Table Of Contents
Configuring and Monitoring from the Switch Manager
Navigating the Switch Manager
Making Changes from the Switch Manager
Assigning or Changing Basic Switch Information
Assigning or Changing the Switch Host Name and Description
Switch Host Name
Switch and Command-Switch IP Addresses
Changing the Switch Password
Privileged-Level Passwords
Cluster Member Passwords
Using the Switch Image to Monitor the Switch
System Status LED on the Switch Image
Redundant Power System LED on the Switch Image
Port LEDs and Modes on the Switch Image
Cluster Management Button
Link to Telnet to the Management Console
Links to Cisco Systems Resources
Changing the Port Settings
Enabling or Disabling a Port
Port Status
Changing the Port Duplex Mode
Full-Duplex Operation
Flow Control
Autonegotiation
Enabling or Disabling Flooding of Unknown MAC Addresses
Enabling or Disabling ECC on the 100-Mbps Ports
Assigning or Changing a Port Name or Description
Detailed Port Statistics
Managing the Switch Address Tables
Dynamic Address Table
Changing the Address Aging Time
Permanent Unicast Address Table
Permanent Multicast Address Table
Changing the Port Security Table
Securing a Port
Changing the Maximum Secure Address Count
Security Reject Count
Clearing Addresses on LinkDown
Changing the SNMP Settings
Assigning or Changing the SNMP Read Community Strings
Assigning or Changing the SNMP Write Community Strings
Assigning or Changing Trap Managers
Authentication Trap Generation
LinkUp/LinkDown Trap Generation
Broadcast Storm Trap Generation
Address Violation Trap Generation
Assigning or Changing Write Managers
Changing the Spanning-Tree Protocol Settings
Enabling or Disabling Spanning-Tree Protocol
Spanning-Tree Root Settings
Changing the Spanning-Tree Options for the Switch
Changing Spanning-Tree Settings for Bridge Group 1 and Its Ports
Port and Forwarding STP States
Changing the CDP Settings
Displaying CDP Neighbors
Changing the CDP Settings
Enabling or Disabling CDP on a Port
Port Monitoring (Switched Port Analyzer)
Changing the Console Port Settings and Upgrading the Firmware
Configuring the Switch Console Port
Management Console Inactivity Timeout
Modem Initialization String
Auto Baud
Auto Answer
Upgrading the Switch Firmware
Downloading Switch Firmware from a TFTP Server
Downloading Switch Firmware from a TFTP Client
Exception and Utilization Statistics
Resetting Port and Switch Statistics
Exception Statistics
Utilization Statistics
Changing the System Management Settings
Assigning or Changing IP Information
Domain Name System Servers
Routing Information Protocol
Switch Performance and Flooding and Traffic Control
Switching Modes
Store-and-Forward for Multicast Frames
Action Upon Address Violations
Network Port
Half-Duplex Back Pressure on 10-Mbps Ports
ECC on 10-Mbps Ports
Broadcast Storm Control
Managing Multicast Packets with CGMP
Changing the CGMP Settings
CGMP Fast Leave
Router Hold Time
IP Multicast Address Table
Router Ports Table
Configuring and Monitoring from the Switch Manager
This chapter explains how to use the switch manager to change the configuration settings and to monitor the switch. This chapter assumes that you have already performed these preliminary tasks that are described in this guide or in the Quick Start Guide: Catalyst 1900 Series Ethernet Switches:
• "Connecting to the Console Port" section
• "Assigning IP Information and a Password to the Switch" section
• "Accessing the Switch Manager" section
Note
The switch manager online help also provides the procedures for changing the configuration settings and detailed descriptions of the fields.
Note
This chapter describes only standard-edition options. For information about the enterprise edition software features such as VLANs, see the Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide.
Navigating the Switch Manager
At the top of each switch manager page is a menu bar. Figure 3-1 describes the functions of the pages accessible from this bar.
Note
On Netscape Communicator, when the cursor is above a topic on the menu bar, a pop-up briefly describes the options on that particular page.
Figure 3-1 Switch Manager Menu Bar
Making Changes from the Switch Manager
You can change the switch settings by entering information into fields, adding and removing list items, or selecting and deselecting check boxes. Click Apply to save your changes. Click Cancel to discard all your unsaved changes and to return the previous settings to the page.
Note
After you click Apply, you cannot revert to the previous settings.
Note
Wait approximately 1 minute for the changes to be saved to permanent storage before turning off the switch, or the changes might not be saved.
