Administering the Switch

This chapter describes how to perform one-time operations to administer the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

note.gif

Noteblank.gif Stacking is supported only on Catalyst 2960-S switches running the LAN base image.


This chapter consists of these sections:

Identifying the Switch Image

The Catalyst 2960 and 2960-S switches run one of these images:

  • The LAN base software image provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features. On a Catalyst 2960-S switch, stacking is also supported.
  • The LAN Lite image provides reduced functionality.

The Catalyst 2960-S ships with a universal image that includes cryptographic functionality. The software image on the switch is either the LAN base or LAN Lite image, depending on the switch model. To determine which image your switch is running:

  • Switches running the LAN Lite image do not support the FlexStack module. They do not have a FlexStack module slot on the rear of the switch.
  • On the front of the switch, the label in the top right corner ends in -L if the switch model runs the LAN base image and -S if the switch model runs the LAN Lite image.
  • Enter the show version privileged EXEC command. The line that shows the product ID also ends in either -L (if running the LAN base image) or -S (if running the LAN Lite image). For example, WS-C2960S-48PD-L is running LAN base; WS-C2960S-24TS-S is running LAN Lite image.
  • Enter the show license privileged EXEC command, and see which is the active image:
Switch# show license
Index 1 Feature: lanlite
Period left: 0 minute 0 second
Index 2 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted

Managing the System Time and Date

You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.

note.gif

Noteblank.gif For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference on Cisco.com.


These sections contain this configuration information:

Understanding the System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.

The system clock can then be set from these sources:

  • NTP
  • Manual configuration

The system clock can provide time to these services:

  • User show commands
  • Logging and debugging messages

The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section.

Understanding Network Time Protocol

The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.

NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.

The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.

Figure 5-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

Figure 5-1 Typical NTP Network Configuration

 

101349.ps

If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.

When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

NTP Version 4

NTP version 4 is implemented on the switch. NTPv4 is an extension of NTP version 3. NTPv4 supports both IPv4 and IPv6 and is backward-compatible with NTPv3.

NTPv4 provides these capabilities:

  • Support for IPv6.
  • Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on public key cryptography and standard X509 certificates.
  • Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups, NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the lowest bandwidth cost. This feature leverages site-local IPv6 multicast addresses.
note.gif

Noteblank.gif You can disable NTP packets from being received on routed ports and VLAN interfaces. You cannot disable NTP packets from being received on access ports. For details, see the “Disabling NTPv4 Services on a Specific Interface” section of the “Implementing NTPv4 in IPv6” chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T.


For details about configuring NTPv4, see the “Implementing NTPv4 in IPv6” chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock.

note.gif

Noteblank.gif You must reset this setting if you have manually set the system clock and the stack master fails and different stack member resumes the role of stack master.


These sections contain this configuration information:

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Beginning in privileged EXEC mode, follow these steps to set the system clock:

 

Command
Purpose

Step 1

clock set hh : mm : ss day month year

or

clock set hh : mm : ss month day year

Manually set the system clock using one of these formats.

  • For hh : mm : ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
  • For day, specify the day by date in the month.
  • For month, specify the month by name.
  • For year, specify the year (no abbreviation).

This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:

Switch# clock set 13:32:00 23 July 2001

Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [ detail ] privileged EXEC command.

The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.

The symbol that precedes the show clock display has this meaning:

  • *—Time is not authoritative.
  • (blank)—Time is authoritative.
  • .—Time is authoritative, but NTP is not synchronized.

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

clock timezone zone hours-offset [ minutes-offset ]

Set the time zone.

The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.

  • For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
  • For hours-offset, enter the hours offset from UTC.
  • (Optional) For minutes-offset, enter the minutes offset from UTC.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and.5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.

To set the time to UTC, use the no clock timezone global configuration command.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

clock summer-time zone recurring [ week day month hh : mm week day month hh : mm [ offset ]]

Configure summer time to start and end on the specified days every year.

Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.

  • For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
  • (Optional) For week, specify the week of the month (1 to 5 or last).
  • (Optional) For day, specify the day of the week (Sunday, Monday...).
  • (Optional) For month, specify the month (January, February...).
  • (Optional) For hh : mm, specify the time (24-hour format) in hours and minutes.
  • (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:

Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
 

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

clock summer-time zone date [ month date year hh : mm month date year hh : mm [ offset ]]

or

clock summer-time zone date [ date month year hh : mm date month year hh : mm [ offset ]]

Configure summer time to start on the first date and end on the second date.

