software Releases	84
Console Port Access	84
Telnet Access to the CLI	84
HTTP Access to CMS	85
SNMP Network Management Platforms	86
SNMP Versions	86
Using FTP to Access the MIB Files	87
Using SNMP to Access MIB Variables	87
Default Settings	88
Clustering Switches	95
Understanding Switch Clusters	96
Command Switch Characteristics	96
Standby Command Switch Characteristics	97
Candidate and Member Switches Characteristics	97
Planning a Switch Cluster	98
Automatic Discovery of Cluster Candidates and Members	98
Discovery through CDP Hops	99
Discovery through Non-CDP-Capable and Noncluster-Capable Devices	100
Discovery through the Same Management VLAN	101
Discovery through Different Management VLANs	102
Discovery of Newly Installed Switches	103
HSRP and Standby Command Switches	104
Virtual IP Addresses	105
Automatic Recovery of Cluster Configuration	105
Considerations for Cluster Standby Groups	106
IP Addresses	107
Host Names	108
Passwords	108
SNMP Community Strings	108
TACACS+	109
Access Modes in CMS	109
Management VLAN	109
LRE Profiles	110
Availability of Switch-Specific Features in Switch Clusters	110
Creating a Switch Cluster	110
Enabling a Command Switch	111
Adding Member Switches	112
Creating a Cluster Standby Group	114
Verifying a Switch Cluster	116
Using the CLI to Manage Switch Clusters	117
Catalyst1900 and Catalyst2820 CLI Considerations	117
Using SNMP to Manage Switch Clusters	118
Configuring the System	119
Changing IP Information	119
Manually Assigning and Removing Switch IP Information	120
Using DHCP-Based Autoconfiguration	120
Understanding DHCP-Based Autoconfiguration	121
DHCP Client Request Process	121
Configuring the DHCP Server	122
Configuring the TFTP Server	123
Configuring the Domain Name and the DNS	123
Configuring the Relay Device	124
Obtaining Configuration Files	125
Example Configuration	126
Changing the Password	128
Setting the System Date and Time	129
Configuring Daylight Saving Time	129
Configuring the Network Time Protocol	129
Configuring the Switch as an NTP Client	129
Enabling NTP Authentication	129
Configuring the Switch for NTP Broadcast-Client Mode	130
Configuring SNMP	130
Disabling and Enabling SNMP	130
Entering Community Strings	130
Adding Trap Managers	130
Configuring CDP	131
Configuring CDP for Extended Discovery	132
Managing the ARP Table	132
Managing the MAC Address Tables	133
MAC Addresses and VLANs	133
Changing the Address Aging Time	134
Removing Dynamic Address Entries	134
MAC Address Notification	135
Enabling Notification of Learned or Deleted MAC Addresses	135
Adding Secure Addresses	136
Removing Secure Addresses	136
Adding and Removing Static Address Entries	136
Configuring Static Addresses for EtherChannel Port Groups	137
Configuring TACACS+	138
Configuring the TACACS+ Server Host	138
Configuring Login Authentication	139
Specifying TACACS+ Authorization for Privileged EXEC Access and Network Services	140
Starting TACACS+ Accounting	140
Configuring a Switch for Local AAA	141
Controlling Switch Access with RADIUS	142
Understanding RADIUS	142
RADIUS Operation	143
Configuring RADIUS	144
Default RADIUS Configuration	144
Identifying the RADIUS Server Host	145
Configuring RADIUS Login Authentication	147
Defining AAA Server Groups	149
Configuring RADIUS Authorization for Privileged EXEC Access and Network Services	151
Starting RADIUS Accounting	152
Configuring Settings for All RADIUS Servers	153
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	153
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	154
Displaying the RADIUS Configuration	155
Configuring 802.1X Port-Based Authentication	157
Understanding 802.1X Port-Based Authentication	157
Device Roles	158
Authentication Initiation and Message Exchange	159
Ports in Authorized and Unauthorized States	160
Supported Topologies	161
Configuring 802.1X Authentication	162
Default 802.1X Configuration	162
802.1X Configuration Guidelines	163
Enabling 802.1X Authentication	164
Configuring the Switch-to-RADIUS-Server Communication	165
Enabling Periodic Re-Authentication	166
Manually Re-Authenticating a Client Connected to a Port	167
Changing the Quiet Period	167
Changing the Switch-to-Client Retransmission Time	168
Setting the Switch-to-Client Frame-Retransmission Number	169
Enabling Multiple Hosts	169
Resetting the 802.1X Configuration to the Default Values	170
