Changing software on Cisco 3560G switch

1. Verify Current IOS Version · 2. Download Latest IOS Image from Cisco Website · 3. Delete Old IOS Software Image from Flash · 4. Copy the IOS. This appendix describes how to manipulate the Catalyst switch flash file system, Changing Directories and Displaying the Working Directory. Step 1: Tools Needed · Step 2: Backup switch IOS · Step 3: Upload new IOS · Step 4: Change the startup settings. Let the switch start with the new.


You taught me something new with the.

Jose Martinez November 16, at am Thanks for the comments!

Zsolt Kardos May 23, at am Great guide!

Romeo October 14, at pm You saved my day, thank you for sharing this all in one line command.

Nay October 11, at pm Great article. Thanks for writing this article.

Lirouter Li October 28, at pm Great stuff!

Jeff January 19, at am Thanks for the how-to. One minor note that I found when upgrading the To change the boot file, you need to enter configuration mode first — eg:

Switch# configure terminal
Switch(config)# boot system flash:cipservicesk9-mz.

What is Catalyst Etherchannel. This optimization is accomplished by populating the index port only with the ports local to the physical switch. Support for PTP on native Layer 3 ports was introduced.

For new switches, if you push auto-QoS commands through startup-config, the command should include each of the following as part of the standard template. I didn't remember what I ordered and quickly forgot about the packages because, it was such a chaotic week. Support for this feature was introduced only on the switch models of the Cisco Catalyst Series Switches. Spanning-Tree: You can learn the basics of spanning-tree, see which ports are in blocking and forwarding mode but don't expect any fancy stuff.

The device supports address learning only on aggregate ports even though the physical-port keyword is provided in the CLI. I been running same configuration with previous catalyst during 5 years without a similar problem. Etherchannel: If you want to learn etherchannel you are better off with some real switches, you can enable it but there's no Lacp or Pagp support.

Encrypted traffic analytics ETA give the Cisco Catalyst 8 x 10Gb network module the ability to scrutinize, identify and take action against malware attacks and other network threats. Technical Cisco content is now found at Cisco Community, Cisco. Cost and complexity can be reduced with Cisco SD-Access by automating the policy.

Next-generation Cisco Catalyst Series Switches have been designed to meet the future demands in wiring closet networks. About Etherchannel Catalyst. These models add even more flexibility to the interface choices that you can make in a single Cisco Catalyst Switch or in a stack of Cisco Catalyst Switches. Cisco: Cisco Catalyst X There are a number of options for security levels: Etherchannel.

The Catalyst Switch from Cisco is possibly the best user access layer switch ever produced by any manufacturer. There are a few differences between the two, other than EtherChannel is Cisco proprietary and Does anybody know how to aggregate two ports on the cisco catalyst switch LAG. We are planning to connect 2 stacked Catalyst to a Nutanix Cluster. The stackwise virtual allows the clustering of two chassis together into a single entity, to allow HA, scalability and management.

Configure the auto qos voip cisco-phone command manually on the switch interfaces. You can get the Catalyst models either in 24 or 48 port. One device that I am beginning to see a lot more of at my customer sites is the Cisco Catalyst

The Catalyst switch provides connectivity for wired endpoints and wireless endpoints by connecting wireless access points. Cisco Aironet. Overview and Review of the Catalyst and all its great features. The Catalyst Series is the. Catalyst Series switch pdf manual download. First, to configure logical etherchannel interface:

Switch# configure terminal
Switch(config)# interface port-channel 5

Then you need to assign the physical ports and specify LACP mode.

The next-generation Cisco Catalyst Series is designed to support a large number of EtherChannel hash variables to deliver optimal upstream egress forwarding decisions. Cisco Catalyst Configuration Example. The Series is the industry's. Port status on Cisc when Etherchannel. At Gbps, they are the industry's highest-density. Table 3 outlines the supported Layer 2 to Layer 4 EtherChannel hash algorithm. When I finally made my way to the office, I saw the boxes in the mail room and thought.

Four optional uplink network modules with GE or 10GE ports. PoE removes the need to supply wall. It is the next generation of the industry's most widely deployed switching platform. Dell server has 4 NIC and its connected with 3. I am setting up a 2 ethernet trunk between a Cisco switch and Fortinet E firewall. Cisco EtherChannel sample configuration interface Port-channel1 switchport switchport access vlan Cisco introduces new Catalyst X switches.

Ports configured in the on mode do not exchange PAgP packets. With its family pedigree, Catalyst Series switches offer simplicity without compromise - it is secure, always on, and IT simplified. Catalyst Series switches form the foundational building block for SoftwareDefined Access Figure 2. I have a 48 ports Catalyst switch and I would like to know if it is possible to be stacked with another but 24 ports? Thanks in advance to whoever can help.

This algorithm is explained in the Catalyst OS section. Only use the pagp learn-method command in this situation. Its top-of-the-line model comes with UPoE and mGig to power devices that require more than a gigabit per second speed. First is if we have 3, 5, 6, or 7 ports bundled in one channel. This video explains how it is performed. I thought it would make a good blog entry to describe the differences of each, where they are used, and what platforms each is supported on. Configuring Resilient Ethernet Protocol.

The Catalyst Series includes our highest density fixed-access, stackable enterprise network switches. Configuring EtherChannels. Because they are simple, secure, and ultrapractical. In this video, I'm just upgrading my Catalyst and looking at some basic syntax changes. In any case, you should always anticipate needing to have some downtime when performing a software upgrade on a switch or switch stack including switches that support ISSU , even if.

I created a Port channel on each x going to separate Stack member for resiliency. On Catalyst Series Switches, a similar 8-bit hashing algorithm is used. OR if a etherchannel group must have the same link speeds the following. One, my pnp switch, has two TenGig interfaces connected to my seed switch which is already configured with an EtherChannel.

This article explains the Errdisable feature on Cisco Catalyst switches. Cisco Catalyst The Cisco Catalyst CT-E is a port data only and the next generation of the industry's most widely deployed switching platform.

It was fine for weeks and then err-disabled. The switches ship with one power supply by. The assumption is wrong because of 2 reasons. This white paper. When I start the switch, firstly it hangs during boot then I reset it multiple times and then the page see below appears. Limitations and Restrictions. Cisco Catalyst Series Switches.

Changing the 'interface bandwidth' setting CatalystX IOS test etherchannel load-balance interface. These leaf switches typically allow for a combination of 1, 10, 25, 40 and 50G access and up to G uplinks to the. Catalyst 1G modular-uplink Switches. Catalyst is running pvst, Comware is using mst. Repeat same commands in Switch-B as. If only one power. For whatever reason I had a really hard time getting the etherchannel to work. It's not a security video but I figured I'd record it anyways.

The switch then sends packets to the Catalyst switch using the same port in the EtherChannel from which it learned the source address. FAQ: Cisco Catalyst By default, only VLAN 1 is configured on the switch, so if you connect hosts on an out-of-the-box switch they all belong to the same Layer 2 broadcast domain.


This data can then be analyzed for network management, client billing, or auditing. The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes.

To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command. This section describes how to enable and configure the RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes.

Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:. The user is prompted to enter a username and password. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied.

A standard RADIUS interface is typically used in a pulled model where the request originates from a network attached device and the response comes from the queried servers. However, some basic configuration is required for these attributes:. Change of Authorization (CoA) requests, as described in RFC , are used in a push model to allow for session identification, host reauthentication, and session termination. The model is comprised of one request (CoA-Request) and two possible response codes:.

The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported by the switch for session termination. Table shows the IETF attributes are supported for this feature. Table shows the possible values for the Error-Cause attribute. Table Error-Cause Values. To use the CoA interface, a session must already exist on the switch. CoA can be used to identify a session and enforce a disconnect request.

The update affects only the specified session. The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one or more of the following attributes:. For disconnect and CoA requests targeted to a particular session, any one of these session identifiers can be used:. If more than one session identification attribute is included in the message, all the attributes must match the session or the switch returns a Disconnect negative acknowledgement (NAK) or CoA-NAK with the error code Invalid Attribute Value.

If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure. Use show commands to verify a successful CoA. This is a standard disconnect request that does not require a VSA. All CoA commands must include the session identifier between the switch and the CoA client.

The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile such as a guest VLAN. A reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are known.

The current session state determines the switch response to the message. If the session is currently authenticated by IEEE If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an access-request to the server, passing the same identity attributes used for the initial successful authentication. If session authentication is in progress when the switch receives the command, the switch terminates the process, and restarts the authentication sequence, starting with the method configured to be attempted first.

If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar policies, the reauthentication message restarts the access control methods, beginning with the method configured to be attempted first. The current authorization of the session is maintained until the reauthentication leads to a different authorization result. There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session, without disabling the host port.

This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host. When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable the port). This command is a standard Disconnect-Request. If the session is located, the switch terminates the session.

After the session has been completely removed, the switch returns a Disconnect-ACK. If the switch fails-over to a standby switch before returning a Disconnect-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is restarted on the new active switch.

Note: A Disconnect-Request failure following command re-sending could be the result of either a successful session termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means (for example, a link failure) that occurred after the original command was issued and before the standby switch became active. If the session is located, the switch disables the hosting port for a period of 10 seconds, re-enables it (port-bounce), and returns a CoA-ACK. If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is re-started on the new active switch.

The software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that method does not respond, the software selects the next method in the list. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one.

The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key.

Note: If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. You can configure the switch to use AAA server groups to group existing server hosts for authentication. This procedure is required.

Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different.
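The override and key-parsing rules above (per-server values beat global ones, the key is the last item and keeps inner and trailing spaces, host entries for one address need distinct UDP ports) can be checked mechanically before a template is pushed to a switch. This is an added example, not Cisco code; the sample config, the finding codes and the 1645/1646 default ports are assumptions of the example.

```python
"""Audit legacy `radius-server` lines in an IOS config template (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# retransmit 3 and timeout 5 s are the defaults stated on this page; ports
# 1645/1646 are the classic IOS RADIUS defaults (assumption of this example).
DEFAULTS = {"auth-port": 1645, "acct-port": 1646, "timeout": 5, "retransmit": 3}
KEY_RE = re.compile(r"(?:^|\s)key\s(?P<key>.*)$")

# Constructed sample input (documentation addresses, made-up secrets).
CONSTRUCTED_CONFIG = (
    "aaa new-model\n"
    "radius-server timeout 10\n"
    "radius-server key global secret \n"  # note the trailing space
    "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 timeout 2 key perhost\n"
    "radius-server host 192.0.2.11 auth-port 1812 acct-port 1813\n"
    "radius-server host 192.0.2.12 key s3cret timeout 3\n"
    'radius-server host 192.0.2.10 auth-port 1812 acct-port 2813 key "quoted"\n'
)


@dataclass
class Server:
    address: str
    settings: dict          # effective ports, timeout, retransmit
    key: Optional[str]      # effective shared secret, exactly as typed
    key_source: str         # "per-server", "global" or "none"
    findings: list = field(default_factory=list)  # hypothetical finding codes


def split_key(body):
    """Split a command body into (options, key).

    Everything after the `key` keyword is the secret: leading spaces are
    ignored, spaces inside and at the end are kept.
    """
    m = KEY_RE.search(body)
    if m is None:
        return body, None
    return body[:m.start()], m.group("key").lstrip(" ")


def audit(config_text):
    """Resolve effective per-server settings and list hygiene findings."""
    glob, hosts = {}, []
    for raw in config_text.split("\n"):
        line = raw.lstrip()
        if not line.startswith("radius-server "):
            continue
        head, key = split_key(line[len("radius-server "):])
        tokens = head.split()
        if tokens[:1] == ["host"] and len(tokens) >= 2:
            hosts.append((tokens[1], dict(zip(tokens[2::2], tokens[3::2])), key))
        elif len(tokens) == 2 and tokens[0] in ("timeout", "retransmit"):
            glob[tokens[0]] = int(tokens[1])
        elif not tokens and key is not None:
            glob["key"] = key

    servers, used_ports = [], set()
    for address, opts, host_key in hosts:
        # Per-server values override global values, which override defaults.
        settings = {name: int(opts[name]) if name in opts
                    else glob.get(name, default)
                    for name, default in DEFAULTS.items()}
        key = host_key if host_key is not None else glob.get("key")
        if host_key is not None:
            source = "per-server"
        else:
            source = "global" if key is not None else "none"
        srv = Server(address, settings, key, source)
        if key is None:
            srv.findings.append("no-key")
        else:
            for name in DEFAULTS:
                # An option typed after `key` silently becomes part of the secret.
                if re.search(rf"(?:^|\s){name}\s", key):
                    srv.findings.append(f"option-after-key:{name}")
            if key != key.rstrip():
                srv.findings.append("key-trailing-space")
            if key.startswith('"') or key.endswith('"'):
                srv.findings.append("key-quoted")
        # Host entries for one address must differ in UDP port.
        ports = {settings["auth-port"], settings["acct-port"]}
        for port in sorted(ports):
            if (address, port) in used_ports:
                srv.findings.append(f"port-reused:{port}")
        used_ports.update((address, port) for port in ports)
        servers.append(srv)
    return servers


if __name__ == "__main__":
    for s in audit(CONSTRUCTED_CONFIG):
        print(s.address, s.settings, repr(s.key), s.key_source, s.findings)
```

The audit reads plain-text templates only; keys that the switch has already stored in encrypted form are not interpreted.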

The switch software searches for hosts in the order in which you specify them. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:. This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:.

These settings include the IP address of the switch and the key string to be shared by both the server and the switch. Beginning in privileged EXEC mode, follow these steps to configure login authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. You must enter username information in the database.

Use the username name password global configuration command. You must enter username information in the database by using the username password global configuration command. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

If you configure two different host entries on the same RADIUS server for the same service (for example, accounting), the second configured host entry acts as a fail-over backup to the first one. You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.

This command puts the switch in a server group configuration mode. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. The second host entry acts as a fail-over backup to the first entry. The aaa authorization exec radius local command sets these authorization parameters:. The default is 3; the range 1 to The default is 5 seconds; the range is 1 to Specify the number of minutes a RADIUS server, which is not responding to authentication requests, to be skipped, thus avoiding the wait for the request to timeout before trying the next configured server.

The default is 0; the range is 1 to minutes. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands. Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.

The value is a string with this format:. Protocol is a value of the Cisco protocol attribute for a particular type of authorization. This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:. If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.

To disable the key, use the no radius-server key global configuration command. This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad between the switch and the server:. Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server. The client must match all the configured attributes for authorization. (Optional) Configure the switch to ignore the session-key. (Optional) Configure the switch to ignore the server-key.

(Optional) Configure the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.

(Optional) Configure the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down. Shutting down the port results in termination of the session. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command. This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.

To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco. For more information, see the release notes for this release. Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT).

It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted third party to perform secure verification of users and services.

This trusted third party is called the key distribution center (KDC). Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users.

These tickets, which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services. Note A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme uses a process called single logon.

This process authenticates a user once and then allows secure authentication without encrypting another password wherever that user credential is accepted. This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).

In this software release, Kerberos supports these network services:. Table lists the common Kerberos-related terms and definitions:. A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch or a switch can authenticate to another switch. A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform.

A general term that refers to authentication tickets, such as TGTs 2 and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password.

Credentials have a default lifespan of eight hours. An authorization level label for Kerberos principals. The Kerberos instance can be used to specify the authorization level for the user if authentication is successful. The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so.

Note The Kerberos principal and instance names must be in all lowercase characters. Note The Kerberos realm name must be in all uppercase characters. KDC 3. Key distribution center that consists of a Kerberos server and database program that is running on a network host.

A term that describes applications and services that have been modified to support the Kerberos credential infrastructure. A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. A daemon that is running on a network host. Users and network services register their identity with the Kerberos server.

Network services query the Kerberos server to authenticate to other network services. A password that a network service shares with the KDC. Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server. Note The Kerberos principal name must be in all lowercase characters. A credential for a network service. The password is also shared with the user TGT.

Ticket granting ticket that is a credential that the KDC issues to authenticated users. A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.

To authenticate to network services by using a Catalyst switch as a Kerberos server, remote users must follow these steps:. Authenticating to a Boundary Switch. Authenticating to Network Services. This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:. The user opens an un-Kerberized Telnet connection to the boundary switch. The switch prompts the user for a username and password.

The switch attempts to decrypt the TGT by using the password that the user entered. A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch.

This section describes the second layer of security through which a remote user must pass. This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm. So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services.

To do this, you must identify them to each other. You also create entries for the users in the KDC database. When you add or create entries for the hosts and users, follow these guidelines:. To set up a Kerberos-authenticated server-client system, follow these steps:. The switch then handles authentication and authorization. No accounting is available in this configuration. Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

Configure user AAA authorization for all network-related service requests. Enter the local database, and establish a username-based authentication system. To use this feature, you must install the cryptographic encrypted software image on your switch.

You must obtain authorization to use this feature and to download the cryptographic software files from Cisco. Note For complete syntax and usage information for the commands used in this section, see the command reference for this release and the command reference for Cisco IOS Release SSH is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated.

SSH also supports these user authentication methods:. This section has this configuration information:. Follow these steps to set up your switch to run SSH:. Download the cryptographic software image from Cisco. This step is required. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. This procedure is required if you are configuring the switch as an SSH server.

We recommend that a minimum modulus size of bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. Show the version and configuration information for your SSH server. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4).

After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. Repeat this step when configuring both parameters. Optional Configure the virtual terminal line settings. Show the status of the SSH server connections on the switch. Shows the version and configuration information for the SSH server. To use this feature, the cryptographic encrypted software image must be installed on your switch.

For more information about the crypto image, see the release notes for this release. The HTTP 1. Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices. These services provide centralized security key and certificate management for the participating devices. Specific CA servers are referred to as trustpoints. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate.

Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies such as testing. If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server or client is automatically generated.

Note The certificate authorities and trustpoints must be configured on each device individually. Copying them from other devices makes them invalid on the switch. If a self-signed certificate has been generated, this information is included in the output of the show running-config privileged EXEC command. This is a partial sample output from that command displaying a self-signed certificate.

You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto pki trustpoint TP-self-signed global configuration command. If you later re-enable a secure HTTP server, a new self-signed certificate is generated. Note The values that follow TP self-signed depend on the serial number of the device. Authenticating the client provides more security than server authentication by itself. A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection.

When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4. For the best possible encryption, you should use a client browser that supports bit encryption, such as Microsoft Internet Explorer Version 5. The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed):

RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set.

If the clock is not set, the certificate is rejected due to an incorrect date. A CA trustpoint is more secure than a self-signed certificate. Specify the hostname of the switch required only if you have not previously configured a hostname. The hostname is required for security keys and certificates. Specify the IP domain name of the switch required only if you have not previously configured an IP domain name. The domain name is required for security keys and certificates.

Optional Generate an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed. Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode. Specify the URL to which the switch should send certificate requests.

Configure the switch to request a certificate revocation list CRL to ensure that the certificate of the peer has not been revoked. Optional Specify that the trustpoint should be used as the primary default trustpoint for CA requests. Exit CA trustpoint configuration mode and return to global configuration mode. Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. Obtain the certificate from the specified CA trustpoint.

This command requests a signed certificate for each RSA key pair. Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA. If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.

If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server. After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers. You should see one of these lines in the output:

The default port number is Valid options are or any number in the range to If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default. The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client. Specify the CA trustpoint to use to get an X. Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure.

The path specifies the location of the HTTP server files on the local system (usually located in system flash memory). The range is 1 to 16; the default value is 5. (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances: Display the status of the HTTP secure server to verify the configuration. Use the no ip http server global configuration command to disable the standard HTTP server. Use the no ip http secure-server global configuration command to disable the secure HTTP server.

Use the no ip http secure-port and the no ip http secure-ciphersuite global configuration commands to return to the default settings. Use the no ip http secure-client-auth global configuration command to remove the requirement for client authentication. If you configure a port other than the default port, you must also specify the port number after the URL. For example:. A certificate authority is required for secure HTTP client certification.

This procedure assumes that you have previously configured a CA trustpoint on the switch. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.

Use the no ip http client secure-trustpoint name to remove a client trustpoint configuration. Use the no ip http client secure-ciphersuite to remove a previously configured CipherSuite specification for the client. Shows the generated self-signed certificate for secure HTTP connections. The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. Note When using SCP, you cannot enter the password into the copy command.

You must enter the password when prompted. To configure the Secure Copy feature, you should understand these concepts. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.

An authorized administrator can also do this from a workstation. Updated: April 15, Chapter: Configuring Switch-Based Authentication. This chapter describes how to configure switch-based authentication on the Catalyst switch.

To prevent unauthorized access into your switch, you should configure one or more of these security features: At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.

For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server.

Multiple networking devices can then use the same database to obtain user authentication and, if necessary, authorization information. You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. Enable secret password and privilege level No password is defined. Line password No password is defined.

Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

Step 1 configure terminal: Enter global configuration mode.
Step 2 enable password password: Define a new password or change an existing password for access to privileged EXEC mode. Enter Ctrl-v.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.

The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):

Switch(config)# enable password l1u2c3k4y5

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords: Command Purpose Step 1 configure terminal Enter global configuration mode. Optional For level , the range is from 0 to Level 1 is normal user EXEC mode privileges.

The default level is 15 (privileged EXEC mode privileges). (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you copy from another switch configuration.

Step 3 service password-encryption: (Optional) Encrypt the password when the password is defined or when the configuration is written.

Beginning in privileged EXEC mode, follow these steps to disable password recovery:

Step 1 configure terminal: Enter global configuration mode.
Step 2 no service password-recovery: Disable password recovery.
Step 4 show version: Verify the configuration by checking the last few lines of the command output.

Setting a Telnet Password for a Terminal Line

When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use.

Step 3 configure terminal: Enter global configuration mode.
Step 4 line vty 0 15: Configure the number of Telnet sessions (lines), and enter line configuration mode.
Step 5 password password: Enter a Telnet password for the line or lines.
Step 7 show running-config: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.

This example shows how to set the Telnet password to let45me67in89:

Switch(config)# line vty 10
Switch(config-line)# password let45me67in89

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

Step 1 configure terminal: Enter global configuration mode.

For name, specify the user ID as one word. Spaces and quotation marks are not allowed. (Optional) For level, specify the privilege level the user has after gaining access.

If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack, and.

If the switch type of the provisioned switch matches the switch type in the provisioned configuration on the stack. The switch stack applies the provisioned configuration to the provisioned switch and adds it to the stack.

The stack member numbers match but the switch types do not match. If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack, but. The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack. The switch stack applies the default configuration to the provisioned switch and adds it to the stack. The provisioned configuration is changed to reflect the new information.

The stack member number is not found in the provisioned configuration. The stack member number of the provisioned switch is in conflict with an existing stack member. The stack master assigns a new stack member number to the provisioned switch. The stack member numbers and the switch types match:

If the new stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack, and. The stack member numbers match, but the switch types do not match: The stack member number of the provisioned switch is not found in the provisioned configuration. If you add a provisioned switch that is a different type than specified in the provisioned configuration to a powered-down switch stack and then apply power, the switch stack rejects the (now incorrect) switch stack-member-number provision type global configuration command in the startup configuration file.

However, during stack initialization, the nondefault interface configuration information in the startup configuration file for the provisioned interfaces potentially of the wrong type are executed. Depending on how different the actual switch type is from the previously provisioned switch type, some commands are rejected, and some commands are accepted.

Note If the switch stack does not contain a provisioned configuration for a new switch, the switch joins the stack with the default interface configuration. The switch stack then adds to its running configuration a switch stack-member-number provision type global configuration command that matches the new switch. When a provisioned switch in a switch stack fails, is removed from the stack, and is replaced with another switch, the stack applies either the provisioned configuration or the default configuration to it.

If you remove a provisioned switch from the switch stack, the configuration associated with the removed stack member remains in the running configuration as provisioned information. To completely remove the configuration, use the no switch stack-member-number provision global configuration command. All stack members must run the same Cisco IOS software version to ensure compatibility in the stack protocol version among the members.

The stack protocol version has a major version number and a minor version number for example 1. Switches with the same Cisco IOS software version have the same stack protocol version. All features function properly across the stack. These switches with the same software version as the master immediately join the stack. If an incompatibility exists, a system message describes the cause of the incompatibility on the specific stack members.

The master sends the message to all members. Switches with different Cisco IOS software versions likely have different stack protocol versions. Switches with different major version numbers are incompatible and cannot exist in the same stack. Switches with the same major version number but with a different minor version number as the master are considered partially compatible. When connected to a stack, a partially compatible switch enters version-mismatch mode and cannot join the stack as a fully functioning member.

The software detects the mismatched software and tries to upgrade (or downgrade) the switch in version-mismatch mode with the stack image or with a tar file image from the stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features. The port LEDs on switches in version-mismatch mode will also stay off.

Pressing the Mode button does not change the LED mode. Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching the directory structure on the switch stack. If you download your image by using the copy tftp: command instead of by using the archive download-sw privileged EXEC command, the correct directory structure is not properly created. When the software detects mismatched software and tries to upgrade the switch in version-mismatch mode, two software processes are involved: automatic upgrade and automatic advise.

Auto-copy occurs if auto-upgrade is enabled, if there is enough flash memory in the switch in version-mismatch mode, and if the software image running on the stack is suitable for the switch in version-mismatch mode. Note A switch in version-mismatch mode might not run all released software. For example, new switch hardware is not recognized in earlier versions of software.

In that case, the auto-extract process searches all switches in the stack, whether they are in version-mismatch mode or not, for the tar file needed to upgrade the switch stack or the switch in version-mismatch mode. The tar file can be in any flash file system in the stack (including the switch in version-mismatch mode). If a tar file suitable for the switch in version-mismatch mode is found, the process extracts the file and automatically upgrades that switch. The auto-upgrade (auto-copy and auto-extract) processes start a few minutes after the mismatched software is detected.

When the auto-upgrade process is complete, the switch that was in version-mismatch mode reloads and joins the stack as a fully functioning member. If you have both cables connected during the reload, network downtime does not occur because the stack operates on two rings. The auto-advise software does not give suggestions when the stack software and the software of the switch in version-mismatch mode do not contain the same feature sets.

The same events occur when cryptographic and noncryptographic images are running. When you add a switch that has a different minor version number to the stack, the software displays messages in sequence assuming that there are no other system messages generated by the switch. This example shows that the stack detected a new switch that is running a different minor version number than the stack.

Auto-copy launches, finds suitable software to copy from a member to the switch in version-mismatch mode, upgrades the switch in version-mismatch mode, and then reloads it: Auto-copy launches but cannot find software in the stack to copy to the switch in version-mismatch mode to make it compatible with the stack.

The auto-advise process launches and recommends that you download a tar file from the network to the switch in version-mismatch mode: You can upgrade a switch that has an incompatible software image by using the archive copy-sw privileged EXEC command to copy the software image from an existing member.

That switch automatically reloads with the new image and joins the stack as a fully functioning member. The master has the saved and running configuration files for the stack. All members periodically receive synchronized copies of the configuration files from the master. If the master becomes unavailable, any member assuming the role of master has the latest configuration files. A new, out-of-box switch joining a stack uses the system-level settings of that stack.

If a switch is moved to a different stack, it loses its saved configuration file and uses the system-level configuration of the new stack. The interface-specific configuration of each member is associated with its member number.

A stack member keeps its number unless it is manually changed or it is already used by another member in the same stack. If you replace a failed member with an identical model, the replacement member automatically uses the same interface-specific configuration. You do not need to reconfigure the interface settings. The replacement switch must have the same member number as the failed switch. You back up and restore the stack configuration in the same way as you do for a standalone switch configuration.

You manage the stack and the member interfaces through the master. You cannot manage members as individual switches. The stack is managed through a system-level IP address. You can still manage the stack through the same IP address even if you remove the master or any other stack member from the stack, provided there is IP connectivity. Note Members keep their IP addresses when you remove them from a stack. To avoid having two devices with the same IP address in your network, change the IP address of the switch that you removed from the stack.

The Secure Shell (SSH) connectivity to the stack can be lost if a master running the cryptographic version fails and is replaced by a switch that is running a noncryptographic version. We recommend that a switch running the cryptographic version of the software be the master. You can connect to the master through the console port of one or more members. Be careful when using multiple CLI sessions to the master. Commands that you enter in one session are not displayed in the other sessions.

Therefore, it is possible that you might not be able to identify the session from which you entered a command. We recommend that you use only one CLI session when managing the stack. If you want to configure a specific member port, you must include the stack member number in the CLI notation.

Most of the scenarios in Table assume at least two switches are connected through their ports. Table Switch Stack Configuration Scenarios. Master election specifically determined by existing masters. Only one of the two masters becomes the new stack master. Master election specifically determined by the member priority value.

Connect two switches through their ports. Use the switch stack-member-number priority new-priority-number global configuration command to set one member with a higher member priority value. Restart both members at the same time. The member with the higher priority value is elected master. Master election specifically determined by the configuration file.

Assuming that both members have the same priority value: Make sure that one member has a default configuration and that the other member has a saved (nondefault) configuration file. The member with the saved configuration file is elected master. Master election specifically determined by the MAC address. Assuming that both members have the same priority value, configuration file, and software image, restart both stack members at the same time.

The member with the lower MAC address is elected master. Assuming that one member has a higher priority value than the other member: Ensure that both members have the same member number. If necessary, use the switch current-stack-member-number renumber new-stack-member-number global configuration command.

The member with the higher priority value keeps its member number. The other member has a new stack member number. Power off the new switch. Through their ports, connect the new switch to a powered-on stack. Power on the new switch. The master is kept. The new switch is added to the stack. One of the remaining stack members becomes the new master. All other members in the stack remain members and do not restart.

Through their ports, connect ten switches. Power on all switches. Two switches become masters. One master has stack members. The other master remains a standalone switch. Use the Mode button and port LEDs on the switches to identify which switches are masters and which switches belong to each master. For information about the Mode button and the LEDs, see the hardware installation guide.

Table shows the default switch stack configuration. Table Default Switch Stack Configuration. When a master is removed from the stack and a new master takes over, the MAC address of the new master becomes the new stack MAC address. During this time period, if the previous master rejoins the stack, the stack continues to use that MAC address as the stack MAC address, even if the switch is now a member and not a master.

If the previous master does not rejoin the stack during this period, the stack uses the MAC address of the new master as the stack MAC address. This procedure is optional. Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master. If the previous stack master rejoins the stack during this period, the stack uses that MAC address as the stack MAC address.

If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the stack uses the current master MAC address. Verify that the stack MAC address timer is enabled.

The output shows stack-mac persistent timer and the time in minutes. The output shows Mac persistency wait time with the number of minutes configured and the stack MAC address. (Optional) Save your entries in the configuration file. Use the no stack-mac persistent timer global configuration command to disable the persistent MAC address feature. This example shows how to configure the persistent MAC address feature for a 7-minute time delay and to verify the configuration:

Note This task is available only from the master. Beginning in privileged EXEC mode, follow these steps to assign a member number to a member. Specify the current member number and the new member number for the member. The range is 1 to. You can display the current member number by using the show switch user EXEC command. Beginning in privileged EXEC mode, follow these steps to assign a priority value to a member: This procedure is optional.

Specify the member number and the new priority for the member. The member number range is 1 to. The priority value range is 1 to You can display the current priority value by using the show switch user EXEC command. Beginning in privileged EXEC mode, follow these steps to provision a new member for a stack. Specify the member number for the provisioned switch. By default, no switches are provisioned. For stack-member-number , the range is 1 to.

Enter a member number that is not already used in the stack. See Step 1. For type , enter the model number of the member. Verify the correct numbering of interfaces in the configuration. Verify the status of the provisioned switch. For stack-member-number , enter the same number as in Step 2. To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command.

This example shows how to provision a switch with a stack member number of 2 for the stack. The show running-config command output shows the interfaces associated with the provisioned switch: If you remove powered-on members but do not want to partition the stack: Step 1 Power off the newly created stacks. Step 2 Reconnect them to the original stack through their ports.

Step 3 Power on the switches. Note This task is only for debugging purposes, and is only available from the master. The stack member number range is 1 to. You can access specific members by using the session stack-member-number privileged EXEC command. The member number is appended to the system prompt. For example, the prompt for member 2 is Switch-2 , and system prompt for the master is Switch.

Enter exit to return to the CLI session on the master. Only the show and debug commands are available on a specific member. To display saved configuration changes after resetting a specific member or the stack, use these privileged EXEC commands: Table Commands for Displaying Stack Information. Display all stack information, such as the stack protocol version. Display summary information about the stack, including the status of provisioned switches and switches in version-mismatch mode.

Display detailed information about the stack ring. If a port is flapping and causing instability in the stack ring, to disable the port, enter the switch stack-member-number stack port port-number disable privileged EXEC command. To re-enable the port, enter the switch stack-member-number stack port port-number enable command. Note Be careful when using the switch stack-member-number stack port port-number disable command.

When you disable the port, the stack operates at half bandwidth. When you enter the switch stack-member-number stack port port-number disable privileged EXEC command and. Port 1 on Switch 1 is connected to Port 2 on Switch 4. While Port 1 on Switch 1 is disabled and Switch 1 is still powered on:.

Disconnect the stack cable between Port 1 on Switch 1 and Port 2 on Switch 4. Remove Switch 4 from the stack. Add a switch to replace Switch 4 and assign it switch-number 4. Reconnect the cable between Port 1 on Switch 1 and Port 2 on Switch 4 the replacement switch. Re-enable the link between the switches. Power on Switch 4.

Table show switch stack-ports summary Command Output. Switch number of the active member at the other end of the cable. If the switch cannot detect the cable length, the value is no cable. The cable might not be connected, or the link might be unreliable. The link partner is a port on a neighbor switch. This shows if the port is in the same state as its link partner.

If a large number of changes occur in a short period of time, link flapping can occur. Updated: April 15, Chapter: Managing Switch Stacks. This chapter provides the concepts and procedures to manage Catalyst stacks. Understanding Stacks A switch stack is a set of up to Catalyst switches connected through their ports.

From the master, you configure: System-level (global) features that apply to all members Interface-level features for each member Every member is uniquely identified by its own stack member number. You can use these methods to manage stacks: Network Assistant available on Cisco. Adding powered-on switches (merging) causes the masters of the merging stacks to elect a master from among themselves.

The new master keeps its role and configuration and so do its members.


The example assumes that the neighbor interface is configured to support IEEE By default, a trunk port sends traffic to and receives traffic from all VLANs. To restrict the traffic a trunk carries, use the switchport trunk allowed vlan remove vlan-list interface configuration command to remove specific VLANs from the allowed list. The same is true for any VLAN that has been disabled on the port. Beginning in privileged EXEC mode, follow these steps to modify the allowed list of a trunk:.

Specify the port to be configured, and enter interface configuration mode. For explanations about using the add , all , except , and remove keywords, see the command reference for this release. Do not enter any spaces between comma-separated VLAN parameters or in hyphen-specified ranges.

The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect. Select the trunk port for which VLANs should be pruned, and enter interface configuration mode. Configure the list of VLANs allowed to be pruned from the trunk. For explanations about using the add , except , none , and remove keywords, see the command reference for this release.

Valid IDs are 2 to VLANs that are pruning-ineligible receive flooded traffic. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command. A trunk port configured with IEEE By default, the switch forwards untagged traffic in the native VLAN configured for the port.

For information about IEEE Define the interface that is configured as the IEEE Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id , the range is 1 to Load sharing divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches.

Using load sharing, you divide the traffic between the links according to which VLAN the traffic belongs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state.

You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. One trunk port sends or receives all traffic for the VLAN. Figure shows two trunks connecting supported switches. In this example, the switches are configured as follows:. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs.

No duplication of traffic occurs over any trunk port. Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure Define the interface to be configured as a trunk, and enter interface configuration mode. Repeat Steps 7 through 11 on Switch A for a second port in the switch.

Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A. Define the interface to set the STP port priority, and enter interface configuration mode. Assign the port priority of 16 for VLANs 8 through Assign the port priority of 16 for VLANs 3 through 6. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. These VLAN path costs are assigned:. Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure :.

Configure the port as a trunk port. The trunk defaults to ISL trunking. Repeat Steps 2 through 5 on a second interface in Switch A. Verify your entries. In the display, make sure that the interfaces are configured as trunk ports. Define the interface on which to set the STP cost, and enter interface configuration mode.

Set the spanning-tree path cost to 30 for VLANs 2 through 4. Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and In the display, verify that the path costs are set correctly for both trunk interfaces. The server response is based on this mapping and whether or not the server is in open or secure mode.

In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server simply denies the host access to the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS.

The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN.

Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. Table shows the default VMPS and dynamic-access port configuration on client switches. These guidelines and restrictions apply to dynamic-access port VLAN membership:.

You must turn off trunking on the port before the dynamic-access setting takes effect. You must first enter the IP address of the server to configure the switch as a client. Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch. You can enter up to three secondary server addresses. If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.

Specify the switch port that is connected to the end station, and enter interface configuration mode. Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station. Verify your entries in the Operational Mode field of the display. To return an interface to its default switchport mode dynamic auto , use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.

You can set the number of minutes after which reconfirmation occurs. If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch. Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:. Enter the number of minutes between reconfirmations of the dynamic VLAN membership.

The range is 1 to The default is 60 minutes. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:. Change the retry count. The retry range is 1 to 10; the default is 3. Verify your entry in the Server Retry Count field of the display.

To return the switch to its default setting, use the no vmps retry global configuration command. The switch displays this information about the VMPS:. This is an example of output for the show vmps privileged EXEC command:. The VMPS shuts down a dynamic-access port under these conditions :. To re-enable a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command. In this example, these assumptions apply:.

Updated: April 15, VTP is required. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. Normal-range VLANs are identified with a number between 1 and These are extended-range VLANs and configuration options are limited.

The switch supports spanning-tree instances. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.

Step 8 copy running-config startup-config Optional Save your entries in the configuration file. This example shows how to configure a port as an access port in VLAN 2: Switch configure terminal Enter configuration commands, one per line. You cannot include extended-range VLANs in the pruning eligible range. You should save this configuration to the startup configuration so that the switch boots up in VTP transparent mode.

Otherwise, you lose the extended-range VLAN configuration if the switch resets. STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances are on the switch, spanning tree is disabled on any newly created VLANs. Although the switch supports a total of normal-range and extended-range VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.

If you try to create an extended-range VLAN and there are not enough hardware resources available, an error message is generated, and the extended-range VLAN is rejected. Step 8 copy running-config startup-config Save your entries in the switch startup configuration file. Step 2 configure terminal Enter global configuration mode. Step 5 exit Return to global configuration mode. Step 9 interface interface-id Specify the interface ID for the routed port that you shut down in Step 4, and enter interface configuration mode.

Step 10 no shutdown Re-enable the routed port. Step 12 copy running-config startup-config Save your entries in the switch startup configuration file. IEEE If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking. To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.

Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface to select the encapsulation type on the trunk port. Table Layer 2 Interface Modes Mode Function switchport mode access Puts the interface access port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. Encapsulation Types Table lists the Ethernet trunk encapsulation types and keywords. Make sure your network is loop-free before you disable spanning tree.

Interaction with Other Features Trunking interacts with other features in these ways: A trunk port cannot be a secure port. A trunk port cannot be a tunnel port. Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group. If you change the configuration of one of these parameters, the switch propagates the setting you entered to all ports in the group: — allowed-VLAN list.

If you try to enable IEEE If you try to change the mode of an IEEE A port in dynamic mode can negotiate with its neighbor to become a trunk port. Step 2 interface interface-id Specify the port to be configured for trunking, and enter interface configuration mode. This is the default. Step 5 switchport access vlan vlan-id Optional Specify the default VLAN, which is used if the interface stops trunking.

Step 8 show interfaces interface-id switchport Display the switchport configuration of the interface in the Administrative Mode and the Administrative Trunking Encapsulation fields of the display. Step 9 show interfaces interface-id trunk Display the trunk configuration of the interface. Step 10 copy running-config startup-config Optional Save your entries in the configuration file. Switch configure terminal Enter configuration commands, one per line.

Beginning in privileged EXEC mode, follow these steps to modify the allowed list of a trunk: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. All VLANs are allowed by default. Step 7 copy running-config startup-config Optional Save your entries in the configuration file.
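One way to check a saved configuration against the trunking points above (ports left in the default dynamic mode, trunks that still generate DTP frames, and trunks that keep the default allowed list of all VLANs). This is an added example, not Cisco's code; the sample configuration, interface names, VLAN IDs and finding labels are constructed.

```python
import re

# Constructed running-config excerpt; every name and number here is a sample value.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink, restricted trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description trunk left at defaults
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 description port never configured
!
interface GigabitEthernet0/4
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/5
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan10
 ip address 192.0.2.129 255.255.255.128
!
"""

DEFAULT_MODE = "dynamic auto"  # default switchport mode stated on this page


def expand_vlans(spec):
    """Expand a list such as '10,20,30-32' (no spaces, hyphen ranges) to a set."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def audit_port(lines):
    """Audit one Layer 2 port; returns None for routed ports (no switchport)."""
    if "no switchport" in lines:
        return None
    mode, allowed = DEFAULT_MODE, None  # allowed=None means all VLANs (default)
    for line in lines:
        match = re.match(r"switchport mode (.+)$", line)
        if match:
            mode = match.group(1)
        match = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line)
        if match:
            vlans = expand_vlans(match.group(2))
            allowed = (allowed or set()) | vlans if match.group(1) else vlans
    findings = []
    if mode.startswith("dynamic"):
        # The neighbor can negotiate this port into a trunk.
        findings.append("dtp-negotiable")
    elif mode == "trunk" and "switchport nonegotiate" not in lines:
        # Trunk is forced on, but DTP frames are still generated.
        findings.append("trunk-sends-dtp")
    if (mode == "trunk" or mode.startswith("dynamic")) and allowed is None:
        findings.append("all-vlans-allowed")
    return {"mode": mode, "allowed": allowed, "findings": findings}


def audit(config):
    """Audit every switch port; SVIs and loopbacks are skipped by name."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name.startswith(("Vlan", "Loopback")):
            continue
        result = audit_port(lines)
        if result is not None:
            report[name] = result
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, result["mode"], result["findings"] or "ok")
```

The parser only understands plain and `add` forms of the allowed-VLAN line; a configuration that uses other keywords needs those cases added before the result can be trusted.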

Step 2 interface interface-id Select the trunk port for which VLANs should be pruned, and enter interface configuration mode. Step 6 copy running-config startup-config Optional Save your entries in the configuration file. Step 3 switchport trunk native vlan vlan-id Configure the VLAN that is sending and receiving untagged traffic on the trunk port.

Configuring Trunk Ports for Load Sharing Load sharing divides the bandwidth supplied by parallel trunks connecting switches. In this example, the switches are configured as follows: VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1. VLANs 3 through 6 retain the default port priority of on Trunk 1.

VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2. VLANs 8 through 10 retain the default port priority of on Trunk 2. Step 2 vtp domain domain-name Configure a VTP administrative domain. The domain name can be 1 to 32 characters. Step 7 configure terminal Enter global configuration mode. Step 10 switchport mode trunk Configure the port as a trunk port. Step 13 Repeat Steps 7 through 11 on Switch A for a second port in the switch.

Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A. Step 16 configure terminal Enter global configuration mode on Switch A. Step 18 spanning-tree vlan port-priority 16 Assign the port priority of 16 for VLANs 8 through Interfaces configured in a range must be the same type and must be configured with the same feature options.

Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface. You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.

Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:. Specify the range of interfaces VLANs or physical ports to be configured, and enter interface-range configuration mode. Use the normal configuration commands to apply the configuration parameters to all interfaces in the range.

Each command is executed as it is entered. Verify the configuration of the interfaces in the range. When using the interface range global configuration command, note these guidelines:. Note When you use the interface range command with port channels, the first and last port-channel number must be active port channels. This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive flow-control pause frames:.

If you enter multiple configuration commands while you are in interface-range mode, each command is executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If you exit interface-range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range.

Wait until the command prompt reappears before exiting interface-range configuration mode. You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro:.

You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro. Show the defined interface range macro configuration. When using the define interface-range global configuration command, note these guidelines:. This example shows how to create a multiple-interface macro named macro1 :. Table shows the Ethernet interface default configuration. Note To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode.

This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. Layer 2 or switching mode switchport command.

Switchport mode dynamic auto supports DTP Layer 2 interfaces only. Flow control is set to receive : off. It is always off for sent packets. Disabled on all Ethernet ports. Port blocking unknown multicast and unknown unicast traffic. Disabled not blocked Layer 2 interfaces only. Disabled Layer 2 interfaces only. This is regardless of whether auto-MDIX is enabled on the switch port.

Disabled on SFP module ports; enabled on all other ports. Note Only Catalyst switches have dual-purpose uplinks ports. Beginning in privileged EXEC mode, follow these steps to select which dual-purpose uplink to activate so that you can set the speed and duplex. This procedure is optional. Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.

Select the interface and type of a dual-purpose uplink port. The keywords have these meanings:. To return to the default setting, use the media-type auto interface or the no media-type interface configuration commands. If you configure auto-select , you cannot configure the speed and duplex interface configuration commands. When the switch powers on or when you enable a dual-purpose uplink port through the shutdown and the no shutdown interface configuration commands, the switch gives preference to the SFP module interface.

In all other situations, the switch selects the active link based on which type first links up. In full-duplex mode, two stations can send and receive traffic at the same time. These sections describe how to configure the interface speed and duplex mode:. When configuring an interface speed and duplex mode, note these guidelines:. Duplex options are not supported. These modules support full- and half- duplex options but do not support autonegotiation. For information about which SFP modules are supported on your switch, see the product release notes.

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:. Specify the physical interface to be configured, and enter interface configuration mode. Enter the appropriate speed parameter for the interface:. Display the interface speed and duplex mode configuration. Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings autonegotiate.

To return all interface settings to the defaults, use the default interface interface-id interface configuration command. Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears.

Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period. Note Ports on the switch can receive, but not send, pause frames. The default state is off. When set to desired , an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.

These rules apply to flow control settings on the device:. Note For details on the command settings and the resulting flow control resolution on local and remote ports, see the flowcontrol interface configuration command in the command reference for this release. Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface :. To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:.

When automatic medium-dependent interface crossover auto-MDIX is enabled on an interface, the interface automatically detects the required cable connection type straight through or crossover and configures the connection appropriately. When connecting switches without the auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.

With auto-MDIX enabled, you can use either type of cable to connect to other devices, and the interface automatically corrects for any incorrect cabling. For more information about cabling requirements, see the hardware installation guide. Auto-MDIX is enabled by default. When you enable auto-MDIX, you must also set the interface speed and duplex to auto so that the feature operates correctly.

Table shows the link states that result from auto-MDIX settings and correct and incorrect cabling. Configure the interface to autonegotiate speed with the connected device. Configure the interface to autonegotiate duplex mode with the connected device. Verify the operational state of the auto-MDIX feature on the interface. To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:. For most situations, the default configuration auto mode works well, providing plug-and-play operation.

No further configuration is required. However, use the following procedure to give a PoE port higher priority, to make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port. Note When you make PoE configuration changes, the port being configured drops power. Depending on the new configuration, the state of the other PoE ports, and the state of the power budget, the port might not be powered up again. For example, port 1 is in the auto and on state, and you configure it for static mode.

The switch removes power from port 1, detects the powered device, and repowers the port. If port 1 is in the auto and on state and you configure it with a maximum wattage of 10 W, the switch removes power from the port and then redetects the powered device. The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. Specify the physical port to be configured, and enter interface configuration mode.

Configure the PoE mode on the port. Note If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state. The switch allocates power to a port configured in static mode before it allocates power to a port configured in auto mode.

Display PoE status for a switch or for the specified interface. For information about the output of the show power inline user EXEC command, see the command reference for this release. When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol CDP to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly.

For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification. If the powered device is a Class 0 class status unknown or a Class 3, the switch budgets 15, milliwatts for the device, regardless of the actual amount of power needed.

If the powered device reports a higher class than its actual consumption or does not support power classification defaults to Class 0 , the switch can power fewer devices because it uses the IEEE class information to track the global power budget. By using the power inline consumption wattage configuration command, you can override the default power requirement specified by the IEEE classification. The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices.

You can then extend the switch power budget and use it more effectively. For example, if the switch budgets 15, milliwatts on each PoE port, you can connect only 24 Class 0 powered devices. If your Class 0 device power requirement is actually milliwatts, you can set the consumption wattage to milliwatts and connect up to 48 devices.

The total PoE output power available on a port or port switch is , milliwatts. Note When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device. When you enter the power inline consumption default wattage or the no power inline consumption default global configuration command, or the power inline consumption wattage or the no power inline consumption interface configuration command this caution message appears:.

If the power supply is over-subscribed to by up to 20 percent, the switch continues to operate but its reliability is reduced. If the power supply is subscribed to by more than 20 percent, the short-circuit protection circuitry triggers and shuts the switch down. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch:.

Configure the power consumption of powered devices connected to each PoE port on the switch. Note When you use this command, we recommend you also enable power policing. To return to the default setting, use the no power inline consumption default global configuration command. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to a specific PoE port:. Configure the power consumption of a powered device connected to a PoE port on the switch.

To return to the default setting, use the no power inline consumption interface configuration command. For information about the output of the show power inline consumption privileged EXEC command, see the command reference for this release. Note Power policing is supported only on Catalyst C switches. By default, the switch monitors the real-time power consumption of connected powered devices. You can configure the switch to police the power usage.

By default, policing is disabled. Beginning in privileged EXEC mode, follow these steps to enable policing of the real-time power consumption of a powered device connected to a PoE port:. If the real-time power consumption exceeds the maximum power allocation on the port, configure the switch to take one of these actions:.

Note You can enable error detection for the PoE error-disabled cause by using the errdisable detect cause inline-power global configuration command. You can also enable the timer to recover from the PoE error-disabled state by using the errdisable recovery cause inline-power interval interval global configuration command. If you do not enter the action keywords, the default action shuts down the port and puts the port in the error-disabled state. Optional Enable error recovery from the PoE error-disabled state, and configure the PoE recover mechanism variables.

For interval interval , specify the time in seconds to recover from the error-disabled state. The range is 30 to Display the power monitoring status, and verify the error recovery settings. To disable policing of the real-time power consumption, use the no power inline police interface configuration command.

To disable error recovery for PoE error-disabled cause, use the no errdisable recovery cause inline-power global configuration command. For information about the output from the show power inline police privileged EXEC command, see the command reference for this release. You can configure the power management, budgeting, and policing on the Catalyst C compact switch PoE ports the same as with any other PoE switch.

The show env power inline privileged EXEC command provides information about powering options and power backup on your switch:. You can see the available power and the power required by each connected device by entering the show power inline privileged EXEC command. Enter the show power inline police privileged EXEC command to see power monitoring status.

Use the show power inline police command to see power monitoring status. The show power inline dynamic-priority command shows the power priority of each port:. You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration , show running-config , and show interfaces.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface:. Specify the interface for which you are adding a description, and enter interface configuration mode. Add a description up to characters for an interface. Use the no description interface configuration command to delete the description. This example shows how to add a description on a port and how to verify the description:.

The switch supports these types of Layer 3 interfaces:. Note When you create an SVI, it does not become active until it is associated with a physical port. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch.

However, the interrelationship between the number of SVIs and routed ports and the number of other features being configured might have an impact on CPU usage because of hardware limitations. If the switch is using maximum hardware resources, attempts to create a routed port or SVI have these results:. All Layer 3 interfaces require an IP address to route traffic. This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface.

Note If the physical port is in Layer 2 mode the default , you must enter the no switchport interface configuration command to put the interface into Layer 3 mode. Entering a no switchport command disables and then re-enables the interface, which might generate messages on the device to which the interface is connected. Furthermore, when you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.

Specify the interface to be configured as a Layer 3 interface, and enter interface configuration mode. To remove an IP address from an interface, use the no ip address interface configuration command.

This example shows how to configure a port as a routed port and to assign it an IP address:. You can use this command to exclude the monitoring port status when determining the status of the SVI. Specify a Layer 2 interface physical port or port channel , and enter interface configuration mode.

Exclude the access or trunk port when defining the status of an SVI line state up or down. This example shows how to configure an access or trunk port in an SVI to be excluded from the status calculation:. The default maximum transmission unit MTU size for frames received and transmitted on all interfaces is bytes.

You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command. You can change the MTU size for routed ports by using the system mtu routing global configuration command. If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted, but not applied until the next switch reset. If you do not configure the system mtu jumbo command, the setting of the system mtu command applies to all Gigabit Ethernet interfaces.

When you change the system or jumbo MTU size, you must reset the switch before the new configuration takes effect. The system mtu routing command does not require a switch reset to take effect. Frames sizes that can be received by the switch CPU are limited to bytes, no matter what value was entered with the system mtu or system mtu jumbo commands.

Although frames that are forwarded or routed are typically not received by the CPU, in some cases packets are sent to the CPU, such as traffic sent to control traffic, SNMP, Telnet, or routing protocols. Routed packets are subjected to MTU checks on the output ports. The MTU value used for routed ports is derived from the applied system mtu value not the system mtu jumbo value. The range is to bytes; the default is bytes. Optional Change the system MTU for routed ports.

Although larger packets can be accepted, they cannot be routed. If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted. Once the switch reloads, you can verify your settings by entering the show system mtu privileged EXEC command.

This example shows how to set the maximum packet size for a Gigabit Ethernet port to bytes:

This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:

It applies any other available power to the lower-priority switches. Using quotation marks before and after the name is optional, but you must use quotation marks if you want to include spaces in the port name.

The name can have up to 16 characters. The default mode for RPS ports is active. Set the priority of the RPS port. The range is from 1 to 6, where 1 is the highest priority and 6 is the lowest priority. To return to the default name setting (no configured name), use the power rps port rps-port-id name user EXEC command with no space between the quotation marks.

To return to the default port mode, use the power rps port rps-port-id active command. To return to the default port priority, use the power rps port rps-port-id priority command. For more information about using the power rps user EXEC command, see the command reference for this release.

These sections contain interface monitoring and maintenance information:

Commands entered at the privileged EXEC prompt display information about the interface, including the versions of the software and the hardware, the configuration, and statistics about the interfaces.

Table lists some of these interface monitoring commands. You can display the full list of show commands by using the show? Table Show Commands for Interfaces. (Optional) Display the status and configuration of all interfaces or a specific interface. (Optional) Display interface status or a list of interfaces in an error-disabled state. (Optional) Display administrative and operational status of switching ports.

You can use this command to find out if a port is in routing or in switching mode. (Optional) Display the description configured on an interface or all interfaces and the interface status. (Optional) Display the usability status of all interfaces configured for IP routing or the specified interface.

(Optional) Display the input and output packets by the switching path for the interface. (Optional) Display speed, duplex, and inline power settings on the interface. (Optional) Display temperature, voltage, or amount of current on the interface. Display physical and operational status about an SFP module. Display the running configuration in RAM for the interface.

Display the hardware configuration, software version, the names and sources of configuration files, and the boot images. Display the operational state of the auto-MDIX feature on the interface. Table lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.

Table Clear Commands for Interfaces. Reset the hardware logic on an asynchronous serial line. The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number. Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols.

The interface is not mentioned in any routing updates. Beginning in privileged EXEC mode, follow these steps to shut down an interface:

Updated: April 15, Chapter: Configuring Interface Characteristics.

Configuring Interface Characteristics This chapter defines the types of Catalyst and C interfaces and describes how to configure them. Understanding Interface Types This section describes the different types of supported interfaces with references to chapters that contain more detailed information about configuring these interfaces. Add ports to a VLAN by using the switchport interface configuration commands: Identify the interface.

For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong. For an access port, set and define the VLAN to which it belongs. VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic access port is not a member of any VLAN. Traffic forwarding to and from the port is enabled only when the port VLAN membership is discovered. These trunk port types are supported: In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header.

Native non-tagged frames received from an ISL trunk port are dropped. An All other traffic is sent with a VLAN tag. The VLAN interface exists and is not administratively down. The switch does not reply to the power-consumption messages. The switch can only supply power to or remove power from the PoE port.

Cisco intelligent power management —The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode. The device changes to high-power mode only when it receives confirmation from the switch.

IEEE For more information, see the standard. The switch classifies the detected IEEE device within a power consumption class. Based on the available power in the power budget, the switch determines if a port can be powered.

Table lists these levels. Power Management Modes Supported PoE modes: auto —The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port and if the switch has enough power, it grants power, updates the power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs.

For LED information, see the hardware installation guide. The switch allocates the port configured maximum wattage, and the amount is never adjusted through the IEEE class or by CDP messages from the powered device. Because power is pre-allocated, any powered device that uses less than or equal to the maximum wattage is guaranteed to be powered when it is connected to the static port. The port no longer participates in the first-come, first-served model.

Use this mode only when you want to make sure power is never applied to a PoE-capable port, making the port a data-only port. The switch senses the power consumption of the connected device as follows: 1. Manually when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command 2. Manually when you set the user-defined power level that limits the power allowed on the port by using the power inline auto max max-wattage or the power inline static max max-wattage interface configuration command 3.

Power Consumption Values You can configure the initial power allocation and the maximum power allocation on a port. The Catalyst CPD-8PT switch can provide power to end devices through the eight downlink ports in one of two ways: When the switch receives power from the auxiliary power input, it acts like any other PoE switch and can supply power to end devices connected to the eight downlink ports according to the total power budget.

Possible end devices are IP phones, video cameras, and access points. To enable the power on the pairs, follow these steps:

Step 1  configure terminal
        Changes the mode to global configuration.
Step 3  [no] power inline four-pair forced
        Automatically enables or disables power on both signal and spare pairs from a switch port.
Step 4  end
        Exits configuration mode.

Configuring Power Consumption for Powered Devices on an Interface

When the switch detects a powered device on an interface, it provides the default power to the device.

Step 2  [no] power inline consumption milli-watts
        Sets the PoE consumption in milliwatts of the powered device connected to a specific interface.
Step 3  end
        Exits configuration mode.

The following examples show how to enable or disable the power negotiation protocols:

Switch(config)# [no] lldp run
Switch(config)# [no] cdp run

Note: The Power Device (PD) and Power Source Equipment (PSE) should run the same power negotiation protocol to negotiate power.

The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic. When IP routing protocol parameters and address configuration are added to an SVI or routed port, any IP traffic received from these ports is routed. When configuring fallback bridging, you assign SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group.

All interfaces in the same group belong to the same bridge domain.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  line console 0
        Configure the console.
Step 3  media-type rj45
        Configure the console media type to always be RJ
Step 5  show running-config
        Verify your settings.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# media-type rj45

This configuration terminates an active USB console media type.

Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# no media-type rj45

Configuring the USB Inactivity Timeout

The configurable inactivity timeout reactivates the RJ console port if the USB console port is activated but no input activity occurs on it for a specified time period.

Step 2  line console 0
        Configure the console port.
Step 3  usb-inactivity-timeout timeout-minutes
        Specify an inactivity timeout for the console port.
Step 4  show running-config
        Verify your setting.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 2  boot system flash usbflash0: image
        Configure the switch to boot from the USB flash device.
Step 3  show running-config
        Verify your setting.
Step 4  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Switch# configure terminal
Switch(config)# boot system flash usbflash0: cc-universalk9-mz

To disable booting from flash, enter the no form of the command.

Type: Port types depend on those supported on the switch.
Module number: The module or slot number on the switch (always 0).
Port number: The interface number on the switch.

Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes.

Step 1  Enter the configure terminal command at the privileged EXEC prompt:

Switch# configure terminal
Enter configuration commands, one per line.
Switch(config)#

Step 2  Enter the interface global configuration command.

Configuring a Range of Interfaces

You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:

Step 1  configure terminal
        Enter global configuration mode.

You can use the interface range command to configure up to five port ranges or a previously defined macro.

In a comma-separated port-range, you must enter the interface type for each entry and enter spaces before and after the comma. In a hyphen-separated port-range, you do not need to re-enter the interface type, but you must enter a space before the hyphen.

Step 3  Use the normal configuration commands to apply the configuration parameters to all interfaces in the range.
Step 5  show interfaces [interface-id]
        Verify the configuration of the interfaces in the range.

When using the interface range global configuration command, note these guidelines:

Valid entries for port-range, depending on port types on the switch:
  - vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to
  - port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48

Note: When you use the interface range command with port channels, the first and last port-channel number must be active port channels.

You must add a space between the first interface number and the hyphen when using the interface range command. The interface range command only works with VLAN interfaces that have been configured with the interface vlan command. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command. All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can enter multiple ranges in a command.

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Beginning in privileged EXEC mode, follow these steps to define an interface range macro:

Step 1  configure terminal
        Enter global configuration mode.

A macro can contain up to five comma-separated interface ranges. Each interface-range must consist of the same port type.

Step 5  show running-config | include define
        Show the defined interface range macro configuration.

When using the define interface-range global configuration command, note these guidelines:

Valid entries for interface-range, depending on port types on the switch:
  - vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to
  - port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48

Note: When you use the interface range command with port channels, the first and last port-channel number must be active port channels.

You must add a space between the first interface number and the hyphen when entering an interface-range. The VLAN interfaces must have been configured with the interface vlan command. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.

All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.

Port enable state: All ports are enabled.
Port description: None defined.
Speed: Autonegotiate.
Duplex mode: Autonegotiate.
Flow control: Flow control is set to receive: off.
Broadcast, multicast, and unicast storm control: Disabled.
Protected port: Disabled (Layer 2 interfaces only).
Port security: Disabled (Layer 2 interfaces only).
Port Fast: Disabled.
Keepalive messages: Disabled on SFP module ports; enabled on all other ports.

Step 2  interface interface-id
        Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.

The keywords have these meanings:

auto-select: The switch dynamically selects the type.

When link up is achieved, the switch disables the other type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up.