Summer time is disabled by default.

  • For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
  • (Optional) For week, specify the week of the month (1 to 5 or last).
  • (Optional) For day, specify the day of the week (Sunday, Monday...).
  • (Optional) For month, specify the month (January, February...).
  • (Optional) For hh : mm, specify the time (24-hour format) in hours and minutes.
  • (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

To disable summer time, use the no clock summer-time global configuration command.

This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:

Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch.

If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes.

If you are accessing a stack member through the stack master, you must use the session stack-member-number privileged EXEC command. The stack member number range is from 1 through 4. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.

For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.

These sections contain this configuration information:

Default System Name and Prompt Configuration

The default switch system name and prompt is Switch .

Configuring a System Name

Beginning in privileged EXEC mode, follow these steps to manually configure a system name:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

hostname name

Manually configure a system name.

The default setting is switch.

The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-confi g

(Optional) Save your entries in the configuration file.

When you set the system name, it is also used as the system prompt.

To return to the default hostname, use the no hostname global configuration command.

Understanding DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.

These sections contain this configuration information:

Default DNS Configuration

Table 5-1 shows the default DNS configuration.

 

Table 5-1 Default DNS Configuration

Feature
Default Setting

DNS enable state

Enabled.

DNS default domain name

None configured.

DNS servers

No name server addresses are configured.

Setting Up DNS

Beginning in privileged EXEC mode, follow these steps to set up your switch to use the DNS:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip domain-name name

Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Do not include the initial period that separates an unqualified name from the domain name.

At boot-up time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).

Step 3

ip name-server server-address1 [ server-address2... server-address6 ]

Specify the address of one or more name servers to use for name and address resolution.

You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 4

ip domain-lookup

(Optional) Enable DNS-based hostname-to-address translation on your switch. This feature is enabled by default.

If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 5

end

Return to privileged EXEC mode.

Step 6

show running-config

Verify your entries.

Step 7

copy running-config startup-config

(Optional) Save your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.

To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the switch, use the no ip domain-lookup global configuration command.

Displaying the DNS Configuration

To display the DNS configuration information, use the show running-config privileged EXEC command.

Creating a Banner

You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).

The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts.

note.gif

Noteblank.gif For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.


These sections contain this configuration information:

Default Banner Configuration

The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.

Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

banner motd c message c

Specify the message of the day.

For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To delete the MOTD banner, use the no banner motd global configuration command.

This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter:

Switch(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#
 

This example shows the banner that appears from the previous configuration:

Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
 
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
 
User Access Verification
 
Password:

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

banner login c message c

Specify the login message.

For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To delete the login banner, use the no banner login global configuration command.

This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter:

Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)#

Managing the MAC Address Table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:

  • Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
  • Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.

The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).

note.gif

Noteblank.gif For complete syntax and usage information for the commands used in this section, see the command reference for this release.


These sections contain this configuration information:

Building the Address Table

With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use.

The aging interval is globally configured on a standalone switch or on the switch stack. However, the switch maintains an address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis.

The switch sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked for errors before transmission.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5.

Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.

MAC Addresses and Switch Stacks

The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN. When an address ages out, the address is removed from the address tables on all stack members. When a switch joins a switch stack, that switch receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses learned by the former stack member.

Default MAC Address Table Configuration

Table 5-2 shows the default MAC address table configuration.

 

Table 5-2 Default MAC Address Table Configuration

Feature
Default Setting

Aging time

300 seconds

Dynamic addresses

Automatically learned

Static addresses

None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN.

Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.

Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

mac address-table aging-time [ 0 | 10-1000000 ] [ vlan vlan-id ]

Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.

The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.

For vlan-id, valid IDs are 1 to 4094.

Step 3

end

Return to privileged EXEC mode.

Step 4

show mac address-table aging-time

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default value, use the no mac address-table aging-time global configuration command.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).

To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged EXEC command.

Configuring MAC Address Change Notification Traps

MAC address change notification tracks users on a network by storing the MAC address change activity. When the switch learns or removes a MAC address, an SNMP notification trap can be sent to the NMS. If you have many users coming and going from the network, you can set a trap-interval time to bundle the notification traps to reduce network traffic. The MAC notification history table stores MAC address activity for each port for which the trap is set. MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address change notification traps to an NMS host:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

snmp-server host host-addr { traps | informs } { version { 1 | 2c | 3 }} community-string notification-type

Specify the recipient of the trap message.

