
Catalyst 2960 - Cap4


CHAPTER 4

Administering the Switch


• Finding Feature Information, page 71
• Information About Administering the Switch, page 71
• How to Administer the Switch, page 77
• Configuration Examples for Switch Administration, page 96
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Administering the Switch
System Time and Date Management
You can manage the system time and date on your switch using automatic configuration methods (RTC and
NTP), or manual configuration methods.
System Clock
The basis of the time service is the system clock. This clock runs from the moment the system starts up and
keeps track of the date and time.
The system clock can then be set from these sources:
• NTP
• Manual configuration
Software Configuration Guide, Cisco IOS Release 15.2(2)E (Catalyst 2960, 2960-S, 2960-SF and 2960-Plus Switches)
OL-32521-01 71
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as
Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time
(daylight saving time) so that the time appears correctly for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a
time source considered to be authoritative). If it is not authoritative, the time is available only for display
purposes and is not redistributed.
Network Time Protocol
NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol
(UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic
clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient;
no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one
another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative
time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server
receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically
chooses as its time source the device with the lowest stratum number with which it communicates through
NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device
that is not synchronized. NTP also compares the time reported by several devices and does not synchronize
to a device whose time is significantly different than the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically configured;
each device is given the IP address of all devices with which it should form associations. Accurate timekeeping
is possible by exchanging NTP messages between each pair of devices with an association. However, in a
LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces
configuration complexity because each device can simply be configured to send or receive broadcast messages.
However, in that case, information flow is one-way only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or
atomic clock. We recommend that the time service for your network be derived from the public NTP servers
available on the IP Internet.
The figure shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C,
and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP
peer to the upstream and downstream switches, Switch B and Switch F, respectively.
Figure 6: Typical NTP Network Configuration
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is
synchronized through NTP, when in fact it has learned the time by using other means. Other devices then
synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
NTP Stratum
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative
time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server
receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically
chooses as its time source the device with the lowest stratum number with which it communicates through
NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device
that is not synchronized. NTP also compares the time reported by several devices and does not synchronize
to a device whose time is significantly different than the others, even if its stratum is lower.
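The three selection rules stated above (never use an unsynchronized peer, discard a peer whose time disagrees with the others even if its stratum is lower, then prefer the lowest stratum) are easy to misread as "lowest stratum wins". The following Python model, added here as an illustration and not code from Cisco or from this guide, applies the rules to a constructed set of candidate peers. The candidate list, the reported offsets and the one-second "significantly different" threshold are all assumptions made for the example; the real NTP clock selection algorithm in RFC 1305 is more involved than this median check.

```python
from statistics import median

# Constructed candidate NTP peers: (name, stratum, synchronized, reported_offset_seconds).
# The offsets are made-up values for illustration, not measurements from any real server.
CANDIDATES = [
    ("switch-a", 1, True, 0.004),
    ("switch-b", 2, True, -0.003),
    ("switch-c", 2, True, 0.006),
    ("rogue",    1, True, 57.0),     # lowest stratum, but its time disagrees with everyone else
    ("orphan",   3, False, 0.001),   # not itself synchronized, so never usable as a source
]


def select_time_source(candidates, max_deviation=1.0):
    """Pick the peer this device would synchronize to.

    Rule 1: drop peers that are not themselves synchronized.
    Rule 2: drop peers whose reported time differs from the group by more than
            max_deviation seconds (an assumed threshold), regardless of stratum.
    Rule 3: of the survivors, take the lowest stratum; ties go to the closest offset.
    Returns the winning candidate tuple, or None if nothing is acceptable.
    """
    synced = [c for c in candidates if c[2]]
    if not synced:
        return None
    reference = median(c[3] for c in synced)          # robust against a single bad peer
    agreeing = [c for c in synced if abs(c[3] - reference) <= max_deviation]
    if not agreeing:
        return None
    return min(agreeing, key=lambda c: (c[1], abs(c[3] - reference)))


def stratum_after_sync(source):
    """A device that synchronizes to a stratum-N source becomes stratum N+1 itself."""
    return source[1] + 1


if __name__ == "__main__":
    chosen = select_time_source(CANDIDATES)
    print("selected:", chosen[0], "-> this device becomes stratum", stratum_after_sync(chosen))
```

With the constructed list, "rogue" is rejected despite being stratum 1, because its offset is far from the median of the synchronized peers; removing "switch-a" makes the device fall back to a stratum 2 peer rather than to the outlier.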
NTP Associations
The communications between devices running NTP (known as associations) are usually statically configured;
each device is given the IP address of all devices with which it should form associations. Accurate timekeeping
is possible by exchanging NTP messages between each pair of devices with an association. However, in a
LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces
configuration complexity because each device can simply be configured to send or receive broadcast messages.
However, in that case, information flow is one-way only.
NTP Security
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
NTP Implementation
Implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic
clock. We recommend that the time service for your network be derived from the public NTP servers available
on the IP Internet.
If the network is isolated from the Internet, NTP allows a device to act as if it is synchronized through NTP,
when in fact it has learned the time by using other means. Other devices then synchronize to that device
through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
NTP Version 4
NTP version 4 is implemented on the switch. NTPv4 is an extension of NTP version 3. NTPv4 supports both
IPv4 and IPv6 and is backward-compatible with NTPv3.
NTPv4 provides these capabilities:
• Support for IPv6.
• Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on
public key cryptography and standard X509 certificates.
• Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups,
NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the
lowest bandwidth cost. This feature leverages site-local IPv6 multicast addresses.
Note: You can disable NTP packets from being received on routed ports and VLAN interfaces. You cannot
disable NTP packets from being received on access ports.
DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map
hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the
IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain
names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a
commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific
device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify
the hostnames, specify the name server that is present on your network, and enable the DNS.
Default DNS Settings
Table 10: Default DNS Settings
Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.
Login Banners
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner is displayed on all
connected terminals at login and is useful for sending messages that affect all network users (such as impending
system shutdowns).
The login banner is also displayed on all connected terminals. It appears after the MOTD banner and before
the login prompts.
Default Banner Configuration
The MOTD and login banners are not configured.
MAC Address Table
The MAC address table contains address information that the switch uses to forward traffic between ports.
All MAC addresses in the address table are associated with one or more ports. The address table includes
these types of addresses:
• Dynamic address—A source MAC address that the switch learns and then ages when it is not in use.
• Static address—A manually entered unicast address that does not age and that is not lost when the switch
resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated
with the address and the type (static or dynamic).
MAC Address Table Creation
With multiple MAC addresses supported on all ports, you can connect any port on the switch to other network
devices. The switch provides dynamic addressing by learning the source address of packets it receives on
each port and adding the address and its associated port number to the address table. As devices are added or
removed from the network, the switch updates the address table, adding new dynamic addresses and aging
out those that are not in use.
The aging interval is globally configured. However, the switch maintains an address table for each VLAN,
and STP can accelerate the aging interval on a per-VLAN basis.
The switch sends packets between any combination of ports, based on the destination address of the received
packet. Using the MAC address table, the switch forwards the packet only to the port associated with the
destination address. If the destination address is on the port that sent the packet, the packet is filtered and not
forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked
for errors before transmission.
MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different
destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9,
10, and 1 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another
until it is learned or statically associated with a port in the other VLAN.
Default MAC Address Table Settings
The following table shows the default settings for the MAC address table.
Table 11: Default Settings for the MAC Address
Feature            Default Setting
Aging time         300 seconds
Dynamic addresses  Automatically learned
Static addresses   None configured
ARP Table Management
To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC
address or the local data link address of that device. The process of learning the local data link address from
an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC
addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC
address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP
datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and
ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access
Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword)
is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
How to Administer the Switch
Configuring the Time and Date Manually
System time remains accurate through restarts and reboots; however, you can manually configure the time and
date after the system is restarted.
We recommend that you use manual configuration only when necessary. If you have an outside source to
which the switch can synchronize, you do not need to manually set the system clock.
Note: You must reconfigure this setting if you have manually configured the system clock before the stack
master fails and a different stack member assumes the role of stack master.
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not
need to manually set the system clock.
SUMMARY STEPS
1. Use one of the following:
• clock set hh:mm:ss day month year
• clock set hh:mm:ss month day year
DETAILED STEPS
Step 1
Command or Action: Use one of the following:
• clock set hh:mm:ss day month year
• clock set hh:mm:ss month day year
Example:
Switch# clock set 13:32:00 23 March 2013
Purpose: Sets the system clock using one of these formats:
• hh:mm:ss—Specifies the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
• day—Specifies the day by date in the month.
• month—Specifies the month by name.
• year—Specifies the year (no abbreviation).
Configuring the Time Zone
SUMMARY STEPS
1. configure terminal
2. clock timezone zone hours-offset [minutes-offset]
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: clock timezone zone hours-offset [minutes-offset]
Example:
Switch(config)# clock timezone AST -3 30
Purpose: Sets the time zone. Internal time is kept in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.
• zone—Enters the name of the time zone to be displayed when standard time is in effect. The default is UTC.
• hours-offset—Enters the hours offset from UTC.
• (Optional) minutes-offset—Enters the minutes offset from UTC. This is available where the local time zone is a fraction of an hour different from UTC.
Step 3
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode.
The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
Configuring Summer Time (Daylight Saving Time)
To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the
week each year, perform this task:
SUMMARY STEPS
1. configure terminal
2. clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
3. clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
4. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
Example:
Switch(config)# clock summer-time PDT date 10 March 2013 2:00 3 November 2013 2:00
Purpose: Configures summer time to start and end on specified days every year.
Step 3
Command or Action: clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
Example:
Switch(config)# clock summer-time PDT recurring 10 March 2013 2:00 3 November 2013 2:00
Purpose: Configures summer time to start and end on the specified days every year. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
• zone—Specifies the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• (Optional) week—Specifies the week of the month (1 to 4, first, or last).
• (Optional) day—Specifies the day of the week (Sunday, Monday...).
• (Optional) month—Specifies the month (January, February...).
• (Optional) hh:mm—Specifies the time (24-hour format) in hours and minutes.
• (Optional) offset—Specifies the number of minutes to add during summer time. The default is 60.
Step 4
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode.
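The time zone and summer time procedures above both only change how the internal UTC clock is displayed, and two details are easy to get wrong when reading a configuration: the minutes-offset takes the sign of the hours-offset (so AST -3 30 is UTC-3:30), and in a recurring rule the start clause is judged against standard time while the end clause is judged against summer time, with a start month later than the end month meaning the southern hemisphere. The Python below is an added worked model of those rules, not code from Cisco or from this guide; US_RULES (second Sunday of March to first Sunday of November, the dates the page's example uses for 2013) and the ISO-formatted input are assumptions made for the example.

```python
import calendar
from datetime import datetime, timedelta

# Python's weekday() numbering: Monday = 0 ... Sunday = 6
WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}
MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_name) if name}

# Assumed default rules for "clock summer-time zone recurring" with no parameters:
# (start_week, start_day, start_month, start_hh:mm, end_week, end_day, end_month, end_hh:mm)
US_RULES = (2, "Sunday", "March", "2:00", 1, "Sunday", "November", "2:00")


def timezone_offset(hours_offset, minutes_offset=0):
    """clock timezone zone hours-offset [minutes-offset]: the minutes part carries the
    sign of the hours part, so (-3, 30) is UTC-3:30 as the chapter's AST example states."""
    sign = -1 if hours_offset < 0 else 1
    return timedelta(hours=hours_offset, minutes=sign * minutes_offset)


def recurring_transition(year, week, day, month, hh_mm):
    """Resolve one 'week day month hh:mm' clause of a recurring rule to a local datetime.
    week is 1-4, 'first' or 'last' (the values the command accepts)."""
    month_no = MONTHS[month.lower()]
    wanted = WEEKDAYS[day.lower()]
    hour, minute = (int(x) for x in hh_mm.split(":"))
    if str(week).lower() == "last":
        d = datetime(year, month_no, calendar.monthrange(year, month_no)[1], hour, minute)
        while d.weekday() != wanted:
            d -= timedelta(days=1)
        return d
    n = 1 if str(week).lower() == "first" else int(week)
    d = datetime(year, month_no, 1, hour, minute)
    while d.weekday() != wanted:
        d += timedelta(days=1)
    return d + timedelta(weeks=n - 1)


def display_time(utc_time, hours_offset, minutes_offset=0, summer=None, offset_minutes=60):
    """Convert the internal UTC clock (datetime or ISO string) to the displayed local time.
    summer is a rule tuple shaped like US_RULES, or None when summer time is disabled."""
    if isinstance(utc_time, str):
        utc_time = datetime.fromisoformat(utc_time)
    standard = utc_time + timezone_offset(hours_offset, minutes_offset)
    if summer is None:
        return standard
    sw, sd, sm, st, ew, ed, em, et = summer
    start = recurring_transition(standard.year, sw, sd, sm, st)   # compared in standard time
    end = recurring_transition(standard.year, ew, ed, em, et)     # compared in summer time
    summer_clock = standard + timedelta(minutes=offset_minutes)
    if MONTHS[sm.lower()] <= MONTHS[em.lower()]:
        in_summer = start <= standard and summer_clock < end
    else:   # start month after end month: southern hemisphere, summer spans the new year
        in_summer = start <= standard or summer_clock < end
    return summer_clock if in_summer else standard


if __name__ == "__main__":
    print("AST -3 30 at 12:00 UTC displays", display_time("2013-03-23T12:00", -3, 30).time())
    print("PDT starts", recurring_transition(2013, *US_RULES[:4]).date(),
          "and ends", recurring_transition(2013, *US_RULES[4:]).date())
```

Running it reproduces the page's 2013 dates (10 March and 3 November) from the recurring rule, and shows why the 01:30 local reading appears twice on the November transition night while 02:00 to 02:59 never appears on the March one.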
Configuring a System Name
SUMMARY STEPS
1. configure terminal
2. hostname name
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: hostname name
Example:
Switch(config)# hostname remote-users
Purpose: Configures a system name. When you set the system name, it is also used as the system prompt. The default setting is Switch. The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.
Step 3
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode.
Setting Up DNS
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you
configure a hostname that contains no periods (.), a period followed by the default domain name is appended
to the hostname before the DNS query is made to map the name to an IP address. The default domain name
is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname,
the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
SUMMARY STEPS
1. configure terminal
2. ip domain-name name
3. ip name-server server-address1 [server-address2 ... server-address6]
4. ip domain-lookup [nsap | source-interface interface]
5. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: ip domain-name name
Example:
Switch(config)# ip domain-name Cisco.com
Purpose: Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name. At boot time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).
Step 3
Command or Action: ip name-server server-address1 [server-address2 ... server-address6]
Example:
Switch(config)# ip name-server 192.168.1.100 192.168.1.200 192.168.1.300
Purpose: Specifies the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
Step 4
Command or Action: ip domain-lookup [nsap | source-interface interface]
Example:
Switch(config)# ip domain-lookup
Purpose: (Optional) Enables DNS-based hostname-to-address translation on your switch. This feature is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Step 5
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode.
To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the switch, use the no ip domain-lookup global configuration command.
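Two rules from the system-name and DNS procedures above are worth having in executable form when reviewing a configuration: the ARPANET hostname rules (letter first, letter or digit last, only letters, digits and hyphens inside, at most 63 characters) and the name-qualification rule (an IP literal triggers no query, a name without a period gets the default domain appended, a dotted name is queried unchanged), followed by the primary-then-backup server order. The Python below is an added example, not code from Cisco or from this guide. FAKE_ZONE and fake_lookup are a constructed stand-in for real DNS, and the behaviour when no default domain is configured at all (querying the bare name) is an assumption the page does not state.

```python
import re
from ipaddress import ip_address

# letter first, letter-or-digit last, letters/digits/hyphens between; a single letter is valid
HOSTNAME_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def valid_hostname(name):
    """ARPANET hostname rules as stated for the hostname command, including the 63-char limit."""
    return len(name) <= 63 and HOSTNAME_RE.fullmatch(name) is not None


def qualify(name, default_domain=None):
    """Return the name that would actually be sent to DNS, or None when no query happens."""
    try:
        ip_address(name)          # an IP literal is used as-is, no lookup at all
        return None
    except ValueError:
        pass
    if "." not in name:
        if default_domain is None:
            return name           # assumption: with no ip domain-name, the bare name is queried
        return f"{name}.{default_domain.lstrip('.')}"   # page: do not include the initial period
    return name                   # a dotted name is looked up without appending anything


def resolve(name, servers, lookup, default_domain=None):
    """Query the configured servers in order (primary first, then backups on failure) through the
    lookup(server, qname) callable. Returns (server_used, address), or None if all servers fail."""
    qname = qualify(name, default_domain)
    if qname is None:
        return (None, name)
    for server in servers[:6]:    # the command accepts at most six name servers
        addr = lookup(server, qname)
        if addr is not None:
            return (server, addr)
    return None


# Constructed stand-in for real DNS: only the second server knows the name, and only its FQDN.
FAKE_ZONE = {("192.168.1.200", "ftp.example.com"): "198.51.100.7"}


def fake_lookup(server, qname):
    return FAKE_ZONE.get((server, qname))


if __name__ == "__main__":
    servers = ["192.168.1.100", "192.168.1.200"]
    print(valid_hostname("remote-users"), valid_hostname("1st-switch"), valid_hostname("core_"))
    print(resolve("ftp", servers, fake_lookup, default_domain="example.com"))
    print(resolve("192.168.1.100", servers, fake_lookup))
```

In the constructed run, "ftp" only resolves because the default domain turns it into ftp.example.com and the primary server's failure falls through to the backup; "ftp.example.com." would be looked up as-is.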
What to Do Next
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the
switch.
SUMMARY STEPS
1. configure terminal
2. banner motd c message c
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: banner motd c message c
Example:
Switch(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Purpose: Specifies the message of the day.
• c—Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
• message—Enters a banner message up to 255 characters. You cannot use the delimiting character in the message.
Step 3
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode. To delete the MOTD banner, use the no banner motd global configuration command.
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the
MOTD banner and before the login prompt.
SUMMARY STEPS
1. configure terminal
2. banner login c message c
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: banner login c message c
Example:
Switch(config)# banner login $
Access for authorized users only.
Please enter your username and password.
$
Purpose: Specifies the login message.
• c—Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
• message—Enters a login message up to 255 characters. You cannot use the delimiting character in the message.
Step 3
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode. To delete the login banner, use the no banner login global configuration command.
Managing the MAC Address Table
Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual
workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing
by learning the source address of packets it receives on each port and adding the address and its associated
port number to the address table. As stations are added or removed from the network, the switch updates the
address table, adding new dynamic addresses and aging out those that are not in use.
The aging interval is globally configured. However, the switch maintains an address table for each VLAN,
and STP can accelerate the aging interval on a per-VLAN basis.
The switch sends packets between any combination of ports, based on the destination address of the received
packet. Using the MAC address table, the switch forwards the packet only to the port associated with the
destination address. If the destination address is on the port that sent the packet, the packet is filtered and not
forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked
for errors before transmission.
MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different
destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9,
10, and 1 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another
until it is learned or statically associated with a port in the other VLAN.
Default MAC Address Table Settings
The following table shows the default settings for the MAC address table.
Table 12: Default Settings for the MAC Address
Feature Default Setting
Aging time 300 seconds
Dynamic addresses Automatically learned
Static addresses None configured
Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.
You can change the aging time setting for all VLANs or for a specified VLAN.
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the
switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as
the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can
cause the address table to be filled with unused addresses, which prevents new addresses from being learned.
Flooding results, which can impact switch performance.
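The aging trade-off above (too short a timer and known unicast traffic degrades into floods; too long and stale entries crowd out new learning) is easier to reason about against a working model of the table. The Python below is an added example, not code from Cisco or from this guide: a per-VLAN table with dynamic learning, a global aging time (0 disables aging, as the command allows), static entries that never age, filtering of frames whose destination is on the ingress port, and flooding of unknown destinations. The traffic sequence in demo() is constructed to show the same frame being forwarded to one port with the default 300-second timer still live and flooded once the entries have aged.

```python
class MacAddressTable:
    """Per-VLAN MAC address table: dynamic entries are learned from source addresses and aged
    out after aging_time seconds of non-use; static entries never age and are not overwritten."""

    def __init__(self, aging_time=300):
        self.aging_time = aging_time     # global default 300 s; 0 disables aging
        self.tables = {}                 # vlan -> {mac: (port, last_used, is_static)}

    def _vlan(self, vlan):
        return self.tables.setdefault(vlan, {})

    def add_static(self, vlan, mac, port):
        self._vlan(vlan)[mac] = (port, None, True)

    def learn(self, vlan, mac, port, now):
        entry = self._vlan(vlan).get(mac)
        if entry is not None and entry[2]:
            return                       # learning never replaces a static entry
        self._vlan(vlan)[mac] = (port, now, False)

    def age(self, now):
        """Remove dynamic entries unused for longer than aging_time; returns how many were removed."""
        if self.aging_time == 0:
            return 0
        removed = 0
        for table in self.tables.values():
            for mac, (port, last_used, is_static) in list(table.items()):
                if not is_static and now - last_used > self.aging_time:
                    del table[mac]
                    removed += 1
        return removed

    def forward(self, vlan, src, dst, in_port, ports, now):
        """Return the set of egress ports for a frame: learn the source, age the table, then
        forward to the known port, filter if that port is the ingress port, or flood otherwise."""
        self.learn(vlan, src, in_port, now)
        self.age(now)
        entry = self._vlan(vlan).get(dst)
        if entry is None:
            return {p for p in ports if p != in_port}          # unknown destination: flood
        out_port, _, is_static = entry
        if not is_static:
            self._vlan(vlan)[dst] = (out_port, now, False)     # using an entry refreshes it
        return set() if out_port == in_port else {out_port}    # filtered vs. forwarded


def demo(aging_time):
    """Constructed three-frame sequence on VLAN 1 with ports 1-4; returns the egress sets."""
    table = MacAddressTable(aging_time)
    ports = {1, 2, 3, 4}
    return [
        table.forward(1, "aa:01", "bb:02", 1, ports, now=0),    # bb unknown: flood
        table.forward(1, "bb:02", "aa:01", 2, ports, now=1),    # aa known on port 1
        table.forward(1, "cc:03", "bb:02", 3, ports, now=400),  # bb aged out? depends on timer
    ]


if __name__ == "__main__":
    for t in (300, 1000, 0):
        print(f"aging-time {t:>4}: {demo(t)}")
```

With the default 300-second timer the third frame is flooded because both learned entries have gone 399 seconds unused; with a 1000-second timer, or with aging disabled, it goes only to port 2.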
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
SUMMARY STEPS
1. configure terminal
2. mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]
Example:
Switch(config)# mac address-table aging-time 500 vlan 2
Purpose: Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.
• vlan-id—Valid IDs are 1 to 4094.
Step 3
Command or Action: end
Example:
Switch(config)# end
Purpose: Returns to privileged EXEC mode.
To return to the default value, use the no mac address-table aging-time global configuration command.
Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC
mode. You can also remove a specific MAC address (clear mac address-table dynamic address macaddress),
remove all addresses on the specified physical port or port channel (clear mac address-table
dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table
dynamic vlan vlan-id).
To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged
EXEC command.
Configuring MAC Address Change Notification Traps
MAC address change notification tracks users on a network by storing the MAC address change activity.
When the switch learns or removes a MAC address, an SNMP notification trap can be sent to the NMS. If
you have many users coming and going from the network, you can set a trap-interval time to bundle the
notification traps to reduce network traffic. The MAC notification history table stores MAC address activity
for each port for which the trap is set. MAC address change notifications are generated for dynamic and secure
MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address change
notification traps to an NMS host:
SUMMARY STEPS
1. configure terminal
2. snmp-server host host-addr community-string notification-type {informs | traps} {version {1 | 2c | 3}} {vrf vrf instance name}
3. snmp-server enable traps mac-notification change
4. mac address-table notification change
5. mac address-table notification change [interval value] [history-size value]
6. interface interface-id
7. snmp trap mac-notification change {added | removed}
8. end
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2 snmp-server host host-addr community-string notification-type {informs | traps} {version {1 | 2c | 3}} {vrf vrf instance name}
Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
• vrf vrf instance name—Specifies the VPN routing/forwarding instance for this host.
Example:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 3 snmp-server enable traps mac-notification change
Enables the switch to send MAC address change notification traps to the NMS.
Example:
Switch(config)# snmp-server enable traps mac-notification change
Step 4 mac address-table notification change
Enables the MAC address change notification feature.
Example:
Switch(config)# mac address-table notification change
Step 5 mac address-table notification change [interval value] [history-size value]
Enters the trap interval time and the history table size.
• (Optional) interval value—Specifies the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
• (Optional) history-size value—Specifies the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.
Example:
Switch(config)# mac address-table notification change interval 123
Switch(config)# mac address-table notification change history-size 100
Step 6 interface interface-id
Enters interface configuration mode, and specifies the Layer 2 interface on which to enable the SNMP MAC address notification trap.
Example:
Switch(config)# interface gigabitethernet1/0/2
Step 7 snmp trap mac-notification change {added | removed}
Enables the MAC address change notification trap on the interface.
• added—Enables the trap when a MAC address is added on this interface.
• removed—Enables the trap when a MAC address is removed from this interface.
Example:
Switch(config-if)# snmp trap mac-notification change added
Step 8 end
Returns to privileged EXEC mode.
Example:
Switch(config-if)# end
To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command. To disable the MAC address-change notification traps on a specific interface, use the no snmp trap mac-notification change {added | removed} interface configuration command. To disable the MAC address-change notification feature, use the no mac address-table notification change global configuration command.
You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.
Configuring MAC Address Move Notification Traps
When you configure MAC-move notification, an SNMP notification is generated and sent to the network
management system whenever a MAC address moves from one port to another within the same VLAN.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address-move
notification traps to an NMS host:
SUMMARY STEPS
1. configure terminal
2. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
3. snmp-server enable traps mac-notification move
4. mac address-table notification mac-move
5. end
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
Example:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 3 snmp-server enable traps mac-notification move
Enables the switch to send MAC address move notification traps to the NMS.
Example:
Switch(config)# snmp-server enable traps mac-notification move
Step 4 mac address-table notification mac-move
Enables the MAC address move notification feature.
Example:
Switch(config)# mac address-table notification mac-move
Step 5 end
Returns to privileged EXEC mode.
Example:
Switch(config)# end
To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification move global configuration command. To disable the MAC address-move notification feature, use the no mac address-table notification mac-move global configuration command.
You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC command.
Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the network
management system when a MAC address table threshold limit is reached or exceeded.
SUMMARY STEPS
1. configure terminal
2. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
3. snmp-server enable traps mac-notification threshold
4. mac address-table notification threshold
5. mac address-table notification threshold [limit percentage] | [interval time]
6. end
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. You can set this string by using the snmp-server host command, but we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
Example:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 3 snmp-server enable traps mac-notification threshold
Enables MAC threshold notification traps to the NMS.
Example:
Switch(config)# snmp-server enable traps mac-notification threshold
Step 4 mac address-table notification threshold
Enables the MAC address threshold notification feature.
Example:
Switch(config)# mac address-table notification threshold
Step 5 mac address-table notification threshold [limit percentage] | [interval time]
Enters the threshold value for the MAC address threshold usage monitoring.
• (Optional) limit percentage—Specifies the percentage of the MAC address table use; valid values are from 1 to 100 percent. The default is 50 percent.
• (Optional) interval time—Specifies the time between notifications; valid values are greater than or equal to 120 seconds. The default is 120 seconds.
Example:
Switch(config)# mac address-table notification threshold interval 123
Switch(config)# mac address-table notification threshold limit 78
Step 6 end
Returns to privileged EXEC mode.
Example:
Switch(config)# end
Adding and Removing Static Address Entries
SUMMARY STEPS
1. configure terminal
2. mac address-table static mac-addr vlan vlan-id interface interface-id
3. end
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id
Adds a static address to the MAC address table.
• mac-addr—Specifies the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
• vlan-id—Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
• interface-id—Specifies the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels. For static multicast addresses, you can enter multiple interface IDs. For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.
Example:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet 1/0/1
Step 3 end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Switch(config)# end
Configuring Unicast MAC Address Filtering
SUMMARY STEPS
1. configure terminal
2. mac address-table static mac-addr vlan vlan-id drop
3. end
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2 mac address-table static mac-addr vlan vlan-id drop
Enables unicast MAC address filtering and configures the switch to drop a packet with the specified source or destination unicast static address.
• mac-addr—Specifies a source or destination unicast MAC address (48-bit). Packets with this MAC address are dropped.
• vlan-id—Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
Example:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
Step 3 end
Returns to privileged EXEC mode.
Example:
Switch(config)# end
Disabling MAC Address Learning on a VLAN Guidelines
By default, MAC address learning is enabled on all VLANs on the switch. You can control MAC address
learning on a VLAN to manage the available MAC address table space by controlling which VLANs, and
therefore which ports, can learn MAC addresses. Before you disable MAC address learning, be sure that you
are familiar with the network topology and the switch system configuration. Disabling MAC address learning
on a VLAN could cause flooding in the network.
Follow these guidelines when disabling MAC address learning on a VLAN:
• Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface
(SVI). The switch then floods all IP packets in the Layer 2 domain.
• You can disable MAC address learning on a single VLAN ID (for example, no mac address-table learning vlan 223) or on a range of VLAN IDs (for example, no mac address-table learning vlan 1-20, 15).
• We recommend that you disable MAC address learning only in VLANs with two ports. If you disable
MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded
in that VLAN domain.
• You cannot disable MAC address learning on a VLAN that is used internally by the switch. If the VLAN
ID that you enter is an internal VLAN, the switch generates an error message and rejects the command.
To view internal VLANs in use, enter the show vlan internal usage privileged EXEC command.
• If you disable MAC address learning on a VLAN configured as a private-VLAN primary VLAN, MAC
addresses are still learned on the secondary VLAN that belongs to the private VLAN and are then
replicated on the primary VLAN. If you disable MAC address learning on the secondary VLAN, but
not the primary VLAN of a private VLAN, MAC address learning occurs on the primary VLAN and is
replicated on the secondary VLAN.
• You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
• If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is
not disabled on that port. If you disable port security, the configured MAC address learning state is
enabled.
Disabling MAC Address Learning on a VLAN
Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:
SUMMARY STEPS
1. configure terminal
2. no mac address-table learning vlan vlan-id
3. end
4. show mac address-table learning [vlan vlan-id]
5. copy running-config startup-config
DETAILED STEPS
Step 1 configure terminal
Enters global configuration mode.
Step 2 no mac address-table learning vlan vlan-id
Disables MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.
Example:
Switch(config)# no mac address-table learning vlan 200
Step 3 end
Returns to privileged EXEC mode.
Step 4 show mac address-table learning [vlan vlan-id]
Verifies the configuration.
Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
What to Do Next
To reenable MAC address learning on a VLAN, use the default mac address-table learning vlan vlan-id global configuration command. You can also reenable MAC address learning on a VLAN by entering the mac address-table learning vlan vlan-id global configuration command. The first (default) command returns to a default condition and therefore does not appear in the output from the show running-config command. The second command causes the configuration to appear in the show running-config privileged EXEC command display.
You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac address-table learning [vlan vlan-id] privileged EXEC command.
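As an added illustration (not code from the Cisco guide), this Python model captures the MAC address table behaviour described in the preceding sections: dynamic learning refreshed by the aging-time timer, static entries that never age and raise no notification, unicast drop filters, learning disabled on a VLAN (which forces unknown-unicast flooding), and the added/moved/removed events of the kind the mac-notification traps report. Class names, port names and the sample addresses are constructed; the page's own example address c2f3.220a.12f4 is reused.

```python
from dataclasses import dataclass, field

FLOOD = "flood"   # frame is flooded to every port in the VLAN (unknown unicast)


@dataclass
class Entry:
    port: str          # interface the address is bound to or was learned on
    static: bool       # static entries are never aged or removed
    last_used: float   # time of last use/update; drives aging (dynamic only)


@dataclass
class MacTable:
    """Constructed model of one switch's MAC address table (not Cisco code)."""
    aging_time: int = 300                              # seconds; 0 disables aging
    entries: dict = field(default_factory=dict)        # (vlan, mac) -> Entry
    drops: set = field(default_factory=set)            # (vlan, mac) drop filters
    learning_off: set = field(default_factory=set)     # VLANs with learning disabled
    events: list = field(default_factory=list)         # what the traps would report

    def add_static(self, mac, vlan, port):
        # mac address-table static <mac> vlan <id> interface <port>: never aged,
        # and no change notification is generated for static addresses
        self.entries[(vlan, mac)] = Entry(port, True, 0.0)

    def add_drop(self, mac, vlan):
        # mac address-table static <mac> vlan <id> drop: unicast filtering
        self.drops.add((vlan, mac))

    def learn(self, mac, vlan, port, now):
        key = (vlan, mac)
        if vlan in self.learning_off or key in self.drops:
            return                            # nothing is learned in this VLAN
        cur = self.entries.get(key)
        if cur is None:                       # new dynamic entry: "added" trap
            self.entries[key] = Entry(port, False, now)
            self.events.append(("added", vlan, mac, port))
        elif not cur.static:
            if cur.port != port:              # same VLAN, new port: mac-move trap
                self.events.append(("moved", vlan, mac, cur.port, port))
                cur.port = port
            cur.last_used = now               # refresh the aging timer

    def age(self, now):
        # remove dynamic entries idle for aging_time seconds; static ones survive
        if self.aging_time == 0:
            return
        for key, e in list(self.entries.items()):
            if not e.static and now - e.last_used >= self.aging_time:
                del self.entries[key]
                self.events.append(("removed", key[0], key[1], e.port))

    def forward(self, src, dst, vlan, in_port, now):
        """Egress port for a frame, FLOOD for unknown unicast, None if dropped."""
        if (vlan, src) in self.drops or (vlan, dst) in self.drops:
            return None                       # filtered by source or destination
        self.learn(src, vlan, in_port, now)
        e = self.entries.get((vlan, dst))
        return e.port if e else FLOOD

    def count(self, vlan):
        # analogue of "show mac address-table count" for one VLAN
        return sum(1 for (v, _m) in self.entries if v == vlan)
```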
Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands described in this table:
Table 13: Commands for Displaying the MAC Address Table
Command Description
show ip igmp snooping groups Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address Displays MAC address table information for the specified MAC address.
show mac address-table aging-time Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic Displays only dynamic MAC address table entries.
show mac address-table interface Displays the MAC address table information for the specified interface.
show mac address-table learning Displays MAC address learning status of all VLANs or the specified VLAN.
show mac address-table notification Displays the MAC notification parameters and history table.
show mac address-table static Displays only static MAC address table entries.
show mac address-table vlan Displays the MAC address table information for the specified VLAN.
Configuration Examples for Switch Administration
Example: Setting the System Clock
This example shows how to manually set the system clock:
Switch# clock set 13:32:00 23 July 2013
Examples: Configuring Summer Time
This example (for daylight saving time) shows how to specify that summer time starts on March 10 at 02:00 and ends on November 3 at 02:00:
Switch(config)# clock summer-time PDT date 10 March 2013 2:00 3 November 2013 2:00
This example shows how to set summer time start and end dates:
Switch(config)# clock summer-time PST date 20 March 2013 2:00 20 November 2013 2:00
Example: Configuring a MOTD Banner
This example shows how to configure a MOTD banner by using the pound sign (#) symbol as the beginning
and ending delimiter:
Switch(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#
This example shows the banner that appears from the previous configuration:
Unix> telnet 192.0.2.15
Trying 192.0.2.15...
Connected to 192.0.2.15.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
Example: Configuring a Login Banner
This example shows how to configure a login banner by using the dollar sign ($) symbol as the beginning
and ending delimiter:
Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)#
Example: Configuring MAC Address Change Notification Traps
This example shows how to specify 172.20.10.10 as the NMS, enable MAC address notification traps to the
NMS, enable the MAC address-change notification feature, set the interval time to 123 seconds, set the
history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification change
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 123
Switch(config)# mac address-table notification change history-size 100
Switch(config)# interface gigabitethernet1/2/1
Switch(config-if)# snmp trap mac-notification change added
Example: Configuring MAC Threshold Notification Traps
This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification
feature, set the interval time to 123 seconds, and set the limit to 78 percent:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification threshold
Switch(config)# mac address-table notification threshold
Switch(config)# mac address-table notification threshold interval 123
Switch(config)# mac address-table notification threshold limit 78
Example: Adding the Static Address to the MAC Address Table
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet
is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified
port:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet1/1/1
Example: Configuring Unicast MAC Address Filtering
This example shows how to enable unicast MAC address filtering and how to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop