Catalyst 4500 Series Switch Cisco IOS Release XE 3.5.0E and 15.2.1
Administering the Switch

Table of Contents

Administering the Switch

Managing the System Time and Date

System Clock

Understanding Network Time Protocol

Configuring NTP

Default NTP Configuration

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Managing Software Licenses Using Permanent Right-To-Use Features

About a PRTU License

Benefits of a PRTU License

Guidelines for the RTU License Model

Applying a PRTU License

Activating a PRTU License

Deactivating a PRTU License

Displaying Software License Information

Configuring a System Name and Prompt

Configuring a System Name

Understanding DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner

Managing the MAC Address Table

Building the Address Table

MAC Addresses and VLANs

Default MAC Address Table Configuration

Changing the Address Aging Time

Removing Dynamic Address Entries

Configuring MAC Change Notification Traps

Configuring MAC Move Notification Traps

Configuring MAC Threshold Notification Traps

Adding and Removing Static Address Entries

Configuring Unicast MAC Address Filtering

Disabling MAC Address Learning on a VLAN

Configuring Disable MAC Address Learning

Usage Guidelines

Deployment Scenarios

Feature Compatibility

Feature Incompatibility

Partial Feature Incompatibility

Displaying Address Table Entries

Managing the ARP Table

Configuring Embedded CiscoView Support

Understanding Embedded CiscoView

Installing and Configuring Embedded CiscoView

Displaying Embedded CiscoView Information

Administering the Switch

This chapter describes how to perform one-time operations to administer the Catalyst 4500 Series switch.

This chapter also describes how to install and configure the Embedded CiscoView network management system to provide a graphical representation of a Catalyst 4500 series switch and to provide a GUI-based management and configuration interface.

This chapter includes the following major sections:

  • Managing the System Time and Date
  • Managing Software Licenses Using Permanent Right-To-Use Features
  • Configuring a System Name and Prompt
  • Creating a Banner
  • Managing the MAC Address Table
  • Managing the ARP Table
  • Configuring Embedded CiscoView Support


Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html


Managing the System Time and Date

You can configure the system time and date on your switch manually or automatically by using Network Time Protocol (NTP).

These sections contain this configuration information:

  • System Clock
  • Understanding Network Time Protocol
  • Configuring NTP
  • Configuring Time and Date Manually

System Clock

The core of the time service is the system clock, which monitors the date and time. This clock starts when the system starts.

The system clock can provide time to these services:

  • User show commands
  • Logging and debugging messages

The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correct for the local time zone.

The system clock keeps track of whether the time is authoritative or not (whether it was set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section.

Understanding Network Time Protocol

The NTP is designed to synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.

NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not have been synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.

The communications between devices running NTP (known as associations ) are usually statically configured; each device is given the IP address of all devices with which it should associate. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can be configured to send or receive broadcast messages; however, information flow is one-way only.

The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.

Figure 1-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F, respectively.

Figure 1-1 Typical NTP Network Configuration


If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when it is not. Other devices then synchronize to that device through NTP.

NTP time overrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a public version for systems running UNIX and its various derivatives is also available. This software allows host systems to be synchronized as well.

Configuring NTP

Default NTP Configuration

Table 1-1 shows the default NTP configuration.

Table 1-1 Default NTP Configuration

Feature                          Default Setting
NTP authentication               Disabled. No authentication key is specified.
NTP peer or server associations  None configured.
NTP broadcast service            Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions          No access control is specified.
NTP packet source IP address     The source address is set by the outgoing interface.

NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
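To see which of these defaults are still in force on a given switch, the following added Python audit (written for this page; it is not Cisco's code and not part of the original document) reads a running-config excerpt and reports each Table 1-1 setting that remains at its default, plus every interface that still accepts NTP packets. The configuration text, the finding codes, and the interface names are constructed for the example; only the command syntax comes from this chapter.

```python
import re

# Constructed running-config excerpt (not taken from the page): authentication is on,
# one server carries a key, one peer does not, and only one of two interfaces has
# "ntp disable". No access-group or ntp source lines are present.
SAMPLE_CONFIG = """\
ntp authenticate
ntp authentication-key 42 md5 aNiceKey
ntp authentication-key 43 md5 spareKey
ntp trusted-key 42
ntp server 172.16.22.44 key 42 prefer
ntp peer 172.16.22.45
interface GigabitEthernet1/1
 description constructed uplink
interface GigabitEthernet1/2
 ntp disable
"""


def audit_ntp(config: str):
    """Compare a running-config against Table 1-1 and return (code, detail) findings."""
    auth, keys, trusted, groups, source = False, set(), set(), 0, None
    unkeyed, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = raw.split()[1]
            ifaces[cur] = True          # NTP is enabled on every interface by default
            continue
        if not raw.startswith(" "):     # back at global configuration level
            cur = None
        line = raw.strip()
        if cur and line == "ntp disable":
            ifaces[cur] = False
        elif line == "ntp authenticate":
            auth = True
        elif line.startswith("ntp authentication-key "):
            keys.add(line.split()[2])
        elif line.startswith("ntp trusted-key "):
            trusted.update(line.split()[2:])
        elif line.startswith("ntp access-group "):
            groups += 1
        elif line.startswith("ntp source "):
            source = line.split(None, 2)[2]
        else:
            m = re.match(r"ntp (server|peer) (\S+)(.*)", line)
            if m and not re.search(r"\bkey \d+", m.group(3)):
                unkeyed.append(m.group(2))

    findings = []
    if not auth:
        findings.append(("AUTH_DISABLED", "ntp authenticate not set (default)"))
    if auth and not (keys & trusted):
        findings.append(("NO_TRUSTED_KEY", "no ntp trusted-key matches a defined key"))
    for k in sorted(keys - trusted):          # defined but never trusted: unusable for sync
        findings.append(("KEY_NOT_TRUSTED", k))
    for peer in unkeyed:                      # association configured without a key keyword
        findings.append(("UNKEYED_ASSOCIATION", peer))
    if groups == 0:
        findings.append(("NO_ACCESS_GROUP", "all access types granted to all devices (default)"))
    if source is None:
        findings.append(("NO_NTP_SOURCE", "source address follows the outgoing interface (default)"))
    for name, still_open in ifaces.items():
        if still_open:
            findings.append(("NTP_ENABLED_ON_INTERFACE", name))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ntp(SAMPLE_CONFIG):
        print(f"{code:26} {detail}")
```

Each finding maps to one row of Table 1-1 or to the per-interface default described in the sentence above; the audit treats a key that is defined but absent from the trusted-key list as a separate finding because, as the authentication section explains, such a key does not let the switch synchronize.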

Configuring NTP Authentication

This procedure must be coordinated with the administrator of the NTP server; the key number and key value you configure in this procedure must match the key configured on each server the switch uses to synchronize its time.

To authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ntp authenticate

Enables the NTP authentication feature, which is disabled by default.

Step 3

ntp authentication-key number md5 value

Defines the authentication keys. By default, none are defined.

  • For number , specify a key number. The range is 1 to 4294967295.
  • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
  • For value , enter an arbitrary string of up to eight characters for the key.

The switch does not synchronize to a device unless both have one of these authentication keys, and the key number is specified by the ntp trusted-key key-number command.

Step 4

ntp trusted-key key-number

Specifies one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this switch to synchronize to it.

By default, no trusted keys are defined.

For key-number , specify the key defined in Step 3.

This command provides protection against accidentally synchronizing the switch to a device that is not trusted.

Step 5

end

Returns to privileged EXEC mode.

Step 6

show running-config

Verifies your entries.

Step 7

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command. To disable authentication of the identity of a device, use the no ntp trusted-key key-number global configuration command.

This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets:

Switch# configure terminal
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
Switch(config)# end
Switch#
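The two checks the table above describes, a matching MD5 key and a key number on the trusted-key list, can be seen end to end in the following added Python example (written for this page, not code from the Cisco document). It builds a constructed 48-byte NTPv3 header, appends the authenticator the way the MD5 option does (4-byte key identifier followed by an MD5 digest computed over the key bytes and the header, per RFC 1305 and the NTP reference implementation), and then applies receiver-side verification. Key 42 mirrors the page's example; key 43, the packet contents and the `GPS` reference identifier are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Key table as the page's example configures it, plus one extra key (43) that is
# defined but deliberately NOT trusted, to show the difference the trusted-key
# list makes. Both the keys and the packet bytes below are constructed samples.
AUTH_KEYS = {42: b"aNiceKey", 43: b"otherKey"}   # ntp authentication-key N md5 ...
TRUSTED_KEYS = {42}                               # ntp trusted-key 42

HEADER_LEN = 48   # fixed NTP header; the authenticator (key id + digest) follows it


def build_header(mode=4, version=3, stratum=2):
    """Build a constructed 48-byte NTPv3 header (server reply, stratum 2)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll, precision
    fixed += struct.pack("!II", 0, 0)                            # root delay, root dispersion
    fixed += b"GPS\x00"                                          # reference id (constructed)
    fixed += struct.pack("!QQQQ", 0, 0, 0, 0xE3C0B2A580000000)   # ref/orig/recv/xmit timestamps
    assert len(fixed) == HEADER_LEN
    return fixed


def ntp_digest(key: bytes, header: bytes) -> bytes:
    """Keyed MD5 as NTP defines it: MD5 over the key bytes followed by the header."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, keys=AUTH_KEYS) -> bytes:
    """Append the 20-byte authenticator: 4-byte key id + 16-byte digest."""
    return header + struct.pack("!I", key_id) + ntp_digest(keys[key_id], header)


def verify(packet: bytes, keys=AUTH_KEYS, trusted=TRUSTED_KEYS):
    """Receiver-side check in the order a switch applies it: returns (accepted, reason)."""
    if len(packet) < HEADER_LEN + 20:
        return False, "no authenticator"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:HEADER_LEN + 20]
    if key_id not in keys:
        return False, "unknown key id"          # no ntp authentication-key for this number
    if key_id not in trusted:
        return False, "key id not trusted"      # defined, but no ntp trusted-key for it
    if not hmac.compare_digest(ntp_digest(keys[key_id], header), mac):
        return False, "digest mismatch"         # wrong key value or modified header
    return True, "ok"


if __name__ == "__main__":
    pkt = sign(build_header(), 42)
    print(verify(pkt))                              # (True, 'ok')
    print(verify(sign(build_header(), 43)))         # (False, 'key id not trusted')
    tampered = bytearray(pkt)
    tampered[1] = 1                                 # claim stratum 1 after signing
    print(verify(bytes(tampered)))                  # (False, 'digest mismatch')
```

The tampered case is the one the trusted-key mechanism exists for: a packet whose stratum or timestamps were altered in transit no longer matches the digest, so the receiver never adopts its time. Note that the digest covers the header only; the key itself never leaves either device.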

Configuring NTP Associations

An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).

To form an NTP association with another device, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ntp peer ip-address [ version number ] [ key keyid ] [ source interface ] [ prefer ]
or
ntp server ip-address [ version number ] [ key keyid ] [ source interface ] [ prefer ]

Configures the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).

or

Configures the switch system clock to be synchronized by a time server (server association).

No peer or server associations are defined by default.

  • For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.
  • (Optional) For number , specify the NTP version number. The range is 1 to 3. By default, Version 3 is selected.
  • (Optional) For keyid , enter the authentication key defined by entering the ntp authentication-key global configuration command.
  • (Optional) For interface , specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.
  • (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

You need to configure only one end of an association; the other device can automatically establish the association. If you are using the default NTP version (Version 3) and NTP synchronization does not occur, try using NTP Version 2. Many NTP servers on the Internet run Version 2.

To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address global configuration command.

This example shows how to configure the switch to synchronize its system clock with the clock of the time server at IP address 172.16.22.44 (a server association) using NTP Version 2:

Switch# configure terminal
Switch(config)# ntp server 172.16.22.44 version 2
Switch(config)# end
Switch#

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations ) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can be configured to send or receive broadcast messages. However, the information flow is one-way only.

The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.

To configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Specifies the interface that sends NTP broadcast packets, and enters interface configuration mode.

Step 3

ntp broadcast [ version number ] [ key keyid ] [ destination-address ]

Enables the interface to send NTP broadcast packets to a peer.

By default, this feature is disabled on all interfaces.

  • (Optional) For number , specify the NTP version number. The range is 1 to 3. If you do not specify a version, Version 3 is used.
  • (Optional) For keyid , specify the authentication key to use when sending packets to the peer.
  • (Optional) For destination-address , specify the IP address of the peer that is synchronizing its clock to this switch.

Step 4

end

Returns to privileged EXEC mode.

Step 5

show running-config

Verifies your entries.

Step 6

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.

This example shows how to configure a port to send NTP Version 2 packets:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast version 2
Switch(config-if)# end
Switch#

To configure the switch to receive NTP broadcast packets from connected peers, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Specifies the interface that receives NTP broadcast packets, and enters interface configuration mode.

Step 3

ntp broadcast client

Enables the interface to receive NTP broadcast packets.

By default, no interfaces receive NTP broadcast packets.

Step 4

exit

Returns to global configuration mode.

Step 5

ntp broadcastdelay microseconds

(Optional) Changes the estimated round-trip delay between the switch and the NTP broadcast server.

The default is 3000 microseconds; the range is 1 to 999999.

Step 6

end

Returns to privileged EXEC mode.

Step 7

show running-config

Verifies your entries.

Step 8

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To reset the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.

This example shows how to configure a port to receive NTP broadcast packets:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast client
Switch(config-if)# end
Switch#

Configuring NTP Access Restrictions

You can control NTP access on two levels as described in these sections:

  • Creating an Access Group and Assigning a Basic IP Access List
  • Disabling NTP Services on a Specific Interface

Creating an Access Group and Assigning a Basic IP Access List

To control access to NTP services by using access lists, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ntp access-group { query-only | serve-only | serve | peer } access-list-number

Creates an access group and applies a basic IP access list to it.

The keywords have these meanings:

  • query-only —Allows only NTP control queries.
  • serve-only —Allows only time requests.
  • serve —Allows time requests and NTP control queries, but does not allow the switch to synchronize to the remote device.
  • peer —Allows time requests and NTP control queries and allows the switch to synchronize to the remote device.

For access-list-number , enter a standard IP access list number from 1 to 99.

Step 3

access-list access-list-number permit source [ source-wildcard ]

Creates the access list.

  • For access-list-number , enter the number specified in Step 2.
  • Enter the permit keyword to permit access if the conditions are matched.
  • For source , enter the IP address of the device that is permitted access to the switch.
  • (Optional) For source-wildcard , enter the wildcard bits to be applied to the source.

Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 4

end

Returns to privileged EXEC mode.

Step 5

show running-config

Verifies your entries.

Step 6

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The access group keywords are scanned in this order, from least restrictive to most restrictive:

1. peer —Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.

2. serve —Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.

3. serve-only —Allows only time requests from a device whose address passes the access list criteria.

4. query-only —Allows only NTP control queries from a device whose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.

To remove access control to the switch NTP services, use the no ntp access-group { query-only | serve-only | serve | peer } global configuration command.

This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. However, the switch restricts access to allow only time requests from access list 42:

Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
Switch(config)# end
Switch#
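The precedence and matching rules stated above (scan order peer, serve, serve-only, query-only; first access type whose list matches wins; everything granted when no access group exists; implicit deny at the end of each list) are easy to get wrong when reviewing a configuration, so here is an added Python model of that evaluation (written for this page; not Cisco's code and not from the original document). It parses the example configuration above, extended with two constructed access-list 42 entries that exercise first-match and the implicit deny, and reports which NTP access type a given source address receives. Wildcard-mask matching follows standard IOS ACL semantics; the extra addresses are constructed.

```python
import ipaddress
import re

# Constructed running-config fragment, matching the example above, with two extra
# access-list 42 entries added to show first-match and the implicit deny.
CONFIG = """\
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
access-list 42 deny 10.1.5.0 0.0.0.255
access-list 42 permit 10.1.0.0 0.0.255.255
"""

# Scan order the document gives: least restrictive first, first match wins
ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")


def parse(config: str):
    """Collect ntp access-group bindings and standard access-list entries."""
    groups, acls = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*ntp access-group (peer|serve-only|serve|query-only) (\d+)", line)
        if m:
            groups[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", line)
        if m:
            num, action, src, wildcard = m.groups()
            if src == "host":                 # 'host A' is shorthand for 'A 0.0.0.0'
                src, wildcard = wildcard, None
            acls.setdefault(int(num), []).append((action, src, wildcard or "0.0.0.0"))
    return groups, acls


def acl_permits(entries, ip: str) -> bool:
    """Standard IP ACL semantics: first matching entry decides; implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, src, wildcard in entries:
        if src == "any":
            return action == "permit"
        base = int(ipaddress.IPv4Address(src))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must match
        if addr & care == base & care:
            return action == "permit"
    return False                                                    # implicit deny


def ntp_access(ip: str, groups, acls) -> str:
    """Return the NTP access type granted to a source address, or 'all'/'none'."""
    if not groups:
        return "all"      # no access groups configured: every type granted to everyone
    for access_type in ACCESS_TYPES:
        acl = groups.get(access_type)
        if acl is not None and acl_permits(acls.get(acl, []), ip):
            return access_type
    return "none"


if __name__ == "__main__":
    groups, acls = parse(CONFIG)
    for src in ("172.20.130.5", "172.20.130.6", "10.1.2.3", "10.1.5.7", "192.0.2.1"):
        print(f"{src:14} -> {ntp_access(src, groups, acls)}")
```

Running it shows 172.20.130.5 granted peer access (it can be synchronized to), 172.20.130.6 and 10.1.2.3 limited to time requests, and 10.1.5.7 and 192.0.2.1 denied entirely: the former by the explicit deny entry that precedes the broader permit, the latter by the implicit deny. The same function called with no groups returns "all", which is the state a switch is in before any ntp access-group command is entered.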

Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default.

To disable NTP packets from being received on an interface, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Specifies the interface on which NTP is to be disabled, and enters interface configuration mode.

Step 3

ntp disable

Disables NTP packets from being received on the interface.

By default, all interfaces receive NTP packets.

To reenable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.

Step 4

end

Returns to privileged EXEC mode.

Step 5

show running-config

Verifies your entries.

Step 6

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. To use a particular source IP address for all NTP packets, use the ntp source global configuration command. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.

To configure a specific interface from which the IP source address is to be taken, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ntp source type number

Specifies the interface type and number from which the IP source address is taken.

By default, the source address is set by the outgoing interface.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations” section.

Displaying the NTP Configuration

Use the following privileged EXEC commands to display NTP information:

  • show ntp associations [ detail ]
  • show ntp status

For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.3.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock.

These sections contain this configuration information:

  • Setting the System Clock
  • Displaying the Time and Date Configuration
  • Configuring the Time Zone
  • Configuring Summer Time (Daylight Saving Time)

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

To set the system clock, perform this task:


Command
Purpose

Step 1

clock set hh : mm : ss day month year
or
clock set hh : mm : ss month day year

Manually sets the system clock using one of these formats.

  • For hh : mm : ss , specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
  • For day , specify the day by date in the month.
  • For month , specify the month by name.
  • For year , specify the year (no abbreviation).

This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:

Switch# clock set 13:32:00 23 July 2001

Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [ detail ] privileged EXEC command.

The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock was set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the flag is set, peers do not synchronize to this clock, which protects them from adopting a time that may be invalid.

The symbol that precedes the show clock display has this meaning:

  • *—Time is not authoritative.
  • (blank)—Time is authoritative.
  • .—Time is authoritative, but NTP is not synchronized.

Configuring the Time Zone

To manually configure the time zone, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

clock timezone zone hours-offset [ minutes-offset ]

Sets the time zone.

To set the time to UTC, use the no clock timezone global configuration command.

The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.

  • For zone , enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
  • For hours-offset , enter the hours offset from UTC.
  • (Optional) For minutes-offset , enter the minutes offset from UTC.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent of an hour (30 minutes). The necessary command is clock timezone AST -3 30 .

Configuring Summer Time (Daylight Saving Time)

To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year, perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

clock summer-time zone recurring [ week day month hh : mm week day month hh : mm [ offset ]]

Configures summer time to start and end on the specified days every year.

Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.

  • For zone , specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
  • (Optional) For week , specify the week of the month (1 to 5 or last ).
  • (Optional) For day , specify the day of the week (Sunday, Monday...).
  • (Optional) For month , specify the month (January, February...).
  • (Optional) For hh : mm , specify the time (24-hour format) in hours and minutes.
  • (Optional) For offset , specify the number of minutes to add during summer time. The default is 60.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:

Switch# configure terminal
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Switch(config)# end
Switch#
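The rules in the two preceding passages (the minutes-offset taking the sign of the hours-offset, the start time being read in standard time and the end time in summer time, and a start month later than the end month meaning the southern hemisphere) are what make the displayed clock correct at the boundaries. The following added Python example (written for this page; not Cisco's code and not from the original document) applies those rules to the recurring command above and to a constructed southern-hemisphere rule, so the exact minute at which the zone label flips can be checked. It assumes an NTP-synchronized UTC instant as input; the AEST/AEDT rule, the constant names and the 2001 dates are constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta

# Rule in the form the recurring command takes: (week, weekday, month, hour, minute)
# for start and end, the summer zone name, and the offset in minutes. Mirrors
# "clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00".
PDT_RULE = {
    "zone": "PDT",
    "start": (1, calendar.SUNDAY, 4, 2, 0),
    "end": ("last", calendar.SUNDAY, 10, 2, 0),
    "offset": 60,
}
# A southern-hemisphere rule (start month after end month), constructed for illustration.
AEDT_RULE = {
    "zone": "AEDT",
    "start": (1, calendar.SUNDAY, 10, 2, 0),
    "end": (1, calendar.SUNDAY, 4, 2, 0),
    "offset": 60,
}


def tz_offset(hours_offset: int, minutes_offset: int = 0) -> timedelta:
    """clock timezone: the minutes take the sign of the hours, so '-3 30' is UTC-3:30."""
    sign = -1 if hours_offset < 0 else 1
    return sign * timedelta(hours=abs(hours_offset), minutes=minutes_offset)


def nth_weekday(year: int, month: int, week, weekday: int) -> int:
    """Day of month for '<week> <weekday>' where week is 1..5 or 'last'."""
    days = calendar.monthrange(year, month)[1]
    hits = [d for d in range(1, days + 1) if datetime(year, month, d).weekday() == weekday]
    return hits[-1] if week == "last" else hits[week - 1]


def summer_bounds(year: int, rule):
    """Start expressed in standard time; end converted from summer time to standard time."""
    sw, sd, sm, sh, smi = rule["start"]
    ew, ed, em, eh, emi = rule["end"]
    start = datetime(year, sm, nth_weekday(year, sm, sw, sd), sh, smi)
    end = datetime(year, em, nth_weekday(year, em, ew, ed), eh, emi)
    return start, end - timedelta(minutes=rule["offset"])


def in_summer_time(local_std: datetime, rule) -> bool:
    """Decide in local standard time, so the start/end comparisons share one scale."""
    start, end = summer_bounds(local_std.year, rule)
    if start <= end:                       # northern hemisphere: one interval in the year
        return start <= local_std < end
    return not (end <= local_std < start)  # southern: summer spans the year boundary


def local_time(utc_iso: str, std_zone: str, hours_offset: int, minutes_offset: int = 0, rule=None):
    """Local wall-clock time and zone label for a UTC instant given as 'YYYY-MM-DDTHH:MM'."""
    local_std = datetime.fromisoformat(utc_iso) + tz_offset(hours_offset, minutes_offset)
    if rule and in_summer_time(local_std, rule):
        shown = local_std + timedelta(minutes=rule["offset"])
        return shown.strftime("%Y-%m-%d %H:%M"), rule["zone"]
    return local_std.strftime("%Y-%m-%d %H:%M"), std_zone


if __name__ == "__main__":
    for utc in ("2001-04-01T09:59", "2001-04-01T10:00", "2001-10-28T08:59", "2001-10-28T09:00"):
        print(utc, "->", local_time(utc, "PST", -8, 0, PDT_RULE))
    print(local_time("2001-01-15T00:00", "AEST", 10, 0, AEDT_RULE))
    print(tz_offset(-3, 30))               # -1 day, 20:30:00  (that is, -3:30)
```

Because the end of summer time is given in summer time, the last Sunday in October at 02:00 PDT is 01:00 PST, which is 09:00 UTC; the model therefore flips back to PST at 09:00 UTC, not at 10:00. The southern-hemisphere branch is what the sentence "If the starting month is after the ending month, the system assumes that you are in the southern hemisphere" amounts to in code.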

If summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events), perform this task:


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

clock summer-time zone date [ month date year hh : mm month date year hh : mm [ offset ]]
or
clock summer-time zone date [ date month year hh : mm date month year hh : mm [ offset ]]

Configures summer time to start on the first date and end on the second date.

To disable summer time, use the no clock summer-time global configuration command.

Summer time is disabled by default.

  • For zone , specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
  • (Optional) For date , specify the day by date in the month.
  • (Optional) For month , specify the month (January, February...).
  • (Optional) For year , specify the year (no abbreviation).
  • (Optional) For hh : mm , specify the time (24-hour format) in hours and minutes.
  • (Optional) For offset , specify the number of minutes to add during summer time. The default is 60.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

To disable summer time, use the no clock summer-time global configuration command.

This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:

Switch# configure terminal
Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
Switch(config)# end
Switch#

Managing Software Licenses Using Permanent Right-To-Use Features

If you want to upgrade or downgrade from one license level to another, we recommend that you use the permanent right-to-use (PRTU) license instead of the node-locked license.

About a PRTU License

The Permanent Right-to-use (PRTU) license is not installable and it cannot be cleared; it is available by default.

Prior to IOS Release XE 3.4.2SG, when you upgraded from one license level to another (e.g., IP Base to Entservices), you visited http://www.cisco.com/go/license , obtained the desired license using your device’s PAK, and then applied the license on your device.


Note For details of the Cisco IOS activation process, see the Configuring the Cisco IOS Software Activation Feature guide at this URL: http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_commands.html


With IOS Release XE 3.4.2SG, the PRTU license feature simplifies the process by enabling you to do the following:

  • Upgrade from a lower license to a higher license using the license right-to-use activate feature name command.
  • Downgrade from a higher license to a lower license using the license right-to-use deactivate feature name command.

You cannot relocate a PRTU license to another device because the license is bundled with the image. So, by upgrading the IOS image, you obtain the PRTU license.

Benefits of a PRTU License

  • They are not associated with a specific switch.

With the node-locked license model, in a release prior to IOS Cisco XE 3.4.2SG, a license was applicable to a specific switch UID. Therefore, to activate a license on a new switch, you had to obtain a new license for the new UID. With PRTU licenses, logging on to the Cisco server to download and install the license is unnecessary. The license is available with the image.

  • They can be instantly activated on any supported switch.

With the node-locked license model, you open the Cisco Product License Registration Portal to obtain a license for a new switch that you purchase or an RMA switch that you need to replace. This process is often cumbersome and lengthy, and applying the license on the new switch is an error-prone activity. With PRTU licenses, you can apply a license on a switch and activate it immediately.

  • They can be applied without requiring an Internet connection.

With the node-locked license model, you need to access an Internet connection to obtain a license for your device’s UID. This may be difficult in some deployment scenarios where an Internet connection is unavailable. With PRTU licenses, you can apply a supported license on any switch at any time without requiring an Internet connection to interact with the Cisco Product License Registration Portal.

Guidelines for the RTU License Model

  • The PRTU license model is based on mutual trust between you and Cisco. When you apply a PRTU license, it is implied that you have first purchased the license from Cisco. This agreement is explained in detail in the EULA, which is displayed when you activate the license.
  • The PRTU license model does not replace the node-locked license model. Instead, it simplifies upgrading or moving your switch’s license. The node-locked license model is still available.
  • Although PRTU licenses are permanent, we also support evaluation licenses and all existing licenses.

Applying a PRTU License

To apply a PRTU license on a switch, follow these steps:


Step 1 Upgrade from one license level to another by using the Cisco sales ordering tool to purchase the license. You will receive an e-mail or paper confirmation that grants you permission to activate the license on your switch.

Step 2 Apply the license by entering the appropriate commands on your switch. If you are upgrading a license on a switch, enter the activation command to activate the higher license. If you are moving a license from one switch to another, enter the deactivation command on the first switch and the activation command on the second switch.


Note Prior to IOS Release XE 3.4.2SG, you provided the license file to a Cisco server, then obtained the new license file. With IOS Release XE 3.4.2SG, you do not require those operations. Once the IOS image is upgraded, you receive the license on the switch and activate it with the license right-to-use activate feature name command.


Step 3 Read and accept the EULA.

Step 4 If you change the license boot level, reboot.


Note When activating PRTU for the same license level as the existing one, a reboot is unnecessary.



 

Activating a PRTU License

To activate a PRTU license on a switch, use either of the following commands in privileged EXEC mode:

 

Command
Purpose

Step 1

license right-to-use activate feature-name

Activates a license on a switch and prompts for EULA.

Step 2

license right-to-use activate feature-name acceptEULA

Activates a license without prompting for EULA.

This step may be required in situations where deployments are automated using install scripts.

Deactivating a PRTU License

To deactivate a PRTU license on a switch, enter the following command in privileged EXEC mode:

 

Command
Purpose

license right-to-use deactivate feature-name

Deactivates a license on a switch.

Displaying Software License Information

To display information about the software licenses on your switch, use one of these methods:

  • Use Cisco License Manager to view license and device information. In the GUI, the discovery and polling features collect all the license and device information that appears in the Properties window. For detailed instructions, see the Cisco License Manager online help.
  • Use the Cisco IOS privileged EXEC commands in Table 2.

 

Table 2 Commands for Displaying Software License Information

Command
Description

show license agent { counters | session }

Displays the information about the software license agent.

For information about the show license agent privileged EXEC command, see the Cisco Software Activation Tasks and Commands feature module.

show license [ all | detail [ feature-name ] | feature | file | statistics | status | udi | right-to-use | summary | permanent | in-use | image levels | evaluation | expiring ]

Displays information about the software license.

For information about the show license privileged EXEC command, see the Cisco IOS Software Licensing feature module at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/12_2se/feature/guide/se_cisl.html

show version

Displays the software licenses installed on the switch.

This is an example of output from the show license command:

Switch# show license detail
Index: 1 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Store Index: 0
Store Name: Dynamic Evaluation License Storage
Index: 2 Feature: entservices Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
Store Index: 1
Store Name: Dynamic Evaluation License Storage
Index: 3 Feature: ipbase Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Store Index: 1
Store Name: Primary License Storage
Index: 4 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None
Store Index: 2
Store Name: Dynamic Evaluation License Storage
Index: 5 Feature: ipbase Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
Store Index: 3
Store Name: Dynamic Evaluation License Storage
 

This is an example of output from the show license feature command:

Switch# show license feature
Feature name Enforcement Evaluation Clear Allowed Enabled Right…
----------------------------------------------------------------
entservices true true true false true
ipbase true true true true true
lanbase false false true false false
internal_service true false true false false
 

This is an example of output from the show license file command:

Switch# show license file
License Store: Primary License Storage
License Index: 1
License: 11 ipbase 1.0 LONG NORMAL STANDALONE EXCL INFINITE_KEYS INFINITE_KEYS NEVER NEVER NiL SLM_CODE CL_ND_LCK NiL *1DELA9XDSFSJXAH400 NiL NiL NiL 5_MINS WS-C4507R+EFOX1327G52D xLt5Q1e2VJi03pzp3GSE3PrvxwyfO,SLjP0SXuZOq0f4QTXyc1pSQY51xj31fh7ZfTD6AskNyeUYT8sCUesi9IVKB85wsZSX1HZiXwOd9RHp3mjmnhxFDnS0e6UxjgXgqvV:$AQEBIf8B///kh4dluXv+U+xjUPlzoc3++jpV9d8He4jOubafbkmmOtaOYAoB3inJLnlLyv50VCuRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: Z+EY3ce1csQlVpRGc5NNy5ypmds=
License Store: Dynamic License Storage
License Store: Primary License Storage
License Store: Dynamic License Storage
License Index: 0
License: 11 entservices 1.0 LONG TRIAL DISABLED 1440 DISABLED STANDALONE ADD INFINITE_KEYS INFINITE_KEYS NEVER NEVER NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NiL BGf3gQnLuroDmnnMJMwWVa2ukR8kP2JZyinKpmOXpa32jwPuSBmHvcSRiSSaqBngV8$AQEBIQAB///FTlc+Qu1Xlg2Z+yB2StUHHymf2w5PEw+cYg/hTOKYCI+oXi0jwBZ2iLrYTKYwxSSRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: RmO9Kumi8BFKq0wCAx2CcUDE6rg=
License Index: 1
License: 12 entservices 1.0 LONG TRIAL DISABLED DISABLED DISABLED STANDALONE ADD INFINITE_KEYS INFINITE_KEYS 1 JAN 2006 1 JAN 2035 NiL NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NOTLOCKEDNOTLOCKEDHBL l1nG2zXePlBt,ifk7ZReL80LqzvzgRUCelWrBp41FC3jOKer6ZMT7XC4834W3Ev7fm1eXoWaK58t:oDeH5RI1V3dVE2VpAnYb7WiKDz9En8PfrI7vewhayNbschEXBD9:tfPfir6GaALUFwsLxcqYzHuL2$AQEBIf8B///mCSo9+7kn+8zTC3WX1YS9if+g0e8AjRRu1Jq3Kye4y8wv4c+Y9FHJ7Ro/mw7ERwqRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: 9w09jAFGBzi2w6XQCljLOBe2p+Y=
License Index: 2
License: 11 ipbase 1.0 LONG TRIAL DISABLED 1440 DISABLED STANDALONE ADD INFINITE_KEYS INFINITE_KEYS NEVER NEVER NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NiL YXNJUtpFJiC2Rpdt1SJNVQBCpQUBNt59tdkJJTgKwmLTKj:vmp,sVkMiiRYLfMHQfj$AQEBIf8B//kagzg0R7bT5rn6dVYVPUFmxB1UsblGgbkInHYo55DJzHE/Bqnlf9keNdSyzPbUhSRqwInXo3snsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: H6zsXVLv9TFlmTfFGm0tK4VHJ2Q=
License Index: 3
License: 12 ipbase 1.0 LONG TRIAL DISABLED DISABLED DISABLED STANDALONE ADD INFINITE_KEYS INFINITE_KEYS 1 JAN 2006 1 JAN 2035 NiL NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NOTLOCKEDNOTLOCKEDHBL Zh0GdIANTlXwW6LJgQ95LB0aCazzbsjSOL4HUaqcySLcOvcLq,d04oTgS8pJbHIO3BaD0tgELHog9egQWj9bCJ3,sm2jRaJkgkhYKO9BrbWYLOA,mO3Qe2E,TPJou8fms:LtvrfctzLbujmB0XcB68MPLm$AQEBIf8B//+O8JwRWipzfjtWlAItclx+D6NLhKMyqS1hJoxCM1Txgw8BpmG5QQY5nCiE14CPvVKRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: S3Ks+G07ueugA9hMFPkXGTF12So=
 

This is an example of output from the show license statistics command:

Switch# show license statistics
Administrative statistics
Install success count: 4
Install failure count: 1
Install duplicate count: 0
Comment add count: 0
Comment delete count: 0
Clear count: 0
Save count: 0
Save cred count: 0
Client status
Request success count 1
Request failure count 0
Release count 0
Global Notify count 1
 

This is an example of output from the show license status command:

Switch# show license status
License Type Supported
permanent Non-expiring node locked license
extension Expiring node locked license
evaluation Expiring non node locked license
License Operation Supported
install Install license
clear Clear license
annotate Comment license
save Save license
revoke Revoke license
call-home License call-home
Call-home Operation Supported
show pak Display license pak via call-home
install Install license via call-home
revoke Revoke license via call-home
resend Fetch license via call-home
Device status
Device Credential type: IMAGE
Device Credential Verification: PASS
Rehost Type: DC_OR_IC
 

When you enter the show license udi command on WS-C4507R+E, this output appears:

Switch# show license udi
Device# PID SN UDI
----------------------------------------------------------------
*0 WS-C4507R+E FOX1327G52D WS-C4507R+E:FOX1327G52D

Note The show license udi command output shows details on the current switch.


This is an example of the show license right-to-use command:

Switch# show license right-to-use
License Store: Primary License Storage
License Store: Dynamic License Storage
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 1 Feature: entservices Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
StoreIndex: 3 Feature: ipbase Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
 

This is an example of the show license summary command:

Switch# show license summary
Index 0 Feature: entservices
Period left: 8 weeks 3 days
License Type: Evaluation
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 1 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: lanbase
Period left: 0 seconds
Index 3 Feature: internal_service
Period left: 0 seconds
 

This is an example of the show license evaluation command:

Switch# show license evaluation
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 0 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
StoreIndex: 2 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None
 

This is an example of the show license image levels command:

Switch# show license image levels
Module name Image level Priority Configured Valid license
----------------------------------------------------------------
WS-X45-SUP7-E entservices 1 NO entservices
ipbase 2 NO ipbase
lanbase 3 NO lanbase
 
Module Name Role Current Level Reboot Level
----------------------------------------------------------------
WS-X45-SUP7-E Active ipbase ipbase
 

This is an example of the show license expiring command:

Switch# show license expiring
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 0 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
StoreIndex: 2 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None
Switch#
 

This is an example of the show license in-use command:

Switch# show license in-use
License Store: Primary License Storage
StoreIndex: 1 Feature: ipbase Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
License Store: Dynamic License Storage
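The show license detail output above is what an administrator reads to learn which feature level the switch is actually running on and whether that level rests on a permanent, PRTU or evaluation license. The following parser is an added example, not Cisco code or output: it turns that output into records and flags any feature level that is running on an evaluation license (the state that changes when the evaluation period ends). SAMPLE is constructed to follow the output format shown on this page; its values are illustrative.

```python
"""Parse 'show license detail' output and flag risky license state.

Added example (not Cisco code or output). SAMPLE is constructed to match
the output format shown on this page; its values are illustrative.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Switch# show license detail
Index: 1 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 2 days
License State: Active, In Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Store Index: 0
Store Name: Dynamic Evaluation License Storage
Index: 2 Feature: entservices Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
Store Index: 1
Store Name: Dynamic Evaluation License Storage
Index: 3 Feature: ipbase Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: Non-Counted
License Priority: Medium
Store Index: 1
Store Name: Primary License Storage
"""

INDEX_RE = re.compile(r"^Index:\s*(\d+)\s+Feature:\s*(\S+)\s+Version:\s*(\S+)")
PERIOD_RE = re.compile(r"(\d+)\s+(week|day|hour|minute|second)s?")
UNIT_SECONDS = {"week": 604800, "day": 86400, "hour": 3600, "minute": 60, "second": 1}


@dataclass
class LicenseRecord:
    index: int
    feature: str
    version: str
    attrs: dict = field(default_factory=dict)

    @property
    def license_type(self):
        return self.attrs.get("License Type", "")

    @property
    def in_use(self):
        # 'Active, In Use' versus 'Active, Not in Use, EULA accepted': compare whole fields
        fields = [f.strip() for f in self.attrs.get("License State", "").split(",")]
        return "In Use" in fields

    @property
    def period_left_seconds(self):
        return period_to_seconds(self.attrs.get("Evaluation period left", ""))


def period_to_seconds(text):
    """'8 weeks 3 days' -> seconds; None when the text carries no period (e.g. 'Life time')."""
    parts = PERIOD_RE.findall(text)
    if not parts:
        return None
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in parts)


def parse_show_license_detail(text):
    """Split the output into one LicenseRecord per 'Index:' block."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            current = LicenseRecord(int(m.group(1)), m.group(2), m.group(3))
            records.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current.attrs[key] = value.strip()
        # the prompt line and blank lines are ignored
    return records


def in_use_features(records):
    return sorted({r.feature for r in records if r.in_use})


def audit(records, warn_below=7 * 86400):
    """Findings a reviewer wants: feature levels running on an evaluation
    license, and whether that evaluation ends within warn_below seconds."""
    findings = []
    for r in records:
        if r.license_type == "Evaluation" and r.in_use:
            left = r.period_left_seconds
            msg = "running on an evaluation license"
            if left is not None and left < warn_below:
                msg += f", {left // 86400} day(s) left"
            findings.append((r.feature, msg))
    return findings
```

Run it against the captured output of several switches and the audit list shows which devices will drop to a lower feature level when an evaluation expires, which is the case where activating the purchased PRTU license (license right-to-use activate) is the fix.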

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch.

If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes.

For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.3 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.3.

These sections contain this configuration information:

Configuring a System Name

To manually configure a system name, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

hostname name

Manually configures a system name.

The default setting is Switch.

The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.

To return to the default hostname, use the no hostname global configuration command.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

When you set the system name, it is also used as the system prompt.

Understanding DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.

These sections contain this configuration information:

Default DNS Configuration

Table 1-3 shows the default DNS configuration.

 

Table 1-3 Default DNS Configuration

Feature
Default Setting

DNS enable state

Enabled.

DNS default domain name

None configured.

DNS servers

No name server addresses are configured.

Setting Up DNS

To set up your switch to use the DNS, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ip domain-name name

Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

To remove a domain name, use the no ip domain-name name global configuration command.

Do not include the initial period that separates an unqualified name from the domain name.

At boot time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).

Step 3

ip name-server server-address1 [ server-address2 ... server-address6 ]

Specifies the address of one or more name servers to use for name and address resolution.

To remove a name server address, use the no ip name-server server-address global configuration command.

You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 4

ip domain-lookup

(Optional) Enables DNS-based hostname-to-address translation on your switch. This feature is enabled by default.

To disable DNS on the switch, use the no ip domain-lookup global configuration command.

If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 5

end

Returns to privileged EXEC mode.

Step 6

show running-config

Verifies your entries.

Step 7

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
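The hostname rules given for the hostname command (start with a letter, end with a letter or digit, only letters, digits and hyphens inside, at most 63 characters) and the name-qualification rule just described (an IP address is used directly, an unqualified name gets the ip domain-name appended, a dotted name is looked up as-is) are both small decision procedures. The following is an added example, not Cisco code, that models both together with the primary-then-backup server order of ip name-server. The name-server answers, server addresses and domain names are constructed for the demonstration; what happens when no default domain is configured is not stated on this page and is marked as an assumption in the code.

```python
"""Hostname rules and default-domain qualification, as described above.

Added example, not Cisco code. It models the ARPANET hostname rules
enforced by 'hostname' and how an unqualified name is completed with
'ip domain-name' before a DNS query. The name-server backend and all
addresses are constructed for the demonstration.
"""
import ipaddress
import re

# Starts with a letter, ends with a letter or digit, interior letters/digits/hyphens,
# at most 63 characters (the rules stated for the hostname command).
HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))


def qualify(name, default_domain):
    """Return (query_name, reason). query_name is None when no DNS query is made."""
    try:
        ipaddress.ip_address(name)
        return None, "IP address given: used directly, no DNS query"
    except ValueError:
        pass
    if "." in name:
        return name, "name contains a period: looked up without appending a domain"
    if default_domain:
        return f"{name}.{default_domain}", "unqualified name: default domain appended"
    # Assumption for this example: with no ip domain-name configured the bare name is queried.
    return name, "unqualified name, no default domain configured"


# Constructed answer table: (server, fully qualified name) -> address.
# The primary server 10.0.0.1 deliberately has no record for sw1.example.com.
FAKE_ANSWERS = {
    ("10.0.0.2", "sw1.example.com"): "192.0.2.10",
    ("10.0.0.1", "ftp.example.com"): "192.0.2.21",
    ("10.0.0.2", "ftp.example.com"): "192.0.2.21",
}


def fake_query(server, qname):
    """Stand-in for a DNS query; returns None when the server has no answer."""
    return FAKE_ANSWERS.get((server, qname))


def resolve(name, default_domain, servers, query=fake_query):
    """Resolve name using the servers in configured order (primary first, backups
    only if the primary query fails). Returns (address, answering_server)."""
    if len(servers) > 6:
        raise ValueError("ip name-server accepts at most six servers")
    qname, _ = qualify(name, default_domain)
    if qname is None:
        return name, None  # an IP address needs no lookup
    for server in servers:
        answer = query(server, qname)
        if answer is not None:
            return answer, server
    return None, None
```

The hostname check is worth running on any name before it goes into an automated configuration push: a rejected hostname command leaves the device at its default prompt, and the failure is easy to miss in a script's output.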

Displaying the DNS Configuration

To display the DNS configuration information, use the show running-config privileged EXEC command.

Creating a Banner

You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).

The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts.


Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.3.


These sections contain this configuration information:

Default Banner Configuration

The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.

To configure a MOTD login banner, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

banner motd c message c

Specifies the message of the day.

To delete the MOTD banner, use the no banner motd global configuration command.

For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter:

Switch(config)# banner motd #
it is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#
 

This example shows the banner that appears from the previous configuration:

Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
 
it is a secure site. Only authorized users are allowed.
For access, contact technical support.
 
User Access Verification
 
Password:

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

To configure a login banner, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

banner login c message c

Specifies the login message.

To delete the login banner, use the no banner login global configuration command.

For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter:

Switch# configure terminal
Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)# end
Switch#
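Both banner commands share the same delimiter rule: the delimiter is the character typed after the keyword, the text runs until that character appears again, and anything after the closing delimiter is thrown away. The following parser is an added example, not Cisco code, that applies that rule to a configuration text and reports which banners are still at their default (not configured). SAMPLE_CONFIG is constructed; its banner texts follow the two examples on this page, with trailing text after the MOTD delimiter added to show the discard rule.

```python
"""Extract MOTD and login banners from a configuration text.

Added example, not Cisco code. It applies the delimiter rule the page gives
for 'banner motd c message c' and 'banner login c message c': the delimiter
is the first non-blank character after the keyword, the text runs until the
delimiter appears again, and characters after the closing delimiter are
discarded. SAMPLE_CONFIG is constructed; its banners follow the page's examples.
"""
import re

SAMPLE_CONFIG = """\
hostname Switch
!
banner motd #
it is a secure site. Only authorized users are allowed.
For access, contact technical support.
# this text follows the closing delimiter and is discarded
banner login $Access for authorized users only. Please enter your username and password.$
!
end
"""

BANNER_RE = re.compile(r"^banner\s+(motd|login)\s+(\S)(.*)$")


def parse_banners(config):
    """Return {'motd': text, 'login': text} for the banners present in config."""
    banners = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        kind, delim, chunk = m.group(1), m.group(2), m.group(3)
        parts = []
        while True:
            end = chunk.find(delim)
            if end != -1:
                parts.append(chunk[:end])  # the rest of this line is discarded
                break
            parts.append(chunk)
            i += 1
            if i >= len(lines):
                raise ValueError(f"banner {kind}: closing delimiter {delim!r} not found")
            chunk = lines[i]
        banners[kind] = "\n".join(parts).strip("\n")
        i += 1
    return banners


def missing_banners(banners):
    """Banner kinds still at their default (not configured)."""
    return [kind for kind in ("motd", "login") if kind not in banners]
```

A missing closing delimiter is reported rather than silently swallowing the rest of the configuration, which is the failure mode a reviewer would otherwise miss when the delimiter character also occurs inside the intended message.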

Managing the MAC Address Table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:

  • Dynamic address—A source MAC address that the switch learns and then ages when it is not in use.
  • Static address—A manually entered unicast address that does not age and that is not lost when the switch resets.

The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).


Note For complete syntax and usage information for the commands used in this section, see the command reference for this release.


These sections contain this configuration information:

Building the Address Table

With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use.

The aging interval is globally configured. However, the switch maintains an address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis.

The switch sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked for errors before transmission.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5.

Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.

When PVLANs are configured, address learning depends on the type of MAC address:

  • Dynamic MAC addresses learned in one VLAN of a PVLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
  • Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs. When you configure a static MAC address in a PVLAN primary or secondary VLAN, you should also configure the same static MAC address in all associated VLANs.

For more information about PVLANs, see Chapter 1, “Configuring Private VLANs.”

Default MAC Address Table Configuration

Table 1-4 shows the default MAC address table configuration.

 

Table 1-4 Default MAC Address Table Configuration

Feature
Default Setting

Aging time

300 seconds

Dynamic addresses

Automatically learned

Static addresses

None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN.

Setting too short an aging time can cause addresses to be prematurely removed from the table. When the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.

To configure the dynamic address table aging time, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

mac address-table aging-time [ 0 | 10-1000000 ] [ vlan vlan-id ]

Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.

To return to the default value, use the no mac address-table aging-time global configuration command.

The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.

For vlan-id , valid IDs are 1 to 4094.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show mac address-table aging-time

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.
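The behaviour described in this section and in Building the Address Table above (per-VLAN tables, dynamic learning from source addresses, aging, static entries that never age, filtering when the destination sits on the ingress port, and flooding to the VLAN when the destination is unknown) can be seen working in a small model. The following is an added example, not Cisco code: a MacTable class that accepts the same aging-time values as the mac address-table aging-time command and shows how a short aging time turns into flooding. Port names, MAC addresses and VLAN numbers are constructed; the rule that learning never overwrites a static entry is an assumption of this model.

```python
"""Model of the per-VLAN MAC address table with aging, static entries and
unknown-unicast flooding, as described above. Added example, not Cisco
code; port names, MAC addresses and VLAN numbers are constructed.
"""
from dataclasses import dataclass

DEFAULT_AGING = 300  # seconds (the table default)


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # time the entry was learned or last refreshed


class MacTable:
    def __init__(self, aging_time=DEFAULT_AGING, vlan_ports=None):
        self.aging_time = aging_time          # global aging; 0 disables aging
        self.vlan_aging = {}                  # per-VLAN overrides
        self.tables = {}                      # vlan-id -> {mac: Entry}
        self.vlan_ports = vlan_ports or {}    # vlan-id -> member ports (for flooding)
        self.floods = 0                       # how often an unknown destination was flooded

    def set_aging(self, seconds, vlan=None):
        """mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]."""
        if seconds != 0 and not 10 <= seconds <= 1000000:
            raise ValueError("aging time must be 0 or 10-1000000 seconds")
        if vlan is None:
            self.aging_time = seconds
        elif 1 <= vlan <= 4094:
            self.vlan_aging[vlan] = seconds
        else:
            raise ValueError("vlan-id must be 1-4094")

    def _aging(self, vlan):
        return self.vlan_aging.get(vlan, self.aging_time)

    def learn(self, vlan, mac, port, now):
        """Dynamic learning from a frame's source address; refreshes last_seen."""
        table = self.tables.setdefault(vlan, {})
        entry = table.get(mac)
        if entry is not None and entry.static:
            return  # assumption of this model: learning never overwrites a static entry
        table[mac] = Entry(port, False, now)

    def add_static(self, vlan, mac, port):
        """A manually entered address: never aged."""
        self.tables.setdefault(vlan, {})[mac] = Entry(port, True, 0.0)

    def age(self, now):
        """Drop dynamic entries idle longer than the VLAN's aging time."""
        removed = []
        for vlan, table in self.tables.items():
            limit = self._aging(vlan)
            if limit == 0:
                continue
            for mac, entry in list(table.items()):
                if not entry.static and now - entry.last_seen > limit:
                    del table[mac]
                    removed.append((vlan, mac))
        return removed

    def forward(self, vlan, src, dst, in_port, now):
        """Return the egress ports for a frame: one port, [] when filtered
        (destination on the ingress port), or every other VLAN member port
        when the destination is unknown (flooding)."""
        self.learn(vlan, src, in_port, now)
        self.age(now)
        entry = self.tables.get(vlan, {}).get(dst)
        if entry is None:
            self.floods += 1
            return [p for p in self.vlan_ports.get(vlan, []) if p != in_port]
        if entry.port == in_port:
            return []
        return [entry.port]
```

With the default 300-second aging, a host that stays quiet for longer than that becomes unknown again and its next inbound frame is flooded to every port in the VLAN, which is the performance cost the text attributes to a short aging time; setting aging to 0 keeps entries until they are cleared.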

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in EXEC mode. You can also remove a specific MAC address ( clear mac address-table dynamic address mac-address ), remove all addresses on the specified physical port or port channel ( clear mac address-table dynamic interface interface-id ), or remove all addresses on a specified VLAN ( clear mac address-table dynamic vlan vlan-id ).

To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged EXEC command.

Configuring MAC Change Notification Traps

MAC change notification allows you to track users on a network by storing the MAC change activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the network management system. If you have many users entering and exiting the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and static MAC addresses; events are not generated for self addresses or multicast addresses.

To send MAC change notification traps to an NMS host, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

snmp-server host host-addr [ traps | informs ] { version { 1 | 2c | 3 }} [ auth | noauth | priv ] community-string [udp-port port] [notification-type]

Specifies the recipient of the trap message.

  • For host-addr , specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type , use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification change

Enables the switch to send MAC change traps to the NMS.

To disable the switch from sending MAC change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.

Step 4

mac address-table notification change

Enables the MAC address change notification feature.

Step 5

mac address-table notification change [ interval value ] | [ history-size value ]

Enters the trap interval time and the history table size.

  • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
  • (Optional) For history-size value , specify the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.

To disable the MAC change notification feature, use the no mac address-table notification change global configuration command.

Step 6

interface interface-id

Enters interface configuration mode, and specifies the interface on which to enable the SNMP MAC change notification trap.

Step 7

snmp trap mac-notification change { added | removed }

Enables the MAC change notification trap.

  • added: Enables the MAC change notification trap whenever a MAC address is added on this interface.
  • removed: Enables the MAC change notification trap whenever a MAC address is removed from this interface.

To disable the MAC change notification traps on a specific interface, use the no snmp trap mac-notification change { added | removed } interface configuration command.

Step 8

end

Returns to privileged EXEC mode.

Step 9

show mac address-table notification change interface
show running-config

Verifies your entries.

Step 10

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to specify 172.69.59.93 as the network management system, enable the switch to send MAC change notification traps to the network management system, enable the MAC change notification feature, set the interval time to 60 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port:

Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification change
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 60
Switch(config)# mac address-table notification change history-size 100
Switch(config)# interface fastethernet0/2
Switch(config-if)# snmp trap mac-notification change added
Switch(config-if)# end
Switch# show mac address-table notification change interface
MAC Notification Feature is Enabled on the switch
MAC Notification Flags For All Ethernet Interfaces :
----------------------------------------------------
Interface MAC Added Trap MAC Removed Trap
--------- -------------- ----------------
GigabitEthernet1/1 Enabled Enabled
GigabitEthernet1/2 Enabled Enabled
GigabitEthernet1/3 Enabled Enabled
GigabitEthernet1/4 Enabled Enabled
GigabitEthernet1/5 Enabled Enabled
GigabitEthernet1/6 Enabled Enabled
GigabitEthernet1/7 Enabled Enabled
GigabitEthernet1/8 Enabled Enabled
GigabitEthernet1/9 Enabled Enabled
GigabitEthernet1/10 Enabled Enabled
GigabitEthernet1/11 Enabled Enabled
GigabitEthernet1/12 Enabled Enabled
Switch#

Configuring MAC Move Notification Traps

When you configure MAC move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.

To configure MAC move notification, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

snmp-server host host-addr [ traps | informs ] { version { 1 | 2c | 3 }} [ auth | noauth | priv ] community-string [udp-port port] [notification-type]

Specifies the recipient of the trap message.

  • For host-addr, specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type, use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification move

Enables the switch to send MAC move notification traps to the NMS.

To disable the switch from sending MAC move notification traps, use the
no snmp-server enable traps mac-notification move global configuration command.

Step 4

mac address-table notification mac-move

Enables the MAC-move notification feature.

To disable this feature, use the
no mac address-table notification mac-move global configuration command.

Step 5

end

Returns to privileged EXEC mode.

Step 6

show mac address-table notification mac-move
show running-config

Displays the MAC-move notification status.

Step 7

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to specify 172.69.59.93 as the network management system, enable the switch to send MAC move notification traps to the NMS, enable the MAC move notification feature, and enable traps whenever a MAC address moves from one port to another:

Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification move
Switch(config)# mac address-table notification mac-move
Switch(config)# end
Switch# show mac address-table notification mac-move
MAC Move Notification: Enabled

Configuring MAC Threshold Notification Traps

When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table (MAT) threshold limit is reached or exceeded.

To configure MAC address threshold notification, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

snmp-server host host-addr [ traps | informs ] { version { 1 | 2c | 3 }} [ auth | noauth | priv ] community-string [udp-port port] [notification-type]

Specifies the recipient of the trap message.

  • For host-addr, specify the name or address of the NMS.
  • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
  • Specify the SNMP version to support. Version 1, the default, is not available with informs.
  • For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
  • For notification-type, use the mac-notification keyword.

Step 3

snmp-server enable traps mac-notification threshold

Enables the switch to send MAC threshold notification traps to the NMS.

To disable the switch from sending MAC threshold notification traps, use the
no snmp-server enable traps mac-notification threshold global configuration command.

Step 4

mac address-table notification threshold

Enables the MAC address threshold notification feature.

To disable this feature, use the
no mac address-table notification threshold global configuration command.

Step 5

mac address-table notification threshold
[ limit percentage ] | [ interval time ]

Enters the threshold value for the MAT usage monitoring.

  • (Optional) For limit percentage, specify the percentage of the MAT utilization; valid values are from 1 to 100 percent. Default is 50 percent.
  • (Optional) For interval time, specify the time between notifications; valid values are greater than or equal to 120 seconds. Default is 120 seconds.

Step 6

end

Returns to privileged EXEC mode.

Step 7

show mac address-table notification threshold
show running-config

Displays the MAC utilization threshold notification status.

Step 8

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to specify 172.69.59.93 as the network management system, enable the MAC threshold notification feature, enable the switch to send MAC threshold notification traps to the NMS, set the interval to 123 seconds, and set the limit to 78 percent:

Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification threshold
Switch(config)# mac address-table notification threshold
Switch(config)# mac address-table notification threshold interval 123
Switch(config)# mac address-table notification threshold limit 78
Switch(config)# end
Switch# show mac address-table notification threshold
Status limit Interval
-------------+-----------+-------------
enabled 78 123
Switch#
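The three procedures above (change, move and threshold notification) only deliver anything to the NMS when the feature, the matching trap and an snmp-server host with the mac-notification type are all present, and the interval and history-size values have documented ranges. The following auditor, an added example and not Cisco code, parses those commands out of a running-config excerpt and reports the combinations that would silently produce no notification or that fall outside the ranges quoted in the steps. The running-config text is constructed for the example; the parsing rules follow the command syntax shown in the procedures and nothing else is assumed about the device.

```python
import re

# Value ranges quoted in the three procedures above.
CHANGE_INTERVAL_RANGE = (0, 2147483647)   # seconds, default 1
HISTORY_SIZE_RANGE = (0, 500)             # entries, default 1
THRESHOLD_LIMIT_RANGE = (1, 100)          # percent of MAT, default 50
THRESHOLD_INTERVAL_MIN = 120              # seconds, default 120

# Constructed running-config excerpt (assumed for this example, not captured
# from a device).  The threshold interval is deliberately below the minimum
# and the threshold trap is deliberately left unconfigured.
SAMPLE_CONFIG = """\
snmp-server host 172.69.59.93 private mac-notification
snmp-server enable traps mac-notification change
snmp-server enable traps mac-notification move
mac address-table notification change
mac address-table notification change interval 60
mac address-table notification change history-size 100
mac address-table notification mac-move
mac address-table notification threshold
mac address-table notification threshold limit 78
mac address-table notification threshold interval 90
interface GigabitEthernet1/1
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
interface GigabitEthernet1/2
 snmp trap mac-notification change added
"""


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def audit_mac_notification(config_text):
    """Parse the MAC notification commands out of a running-config and return
    (state, findings).  findings lists conditions under which the NMS would
    receive nothing, or values outside the documented ranges."""
    state = {
        "nms_hosts": [],
        "traps_enabled": set(),
        "change": {"enabled": False, "interval": 1, "history_size": 1},
        "move": {"enabled": False},
        "threshold": {"enabled": False, "limit": 50, "interval": 120},
        "interface_traps": {},
    }
    current_if = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            continue
        m = re.fullmatch(r"snmp trap mac-notification change (added|removed)", line)
        if m and current_if:
            state["interface_traps"].setdefault(current_if, set()).add(m.group(1))
            continue
        m = re.fullmatch(r"snmp-server host (\S+) .*\bmac-notification\b.*", line)
        if m:
            state["nms_hosts"].append(m.group(1))
            continue
        m = re.fullmatch(r"snmp-server enable traps mac-notification (change|move|threshold)", line)
        if m:
            state["traps_enabled"].add(m.group(1))
            continue
        m = re.fullmatch(r"mac address-table notification change(?: (interval|history-size) (\d+))?", line)
        if m:
            if m.group(1) is None:
                state["change"]["enabled"] = True      # the bare command enables the feature
            else:
                state["change"][m.group(1).replace("-", "_")] = int(m.group(2))
            continue
        if line == "mac address-table notification mac-move":
            state["move"]["enabled"] = True
            continue
        m = re.fullmatch(r"mac address-table notification threshold(?: (limit|interval) (\d+))?", line)
        if m:
            if m.group(1) is None:
                state["threshold"]["enabled"] = True
            else:
                state["threshold"][m.group(1)] = int(m.group(2))
            continue

    findings = []
    if not state["nms_hosts"]:
        findings.append("no snmp-server host carries the mac-notification type")
    for feature in ("change", "move", "threshold"):
        feature_on = state[feature]["enabled"]
        trap_on = feature in state["traps_enabled"]
        if feature_on and not trap_on:
            findings.append(f"{feature}: feature enabled but trap not enabled")
        elif trap_on and not feature_on:
            findings.append(f"{feature}: trap enabled but feature not enabled")
    if state["change"]["enabled"] and not state["interface_traps"]:
        findings.append("change: no interface has snmp trap mac-notification change")
    if not _in_range(state["change"]["interval"], CHANGE_INTERVAL_RANGE):
        findings.append("change: interval out of range")
    if not _in_range(state["change"]["history_size"], HISTORY_SIZE_RANGE):
        findings.append("change: history-size out of range")
    if not _in_range(state["threshold"]["limit"], THRESHOLD_LIMIT_RANGE):
        findings.append("threshold: limit out of range")
    if state["threshold"]["interval"] < THRESHOLD_INTERVAL_MIN:
        findings.append(f"threshold: interval {state['threshold']['interval']} below minimum {THRESHOLD_INTERVAL_MIN}")
    return state, findings


if __name__ == "__main__":
    state, findings = audit_mac_notification(SAMPLE_CONFIG)
    for finding in findings:
        print("FINDING:", finding)
```

Run against the constructed excerpt the auditor reports two findings: the threshold feature is enabled without its trap, and the threshold interval of 90 seconds is below the 120-second minimum. Feed it the output of show running-config from a real switch to check the same conditions there.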

Adding and Removing Static Address Entries

A static address has these characteristics:

  • It is manually entered in the address table and must be manually removed.
  • It can be a unicast or multicast address.
  • It does not age and is retained when the switch restarts.

You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.

A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.

You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.

When you configure a static MAC address in a private-VLAN primary or secondary VLAN, you should also configure the same static MAC address in all associated VLANs. Static MAC addresses configured in a private-VLAN primary or secondary VLAN are not replicated in the associated VLAN. For more information about PVLANs, see Chapter 1, “Configuring Private VLANs.”

To add a static address, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

mac address-table static mac-addr vlan vlan-id interface interface-id

Adds a static address to the MAC address table.

  • For mac-addr , specify the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
  • For vlan-id , specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
  • For interface-id , specify the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels.

You can specify static multicast addresses for multiple interface IDs. However, you cannot assign a static unicast MAC address to multiple interfaces with the same MAC address and VLAN ID.

To remove static entries from the address table, use the
no mac address-table static mac-addr vlan vlan-id [ interface interface-id ] global configuration command.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show mac address-table static

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:

Switch# configure terminal
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1
Switch(config)# end
Switch#

Configuring Unicast MAC Address Filtering

When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.

When using unicast address filtering, consider these guidelines:

  • Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported. If you specify one of these addresses when entering the mac address-table static vlan drop global configuration command, one of these messages appears:
    % Only unicast addresses can be configured to be dropped
    % CPU destined address cannot be configured as drop address
  • Packets that are forwarded to the CPU are also not supported.
  • If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.

For example, if you enter the mac address-table static vlan interface global configuration command followed by the mac address-table static vlan drop command, the switch drops packets with the specified MAC address as a source or destination.

If you enter the mac address-table static vlan drop global configuration command followed by the mac address-table static vlan interface command, the switch adds the MAC address as a static address.

You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received.

To configure the switch to drop a source or destination unicast static address, perform this task:

 

Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

mac address-table static mac-addr vlan vlan-id drop

Enables unicast MAC address filtering and configures the switch to drop a packet with the specified source or destination unicast static address.

  • For mac-addr , specify a source or destination unicast MAC address. Packets with this MAC address are dropped.
  • For vlan-id , specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.

To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id drop global configuration command.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show mac address-table static

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:

Switch# configure terminal
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
Switch(config)# end
Switch#

Note To filter MAC addresses on a secondary VLAN, specify the corresponding primary VLAN in the above configuration. If the specified VLAN is a primary VLAN, all matching packets received in this primary VLAN and associated secondary VLANs are dropped.
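The two sections above describe a small set of rules for static entries: a unicast address maps to one interface per VLAN while a multicast address may map to several, only unicast addresses can be dropped, and for the same MAC and VLAN the last of interface or drop to be entered wins. The following model, an added example and not Cisco code, implements exactly those rules so the override behaviour can be exercised without a switch. The class and method names are this example's own; router and CPU-destined addresses, which the text also excludes from filtering, are not modelled.

```python
import re

VLAN_RANGE = (1, 4094)


class StaticMacError(ValueError):
    """Raised where the switch would reject the command."""


def parse_mac(text):
    """Parse Cisco dotted MAC notation (for example c2f3.220a.12f4) into 6 bytes."""
    m = re.fullmatch(r"([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})", text)
    if not m:
        raise StaticMacError(f"bad MAC address: {text}")
    return bytes.fromhex("".join(m.groups()))


def is_multicast(mac):
    # I/G bit: least-significant bit of the first octet; broadcast (all ones) also sets it.
    return bool(mac[0] & 0x01)


class StaticMacTable:
    """Static MAC address table keyed by (mac, vlan)."""

    def __init__(self):
        # value is {"action": "forward", "ifaces": set()} or {"action": "drop"}
        self.entries = {}

    def _key(self, mac_text, vlan):
        if not VLAN_RANGE[0] <= vlan <= VLAN_RANGE[1]:
            raise StaticMacError(f"VLAN {vlan} outside {VLAN_RANGE[0]}-{VLAN_RANGE[1]}")
        return parse_mac(mac_text), vlan

    def add_interface(self, mac_text, vlan, iface):
        """mac address-table static <mac> vlan <vlan> interface <iface>"""
        key = self._key(mac_text, vlan)
        entry = self.entries.get(key)
        if entry is None or entry["action"] == "drop":
            # A drop entry is replaced outright: the later command overrides the earlier one.
            entry = {"action": "forward", "ifaces": set()}
            self.entries[key] = entry
        if not is_multicast(key[0]) and entry["ifaces"] and iface not in entry["ifaces"]:
            raise StaticMacError("a static unicast address maps to a single interface per VLAN")
        entry["ifaces"].add(iface)

    def add_drop(self, mac_text, vlan):
        """mac address-table static <mac> vlan <vlan> drop"""
        key = self._key(mac_text, vlan)
        if is_multicast(key[0]):
            raise StaticMacError("% Only unicast addresses can be configured to be dropped")
        self.entries[key] = {"action": "drop"}   # replaces any forward entry

    def remove(self, mac_text, vlan, iface=None):
        """no mac address-table static <mac> vlan <vlan> [interface <iface>]"""
        key = self._key(mac_text, vlan)
        entry = self.entries.get(key)
        if entry is None:
            return False
        if iface is not None and entry["action"] == "forward":
            entry["ifaces"].discard(iface)
            if entry["ifaces"]:
                return True          # other interfaces remain for a multicast entry
        del self.entries[key]
        return True

    def lookup(self, mac_text, vlan):
        """("drop", None), ("forward", frozenset(ifaces)), or None when no static entry exists."""
        entry = self.entries.get(self._key(mac_text, vlan))
        if entry is None:
            return None
        if entry["action"] == "drop":
            return ("drop", None)
        return ("forward", frozenset(entry["ifaces"]))
```

Entering the interface form and then the drop form for c2f3.220a.12f4 in VLAN 4 leaves a drop entry; entering them in the opposite order leaves a forward entry, which is the override rule stated above. A lookup in a VLAN where the address was never entered returns None, reflecting that a static entry is per VLAN.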


Disabling MAC Address Learning on a VLAN

By default, MAC address learning is enabled on all VLANs on the switch. By controlling which VLANs can learn MAC addresses, you can manage the available MAC address table space. By disabling learning on a VLAN, you conserve MAC address table space because none of the MAC addresses seen on that VLAN are learned.

Before disabling MAC address learning, you should understand the network topology and features deployed. Many Layer 2 features use MAC addresses and may not work properly if learning is disabled. Because disabling learning causes flooding of packets, you need to understand the impact of flooding on the network.

These sections contain this information:

Configuring Disable MAC Address Learning

To disable MAC address learning on a VLAN, perform this task:

 

Command
Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# no mac address-table learning vlan vlan-id range

Disables MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.

You can reenable MAC address learning on a VLAN by entering the
mac address-table learning vlan global configuration command.

Step 3

Switch(config)# end

Returns to privileged EXEC mode.

Step 4

Switch# show mac address-table learning [ vlan vlan-id range ]

Displays the MAC address learning status of all VLANs or a specified VLAN.

Step 5

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

This example shows how to disable learning on any VLAN or range of VLANs:

Switch# configure terminal
Switch(config)# no mac address-table learning vlan 9-16
Switch(config)# end
Switch#
 
Switch# show mac address-table learning
Learning disabled on vlans: 9-11,13-16
 
Switch# show mac address-table learning vlan 10-15
Learning disabled on vlans: 10-11,13-15

Usage Guidelines


Note These guidelines are advisory only. Contact the Cisco solution provider team for specific solution implementations.


When disabling MAC address learning on a VLAN, consider these guidelines:

  • If learning is disabled on a VLAN with an SVI interface, every IP packet in the Layer 2 domain is flooded. Because this flooding may be undesirable, disable MAC address learning on an SVI VLAN with care.
  • If you provide a VLAN range that includes reserved VLANs (such as 1000-1006), the command is accepted and learning is disabled for all VLANs in the range except 1002-1005 (that is, for 1000-1001 and 1006). However, if you specify an invalid range (such as 1-5000), the command fails and learning is not disabled on any of the VLANs.
  • With PVLANs, you need to disable learning on the primary VLAN and all secondary VLANs associated with that primary VLAN. Otherwise, you encounter traffic flooding in one direction and unicast flooding in the other direction.
  • Before disabling MAC address learning on a VLAN, consider the flooding implications.
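The VLAN-list behaviour described in the procedure and the guidelines above (IDs 1 to 4094, a range that spans the reserved VLANs 1002-1005 is accepted with those four skipped, an out-of-range list is rejected as a whole, and show mac address-table learning prints compressed ranges such as 9-11,13-16) is captured by the following helper, an added example and not Cisco code. The LearningState class is this example's own way of tracking the effect of the no mac address-table learning vlan and mac address-table learning vlan commands on a set of VLANs.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
RESERVED = set(range(1002, 1006))   # 1002-1005 are skipped, never rejected


def expand_vlan_list(text):
    """'9-16,20' -> [9, 10, ..., 16, 20], minus reserved VLANs.

    Raises ValueError if any element is malformed or outside 1-4094, so a
    list such as '1-5000' fails as a whole, matching the guideline above."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"invalid VLAN list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range {part} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans - RESERVED)


def compress_vlan_list(vlans):
    """[9, 10, 11, 13, 14, 15, 16] -> '9-11,13-16' (the show output format)."""
    vlans = sorted(set(vlans))
    out = []
    i = 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        out.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(out)


class LearningState:
    """Tracks the VLANs on which learning has been disabled."""

    def __init__(self):
        self.disabled = set()

    def no_learning(self, vlan_list):
        """no mac address-table learning vlan <list>: all-or-nothing, as expand_vlan_list raises first."""
        self.disabled.update(expand_vlan_list(vlan_list))

    def learning(self, vlan_list):
        """mac address-table learning vlan <list>: re-enables learning."""
        self.disabled.difference_update(expand_vlan_list(vlan_list))

    def show(self, vlan_list=None):
        """show mac address-table learning [vlan <list>]"""
        shown = self.disabled
        if vlan_list is not None:
            shown = shown & set(expand_vlan_list(vlan_list))
        return "Learning disabled on vlans: " + compress_vlan_list(shown)
```

With learning disabled on 9-11 and 13-16, show("10-15") returns the filtered line "Learning disabled on vlans: 10-11,13-15", the same shape as the second show command in the example above; expand_vlan_list("1000-1006") returns only 1000, 1001 and 1006, and "1-5000" raises without changing anything.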

Deployment Scenarios

This section includes these deployment scenarios:

Metro (Point to Point Links)

In this topology, you have two ports on a VLAN; traffic enters one and must exit the other. On a point-to-point link in metro networks, numerous MAC addresses are seen on these types of ports. By disabling learning on the VLAN to which these two ports belong, many entries in the MAC address table space can be saved. Because there is only one egress port for the traffic, you can flood the packet and avoid having to learn all the MAC addresses seen on this port. This process saves considerable space in the MAC address table.

With source learning disabled, packets are bridged as Layer 2 flood packets. Replicated packets use a distinct dedicated bandwidth. Regardless of the number of ports in a flood set, a flood packet always consumes replication packet bandwidth, which consumes some multicast and broadcast packet-processing bandwidth (Figure 1-2).

Figure 1-2 Disabling MAC Address Learning: Point-to-Point Links

 

Network Load Balancers

In this topology, you have two devices, one active and one standby. To perform load balancing, both devices must receive all packets. You could place both devices on the same VLAN. If learning can be disabled on this VLAN, the packet is flooded and both devices receive all traffic destined to any MAC address on the VLAN. You also can assign a multicast MAC address to both load balancers to ensure that all packets reach them (Figure 1-3).

Figure 1-3 Disabling MAC Address Learning: Network Load Balancers

 

Layer 2 Firewall or Cache

In this topology, a rewritten Layer 3 packet is routed back to a Layer 2 firewall (or cache) before exiting. When the packet reenters the switch from the firewall, it possesses the switch’s MAC address because the packet was previously routed. If the ingress port is a switch port, the switch learns the router’s MAC address. For a routed port or SVI, however, the switch does not learn the address. Source misses are generated continuously for all arriving data packets and the switch shows a very high CPU utilization.

By disabling learning on the VLAN to which the firewall or cache egress is connected, the source miss is suppressed and you do not observe high CPU utilization (Figure 1-4).

Figure 1-4 Disabling MAC Address Learning: Layer 2 Firewall/Cache

 

Feature Compatibility

The following features are compatible with disabling MAC address learning on a VLAN:

  • EtherChannel—The learning disable feature has no impact on EtherChannel provided that the MAC learning state is either disabled or enabled for a VLAN on EtherChannel ports.
  • Switch Virtual Interface (SVI, Layer 3 on a VLAN)—The learning disable feature has no impact on SVI. Although disabling MAC address learning on an SVI VLAN causes flooding, it does not impact any Layer 3 feature.
  • REP—The learning disable feature has no impact on REP provided that the MAC learning state is either disabled or enabled for an active VLAN on a port where REP is running.
  • Unicast, Multicast, and Broadcast—When you disable learning on a VLAN, learning is disabled for all types of traffic.
  • DAI, ESMP, and IGMP snooping— These features do not interact with the learning disable feature.
  • Control packets— Control packets arrive at the CPU even if learning is disabled.
  • RSPAN— Learning on a VLAN and on an RSPAN are compatible.
  • VLAN translation—To disable learning on a VLAN that is being translated, you must disable learning on the translated VLAN.

Feature Incompatibility

The following features are incompatible with disabling MAC address learning and do not work properly when the feature is enabled:

  • 802.1X—The 802.1X class of features does not work when learning is disabled because some of these features require source miss, which is ignored.
  • Port security—Port security requires learning to be enabled on the VLAN. To secure MAC addresses, packets must first arrive at the CPU. However, if you disable learning on a VLAN, source-address (SA) suppression prevents packets from reaching the CPU in this way.
  • Unicast flood blocking—When unicast flood blocking is enabled on a port, the port is removed from the VLAN flood set. If learning is disabled on the same VLAN, the host connected to that port does not receive traffic.
  • DHCP snooping—To send the packet out the correct port once a DHCP request has been resolved, DHCP snooping must learn the MAC address. If you disable learning, the switch does not know on which port to send the packet out; the two features are incompatible.
  • Broadcast storm control— This feature does not interact with the learning disable feature.
  • Flooding of packets in a VLAN domain in which learning is disabled through PVL.

Partial Feature Incompatibility

Although the following features are partially incompatible with disabling MAC address learning, they still retain a large portion of their functionality:

  • FlexLink—FlexLink functions and upstream convergence are not impacted. However, downstream fast convergence uses the MAC table to send dummy multicast packets upstream for each learned MAC address to expedite downstream convergence. This does not happen when learning is disabled. FlexLink downstream convergence still occurs naturally, but it is slower when learning is disabled on that VLAN.
  • PVLAN—To observe correct behavior, you must disable learning on the primary VLAN and all secondary VLANs associated with the primary VLAN.

Note To avoid confusion, configure PVLAN similarly on both the primary and secondary VLANs in the PVLAN space.


  • Spanning Tree (STP)—Except for the UplinkFast feature, per-VLAN spanning tree functionality is not impacted. To achieve faster downstream convergence, UplinkFast forwards dummy multicast packets using learned MAC addresses. This action is not possible unless MAC learning is enabled.

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 1-5.

 

Table 1-5 Commands for Displaying the MAC Address Table

Command
Description

show ip igmp snooping groups

Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.

show mac address-table address

Displays MAC address table information for the specified MAC address.

show mac address-table aging-time

Displays the aging time in all VLANs or the specified VLAN.

show mac address-table count

Displays the number of addresses present in all VLANs or the specified VLAN.

show mac address-table dynamic

Displays only dynamic MAC address table entries.

show mac address-table interface

Displays the MAC address table information for the specified interface.

show mac address-table notification

Displays the MAC notification parameters and history table.

show mac address-table static

Displays only static MAC address table entries.

show mac address-table vlan

Displays the MAC address table information for the specified VLAN.

Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution.

The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval and the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.

ARP entries added manually to the table do not age and must be manually removed.

For CLI procedures, see the Cisco IOS Release 12.3 documentation on Cisco.com.

Configuring Embedded CiscoView Support

The Catalyst 4500 series switch supports CiscoView web-based administration using the Catalyst Web Interface (CWI) tool. CiscoView is a device management application that can be embedded on the switch flash and provides dynamic status, monitoring, and configuration information for your switch. CiscoView displays a physical view of your switch chassis with color-coded modules and ports and monitoring capabilities that display the switch status, performance, and other statistics. Configuration capabilities allow comprehensive changes to devices, if the required security privileges have been granted. The configuration and monitoring capabilities for the Catalyst 4500 series of switches mirror those available in CiscoView in all server-based CiscoWorks solutions, including CiscoWorks LAN Management Solution (LMS) and CiscoWorks Routed WAN Management Solution (RWAN).

These sections describe the Embedded CiscoView support available with Cisco IOS Release 12.1(20)EW and later releases:

Understanding Embedded CiscoView

The Embedded CiscoView network management system is a web-based interface that uses HTTP and SNMP to provide a graphical representation of the switch and to provide a GUI-based management and configuration interface.

Installing and Configuring Embedded CiscoView

To install and configure Embedded CiscoView, perform this task:

 

Command
Purpose

Step 1

Switch# dir device_name

Displays the contents of the device.

If you are installing Embedded CiscoView for the first time, or if the CiscoView directory is empty, skip to Step 5.

Step 2

Switch# delete device_name:cv/*

Removes existing files from the CiscoView directory.

Step 3

Switch# squeeze device_name:

Recovers the space in the file system.

Step 4

Switch# copy tftp bootflash

Copies the tar file to bootflash.

Step 5

Switch# archive tar /xtract tftp://tftp-server-ip-address/ciscoview.tar device_name:cv

Extracts the CiscoView files from the tar file on the TFTP server to the CiscoView directory.

Step 6

Switch# dir device_name:

Displays the contents of the device.

In a redundant configuration, repeat Step 1 through Step 6 for the file system on the redundant supervisor engine.

Step 7

Switch# configure terminal

Enters global configuration mode.

Step 8

Switch(config)# ip http server

Enables the HTTP web server.

Step 9

Switch(config)# snmp-server community string ro

Configures the SNMP community string (the SNMP password) for read-only operation.

Step 10

Switch(config)# snmp-server community string rw

Configures the SNMP community string (the SNMP password) for read/write operation.


Note The default password for accessing the switch web page is the enable-level password of the switch.


The following example shows how to install and configure Embedded CiscoView on your switch:

Switch# dir
Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1910127 Jan 23 2003 04:23:39 +00:00 cv/Cat4000IOS-4.0.sgz
5 -rw- 7258 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_ace.html
6 -rw- 405 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_error.html
7 -rw- 2738 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_install.html
8 -rw- 20450 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_jks.jar
9 -rw- 20743 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_nos.jar
10 -rw- 12383 Jan 23 2003 04:23:46 +00:00 cv/applet.html
11 -rw- 529 Jan 23 2003 04:23:46 +00:00 cv/cisco.x509
12 -rw- 2523 Jan 23 2003 04:23:46 +00:00 cv/identitydb.obj
13 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt
 
32578556 bytes total (38199688 bytes free)
Switch#
Switch# del cv/*
Delete filename [cv/*]?
Delete bootflash:cv/Cat4000IOS-4.0.sgz? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_ace.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_error.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_install.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_jks.jar? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_nos.jar? [confirm]y
Delete bootflash:cv/applet.html? [confirm]y
Delete bootflash:cv/cisco.x509? [confirm]y
Delete bootflash:cv/identitydb.obj? [confirm]y
Switch#
 
Switch# squeeze bootflash:
All deleted files will be removed. Continue? [confirm]y
Squeeze operation may take a while. Continue? [confirm]y
Squeeze of bootflash complete
Switch#
Switch# copy tftp bootflash
Address or name of remote host []? 10.5.5.5
Source filename []? Cat4000IOS.v5-1.tar
Destination filename [Cat4000IOS.v5-1.tar]?
Accessing tftp://10.5.5.5/Cat4000IOS.v5-1.tar...
Loading Cat4000IOS.v5-1.tar from 10.5.5.5 (via FastEthernet2/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 2031616 bytes]
 
2031616 bytes copied in 11.388 secs (178400 bytes/sec)
Switch#
Switch# dir
Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt
5 -rw- 2031616 Mar 26 2003 05:33:12 +00:00 Cat4000IOS.v5-1.tar
 
32578556 bytes total (38199688 bytes free)
 
Switch#
Switch# archive tar /xtract Cat4000IOS.v5-1.tar /cv
extracting Cat4000IOS-5.1.sgz (1956591 bytes)
extracting Cat4000IOS-5.1_ace.html (7263 bytes)
extracting Cat4000IOS-5.1_error.html (410 bytes)
extracting Cat4000IOS-5.1_install.html (2743 bytes)
extracting Cat4000IOS-5.1_jks.jar (20450 bytes)
extracting Cat4000IOS-5.1_nos.jar (20782 bytes)
extracting applet.html (12388 bytes)
extracting cisco.x509 (529 bytes)
extracting identitydb.obj (2523 bytes)
Switch#
Switch# dir
 
Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt
5 -rw- 2031616 Mar 26 2003 05:33:12 +00:00 Cat4000IOS.v5-1.tar
6 -rw- 1956591 Mar 26 2003 05:36:11 +00:00 cv/Cat4000IOS-5.1.sgz
7 -rw- 7263 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_ace.html
8 -rw- 410 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_error.html
9 -rw- 2743 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_install.html
10 -rw- 20450 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_jks.jar
11 -rw- 20782 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_nos.jar
12 -rw- 12388 Mar 26 2003 05:36:19 +00:00 cv/applet.html
13 -rw- 529 Mar 26 2003 05:36:19 +00:00 cv/cisco.x509
14 -rw- 2523 Mar 26 2003 05:36:19 +00:00 cv/identitydb.obj
 
32578556 bytes total (7358284 bytes free)
 
Switch#
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip http server
Switch(config)# snmp-server community public ro
Switch(config)# snmp-server community public rw
Switch(config)# exit
Switch# wr
Building configuration...
Compressed configuration from 2735 bytes to 1169 bytes[OK]
Switch# show ciscoview ?
package ADP Package Details
version ADP version
| Output modifiers
<cr>

For more information about web access to the switch, refer to the “Using the Cisco Web Browser” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide at this URL:

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4t/cf_12_4t_book.html

Displaying Embedded CiscoView Information

To display the Embedded CiscoView information, enter the following commands:

 

Command
Purpose

Switch# show ciscoview package

Displays information about the Embedded CiscoView files.

Switch# show ciscoview version

Displays the Embedded CiscoView version.

The following example shows how to display the Embedded CiscoView file and version information:

Switch# show ciscoview package
File source:
CVFILE SIZE(in bytes)
------------------------------------------------
Cat4000IOS-5.1.sgz 1956591
Cat4000IOS-5.1_ace.html 7263
Cat4000IOS-5.1_error.html 410
Cat4000IOS-5.1_install.html 2743
Cat4000IOS-5.1_jks.jar 20450
Cat4000IOS-5.1_nos.jar 20782
applet.html 12388
cisco.x509 529
identitydb.obj 2523
 
Switch# show ciscoview version
Engine Version: 5.3.4 ADP Device: Cat4000IOS ADP Version: 5.1 ADK: 49
Switch#