  • For host-addr, specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type, use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification change

Enable the switch to send MAC address change notification traps to the NMS.

Step 4

mac address-table notification change

Enable the MAC address change notification feature.

Step 5

mac address-table notification change [ interval value ] [ history-size value ]

Enter the trap interval time and the history table size.

  • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
  • (Optional) For history-size value, specify the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.

Step 6

interface interface-id

Enter interface configuration mode, and specify the interface on which to enable the SNMP MAC address notification trap.

Step 7

snmp trap mac-notification change { added | removed }

Enable the MAC address change notification trap on the interface.

  • Enable the trap when a MAC address is added on this interface.
  • Enable the trap when a MAC address is removed from this interface.

Step 8

end

Return to privileged EXEC mode.

Step 9

show mac address-table notification change interface

show running-config

Verify your entries.

Step 10

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command. To disable the MAC address-change notification traps on a specific interface, use the no snmp trap mac-notification change { added | removed } interface configuration command. To disable the MAC address-change notification feature, use the no mac address-table notification change global configuration command.

This example shows how to specify 172.20.10.10 as the NMS, enable the switch to send MAC address notification traps to the NMS, enable the MAC address-change notification feature, set the interval time to 123 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port.

Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification change
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 123
Switch(config)# mac address-table notification change history-size 100
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# snmp trap mac-notification change added
 

You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.

Configuring MAC Address Move Notification Traps

When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address-move notification traps to an NMS host:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

snmp-server host host-addr { traps | informs } { version { 1 | 2c | 3 }} community-string notification-type

Specify the recipient of the trap message.

  • For host-addr, specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type, use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification move

Enable the switch to send MAC address move notification traps to the NMS.

Step 4

mac address-table notification mac-move

Enable the MAC address move notification feature.

Step 5

end

Return to privileged EXEC mode.

Step 6

show mac address-table notification mac-move

show running-config

Verify your entries.

Step 7

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification move global configuration command. To disable the MAC address-move notification feature, use the no mac address-table notification mac-move global configuration command.

This example shows how to specify 172.20.10.10 as the NMS, enable the switch to send MAC address move notification traps to the NMS, enable the MAC address move notification feature, and enable traps when a MAC address moves from one port to another.

Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification move
Switch(config)# mac address-table notification mac-move
 

You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC commands.

Configuring MAC Threshold Notification Traps

When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

snmp-server host host-addr { traps | informs } { version { 1 | 2c | 3 }} community-string notification-type

Specify the recipient of the trap message.

  • For host-addr, specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type, use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification threshold

Enable the switch to send MAC threshold notification traps to the NMS.

Step 4

mac address-table notification threshold

Enable the MAC address threshold notification feature.

Step 5

mac address-table notification threshold [ limit percentage ] | [ interval time ]

Enter the threshold value for the MAC address threshold usage monitoring.

  • (Optional) For limit percentage, specify the percentage of the MAC address table use; valid values are from 1 to 100 percent. The default is 50 percent.
  • (Optional) For interval time, specify the time between notifications; valid values are greater than or equal to 120 seconds. The default is 120 seconds.

Step 6

end

Return to privileged EXEC mode.

Step 7

show mac address-table notification threshold
show running-config

Verify your entries.

Step 8

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable MAC address-threshold notification traps, use the no snmp-server enable traps mac-notification threshold global configuration command. To disable the MAC address-threshold notification feature, use the no mac address-table notification threshold global configuration command.

This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification feature, set the interval time to 123 seconds, and set the limit to 78 per cent.

Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification threshold
Switch(config)# mac address-table notification threshold
Switch(config)# mac address-table notification threshold interval 123
Switch(config)# mac address-table notification threshold limit 78
 

You can verify your settings by entering the show mac address-table notification threshold privileged EXEC commands.

Adding and Removing Static Address Entries

A static address has these characteristics:

  • It is manually entered in the address table and must be manually removed.
  • It can be a unicast or multicast address.
  • It does not age and is retained when the switch restarts.

You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.

A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.

You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.

Beginning in privileged EXEC mode, follow these steps to add a static address:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

mac address-table static mac-addr vlan vlan-id interface interface-id

Add a static address to the MAC address table.