Displaying 802.1X Statistics and Status	170
Configuring VLANs	171
Overview	171
Management VLANs	173
Changing the Management VLAN for a New Switch	173
Changing the Management VLAN Through a Telnet Connection	174
Assigning VLAN Port Membership Modes	174
VLAN Membership Combinations	176
Assigning Static-Access Ports to a VLAN	177
Using VTP	177
The VTP Domain	177
VTP Modes and Mode Transitions	177
VTP Advertisements	178
VTP Version 2	179
VTP Pruning	179
VTP Configuration Guidelines	180
Domain Names	180
Passwords	180
Upgrading from Previous Software Releases	181
VTP Version	181
Default VTP Configuration	181
Configuring VTP	182
Configuring VTP Server Mode	182
Configuring VTP Client Mode	182
Disabling VTP (VTP Transparent Mode)	183
Enabling VTP Version 2	184
Disabling VTP Version 2	184
Enabling VTP Pruning	185
Monitoring VTP	185
VLANs in the VTP Database	185
Token Ring VLANs	186
VLAN Configuration Guidelines	186
Default VLAN Configuration	186
Configuring VLANs in the VTP Database	187
Adding a VLAN	188
Modifying a VLAN	188
Deleting a VLAN from the Database	188
Assigning Static-Access Ports to a VLAN	189
How VLAN Trunks Work	190
IEEE 802.1Q Configuration Considerations	191
Trunks Interacting with Other Features	191
Configuring a Trunk Port	192
CLI: Disabling a Trunk Port	192
CLI: Defining the Allowed VLANs on a Trunk	193
Changing the Pruning-Eligible List	193
Configuring the Native VLAN for Untagged Traffic	194
Load Sharing Using STP	194
Load Sharing Using STP Port Priorities	195
Configuring STP Port Priorities and Load Sharing	195
Load Sharing Using STP Path Cost	197
How the VMPS Works	198
Dynamic Port VLAN Membership	199
VMPS Database Configuration File	199
VMPS Configuration Guidelines	201
Default VMPS Configuration	201
Configuring Dynamic VLAN Membership	201
Configuring Dynamic Ports on VMPS Clients	202
Reconfirming VLAN Memberships	203
Changing the Reconfirmation Interval	203
Changing the Retry Count	203
Administering and Monitoring the VMPS	204
Troubleshooting Dynamic Port VLAN Membership	204
Dynamic Port VLAN Membership Configuration Example	204
Configuring STP	207
Understanding Basic STP Features	207
Supported STP Instances	208
STP Overview	208
Election of the Root Switch	209
Bridge Protocol Data Units	209
STP Timers	210
Creating the STP Topology	210
STP Interface States	211
Blocking State	212
Listening State	213
Learning State	213
Forwarding State	213
Disabled State	213
MAC Address Allocation	214
STP Address Management	214
STP and IEEE 802.1Q Trunks	214
STP and Redundant Connectivity	214
Accelerated Aging to Retain Connectivity	215
Understanding Advanced STP Features	215
Understanding Port Fast	216
Understanding BPDU Guard	216
Understanding UplinkFast	217
Understanding Cross-Stack UplinkFast	218
How CSUF Works	219
Events that Cause Fast Convergence	220
Limitations	221
Connecting the Stack Ports	221
Understanding BackboneFast	223
Understanding Root Guard	225
Configuring Basic STP Features	226
Default STP Configuration	226
Disabling STP	227
Configuring the Root Switch	227
Configuring a Secondary Root Switch	229
Configuring STP Port Priority	230
Configuring STP Path Cost	231
Configuring the Switch Priority of a VLAN	232
Configuring the Hello Time	233
Configuring the Forwarding-Delay Time for a VLAN	233
Configuring the Maximum-Aging Time for a VLAN	234
Configuring STP for Use in a Cascaded Cluster	234
Displaying STP Status	235
Configuring Advanced STP Features	236
Configuring Port Fast	236
Configuring BPDU Guard	237
Configuring UplinkFast for Use with Redundant Links	238
Configuring Cross-Stack UplinkFast	239
Configuring BackboneFast	240
Configuring Root Guard	240
Configuring the Switch Ports	241
Changing the Port Speed and Duplex Mode	241
Connecting to Devices That Do Not Autonegotiate	242
Setting Speed and Duplex Parameters	242
Configuring IEEE 802.3X Flow Control	243
Configuring Flooding Controls	244
Enabling Storm Control	244
Disabling Storm Control	245
Configuring Protected Ports	245
Enabling Port Security	246
Defining the Maximum Secure Address Count	247
Enabling Port Security	247
Disabling Port Security	248
Understanding the EtherChannel	248
Understanding Port-Channel Interfaces	249
Understanding the Port Aggregation Protocol	250
PAgP Modes	250
Physical Learners and Aggregate-Port Learners	251
PAgP Interaction with Other Features	252
Understanding Load Balancing and Forwarding Methods	252
Default EtherChannel Configuration	253
EtherChannel Configuration Guidelines	254
Configuring EtherChannels	254
Configuring EtherChannel Load Balancing	256
Configuring the PAgP Learn Method and Priority	257
Displaying EtherChannel and PAgP Status	257
Configuring UniDirectional Link Detection	258
Understanding SPAN	258
SPAN Concepts and Terminology	259
SPAN Session	259
Traffic Types	259
Source Port	260
Destination Port	260
SPAN Traffic	261
SPAN Interaction with Other Features	261
Configuring SPAN	262
SPAN Configuration Guidelines	262
Creating a SPAN Session and Specifying Ports to Monitor	263
Removing Ports from a SPAN Session	264
Displaying SPAN Status	265
Configuring IGMP Snooping and MVR	267
Understanding and Configuring IGMP Snooping	267
Enabling or Disabling IGMP Snooping	268
CLI: Enabling or Disabling IGMP Snooping	268
Immediate-Leave Processing	269
CLI: Enabling IGMP Immediate-Leave Processing	269
Setting the Snooping Method	270
Joining a Multicast Group	270
Statically Configuring a Host to Join a Group	271
CLI: Statically Configuring a Interface to Join a Group	272
Leaving a Multicast Group	272
CLI: Configuring a Multicast Router Port	273
Understanding Multicast VLAN Registration	273
Using MVR in a Multicast Television Application	274
Configuration Guidelines and Limitations	276
Default MVR Configuration	276
Configuring MVR Global Parameters	276
Configuring MVR Interfaces	278
Displaying MVR	280
Configuring Network Security with ACLs	283
Understanding ACLs	283
ACLs	284
Handling Fragmented and Unfragmented Traffic	285
Understanding Access Control Parameters	286
Guidelines for Configuring ACLs on the Catalyst 2950 Switches	287
Configuring ACLs	288
Unsupported Features	288
Creating Standard and Extended IP ACLs	289
ACL Numbers	289
Creating a Numbered Standard ACL	290
Creating a Numbered Extended ACL	291
Creating Named Standard and Extended ACLs	294
Including Comments About Entries in ACLs	296
Applying the ACL to an Interface or Terminal Line	297
Displaying ACLs	298
Displaying Access Groups	299
Examples for Compiling ACLs	300
Creating Named MAC Extended ACLs	302
Creating MAC Access Groups	303
Configuring QoS	305
Understanding QoS	306
Basic QoS Model	307
Classification	308
Classification Based on QoS ACLs	309
Classification Based on Class Maps and Policy Maps	309
Policing and Marking	310
Mapping Tables	311
Queueing and Scheduling	312
How Class of Service Works	312
Port Priority	312
Port Scheduling	312
CoS and WRR	312
Configuring QoS	313
Default QoS Configuration	313
Configuration Guidelines	314
Configuring Classification Using Port Trust States	314
Configuring the Trust State on Ports within the QoS Domain	315
Configuring the CoS Value for an Interface	317
Configuring a QoS Policy	317
Classifying Traffic by Using ACLs	318
Classifying Traffic by Using Class Maps	321
Classifying, Policing, and Marking Traffic by Using Policy Maps	322
Configuring CoS Maps	325
Configuring the CoS-to-DSCP Map	325
Configuring the DSCP-to-CoS Map	326
Configuring CoS and WRR	327
CLI: Configuring CoS Priority Queues	328
Configuring WRR	328
Displaying QoS Information	329
QoS Configuration Examples	329
QoS Configuration for the Common Wiring Closet	330
QoS Configuration for the Intelligent Wiring Closet	331
Troubleshooting	333
Avoiding Configuration Conflicts	333
Avoiding Autonegotiation Mismatches	334
Troubleshooting CMS Sessions	335
Copying Configuration Files to Troubleshoot Configuration Problems	336
Recovery Procedures	337
Recovering from Lost Member Connectivity	337
Recovering from a Command Switch Failure	337
Replacing a Failed Command Switch with a Cluster Member	338
Replacing a Failed Command Switch with Another Switch	339
Recovering from a Failed Command Switch Without HSRP	340
Recovering from a Lost or Forgotten Password	341
Recovering from Corrupted Software	342
Debug Commands	343
Enabling Debugging on a Specific Feature	343
Enabling All-System Diagnostics	344
Redirecting Debug and Error Message Output	344
Error Messages for Security and QoS Configurations	345
System Messages	349
How to Read System Messages	349
Error Message Traceback Reports	351
Error Messages and Recovery Procedures	351
Chassis Message	351
CMP Messages	351
Environment Messages	352
GigaStack Messages	352
Link Message	353
RTD Messages	353
Storm Control Messages	354