  • For mac-addr, specify the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
  • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
  • For interface-id, specify the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels. For static multicast addresses, you can enter multiple interface IDs. For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.

Step 3

end

Return to privileged EXEC mode.

Step 4

show mac address-table static

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [ interface interface-id ] global configuration command.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet1/0/1

Configuring Unicast MAC Address Filtering

When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.

Follow these guidelines when using this feature:

  • Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported. If you specify one of these addresses when entering the mac address-table static mac-addr vlan vlan-id drop global configuration command, one of these messages appears:
% Only unicast addresses can be configured to be dropped
 
% CPU destined address cannot be configured as drop address
 
  • Packets that are forwarded to the CPU are also not supported.
  • If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.

For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.

If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by the mac address-table static mac-addr vlan vlan-id interface interface-id command, the switch adds the MAC address as a static address.

You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received.

Beginning in privileged EXEC mode, follow these steps to configure the switch to drop a source or destination unicast static address:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

mac address-table static mac-addr vlan vlan-id drop

Enable unicast MAC address filtering and configure the switch to drop a packet with the specified source or destination unicast static address.

  • For mac-addr, specify a source or destination unicast MAC address. Packets with this MAC address are dropped.
  • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.

Step 3

end

Return to privileged EXEC mode.

Step 4

show mac address-table static

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable unicast MAC address filtering, use the no mac address -table static mac-addr vlan vlan-id global configuration command.

This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop

Disabling MAC Address Learning on a VLAN

By default, MAC address learning is enabled on all VLANs on the switch. You can control MAC address learning on a VLAN to manage the available MAC address table space by controlling which VLANs, and therefore which ports, can learn MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.

Follow these guidelines when disabling MAC address learning on a VLAN:

  • Disabling MAC address learning on a VLAN is supported only if the switch is running the IP Services or LAN base image.
  • Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). The switch then floods all IP packets in the Layer 2 domain.
  • You can disable MAC address learning on a single VLAN ID (for example, no mac address-table learning vlan 223) or on a range of VLAN IDs (for example, no mac address-table learning vlan 1-20, 15).
  • We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain.
  • You cannot disable MAC address learning on a VLAN that is used internally by the switch. If the VLAN ID that you enter is an internal VLAN, the switch generates an error message and rejects the command. To view internal VLANs in use, enter the show vlan internal usage privileged EXEC command.
  • If you disable MAC address learning on a VLAN configured as a private-VLAN primary VLAN, MAC addresses are still learned on the secondary VLAN that belongs to the private VLAN and are then replicated on the primary VLAN. If you disable MAC address learning on the secondary VLAN, but not the primary VLAN of a private VLAN, MAC address learning occurs on the primary VLAN and is replicated on the secondary VLAN.
  • You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
  • If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

no mac address-table learning vlan vlan-id

Disable MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.

Step 3

end

Return to privileged EXEC mode.

Step 4

show mac address-table learning [ vlan vlan-id ]

Verify the configuration.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To reenable MAC address learning on a VLAN, use the default mac address -table learning vlan vlan-id global configuration command. You can also reenable MAC address learning on a VLAN by entering the mac address -table learning vlan vlan-id global configuration command. The first (default) command returns to a default condition and therefore does not appear in the output from the show running-config command. The second command causes the configuration to appear in the show running-config privileged EXEC command display.

This example shows how to disable MAC address learning on VLAN 200:

Switch(config)# no mac address-table learning vlan 200
 

You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [ vlan vlan-id ] privileged EXEC command.

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 5-3 :

 

Table 5-3 Commands for Displaying the MAC Address Table

Command
Description

show ip igmp snooping groups

Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.

show mac address-table address

Displays MAC address table information for the specified MAC address.

show mac address-table aging-time

Displays the aging time in all VLANs or the specified VLAN.

show mac address-table count

Displays the number of addresses present in all VLANs or the specified VLAN.

show mac address-table dynamic

Displays only dynamic MAC address table entries.

show mac address-table interface

Displays the MAC address table information for the specified interface.

show mac address-table learning

Displays MAC address learning status of all VLANs or the specified VLAN.

show mac address-table notification

Displays the MAC notification parameters and history table.

show mac address-table static

Displays only static MAC address table entries.

show mac address-table vlan

Displays the MAC address table information for the specified VLAN.

Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution.

The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.

ARP entries added manually to the table do not age and must be manually removed.

note.gif

Noteblank.gif For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.