Match case Limit results 1 per page

1-5

Catalyst 2950 Desktop Switch Software Configuration Guide

78-11380-03

Chapter 1

Overview

Features

Security

•

Bridge Protocol Data Unit (BPDU) Guard for shutting down a Port Fast-configured port when an invalid configuration

occurs

•

Protected port option for restricting the forwarding of traffic to designated ports on the same switch

•

Password-protected access (read-only and read-write access) to management interfaces (CMS and CLI) for protection

against unauthorized configuration changes

•

Multilevel security for a choice of security level, notification, and resulting actions

•

MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and

preventing switch access from unauthorized stations

•

Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network

security through a TACACS server

•

802.1X port-based authentication to prevent unauthorized devices from gaining access to the network

•

Standard and extended IP access control lists (ACLs) for defining security policies

Quality of Service and Class of Service

Classification

•

IP Differentiated Services Code Point (IP DSCP) and class of service (CoS) marking priorities on a per-port basis for

protecting the performance of mission-critical applications

•

Flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for

high-performance quality of service at the network edge, allowing for differentiated service levels for different types of

network traffic and for prioritizing mission-critical traffic in the network

•

Support for IEEE 802.1P CoS scheduling for classification and preferential treatment of high-priority voice traffic

Policing

•

Traffic-policing policies on the switch port for allocating the amount of the port bandwidth to a specific traffic flow

•

Policing traffic flows to restrict specific applications or traffic flows to metered, predefined rates

•

Up to 60 policers on ingress Gigabit-capable Ethernet ports

Up to six policers on ingress 10/100 ports

Granularity of 1 Mbps on 10/100 ports and 8 Mbps on 10/100/1000 ports

•

Out-of-profile markdown for packets that exceed bandwidth utilization limits

Egress Policing and Scheduling of Egress Queues

•

Four egress queues on all switch ports. Support for strict priority and weighted round-robin (WRR) CoS policies

Table 1-1

Features (continued)