• When you enter information in fields and select or deselect check boxes, the changes are saved and take effect immediately after you click Apply.
• When you add items to or remove them from lists, the changes take effect immediately. It is not necessary to click Apply.
• If you are using Microsoft Internet Explorer 5.0 to make configuration changes to the switch, be aware that this browser does not reflect the latest configuration changes. Make sure you click the browser Refresh button for every configuration change.
Assigning or Changing Basic Switch Information
You can assign or change basic descriptions about the switch. You can also assign an encrypted (secret) privileged-level password to the switch management interfaces and monitor network activity through the live switch image.
From the switch manager, you can open a Telnet session on the management console and contact Cisco Systems resources.
To display the Home Page (Figure 3-2), click HOME on the menu bar.
Figure 3-2 Home Page
Assigning or Changing the Switch Host Name and Description
You can assign or change the following information about the switch:
• Name of the switch (maximum of 255 characters)
• Physical location of the switch (maximum of 255 characters)
• Name of the person responsible for managing the switch (maximum of 255 characters)
Switch Host Name
Caution
Do not use "-NN" (where NN is a number) in the name you define for the switch. When the switch joins a cluster, the command switch overwrites any name containing "-NN."
The name you assign to the switch is kept even when the switch joins or leaves a cluster. If the switch does not have a name before it joins a cluster, the command switch assigns it a name that consists of the command-switch name and a number that reflects when the switch was added to the cluster. For example, a command switch can name a Catalyst 1900 switch eng-cluster-5, where eng-cluster is the command-switch name and 5 means that it is the fifth switch to join the cluster. When the switch name is viewed from the Cluster Management applications, the name is truncated to 32 characters. If the switch leaves the cluster, the switch keeps the name given by the command switch.
When the switch is a cluster member, the Member Switch Host Name field also displays the switch name at the top of each switch manager page. Therefore, the names in the Host Name and Member Switch Host Name fields are identical.
Switch and Command-Switch IP Addresses
The Switch IP Address field displays the IP address of the switch itself, which is typically assigned after the switch is installed. (See the "Assigning IP Information and a Password to the Switch" section.) If the switch does not have an IP address, the Switch IP Address field displays 0.0.0.0. When the switch is a cluster member, the Command Switch IP field displays the command-switch IP address at the top of each switch manager page.
IP information identifies the switch on the network and is required to configure and monitor it as an individual switch. When you assign the switch its own IP address, you can manage it from its management interfaces (switch manager, management console, SNMP, or CLI). The switch retains its own IP address even when it joins or leaves a switch cluster.
If you do not assign an IP address to the switch, you must add the switch to a switch cluster and manage it through the command switch. Whether or not the switch has its own IP address, when the switch is a cluster member, it is managed and communicates with other member switches through the IP address of the command switch. If the switch leaves the cluster and it does not have its own IP address, you then must assign IP information to it to manage and monitor it as a nonmember switch.
Note
We recommend that you assign an IP address to the switch even if the switch is or will be a cluster member so that if the switch is removed from the cluster, it remains manageable as a nonmember switch.
For additional information, see the "Assigning or Changing IP Information" section. For information about IP information in switch clusters, refer to the Cisco IOS Desktop Switch Software Configuration Guide, Catalyst 2900 Series XL and Catalyst 3500 Series XL Cisco IOS Release 12.0(5)XP.
Changing the Switch Password
A privileged-level password (encrypted or unencrypted) is required to access the switch management interfaces (switch manager, management console through a Telnet session, or CLI).
The password you assign from the Assign/Change Password field on the is an encrypted (secret) privileged-level password. This password provides higher security and supersedes any existing unencrypted privileged-level password, including the unencrypted privileged-level password that is assigned from the [P] Console Password option on the . (For information about where you can assign privileged-level passwords, see the "Privileged-Level Passwords" section.)
Follow these steps to assign an encrypted privileged-level password to the switch or to change the existing switch password to an encrypted privileged-level password:
Step 1
Enter a new password in the Assign/Change Password field. The password can be 1 to 25 characters and is case sensitive. You can use any character found on the keyboard, including spaces and double-quotation marks. A multistring password (such as two words) is also valid.
Step 2
Reenter the same string in the Reconfirm Password field.
Step 3
Click Apply.
Step 4
Access the switch manager by using the newly assigned password.
Note
When the switch is shipped, no password is assigned to it. However, a privileged-level password is required to access the Catalyst 1900 Switch Manager or to use Telnet access from a remote station. If you do not assign a password, this access will not be available until the switch joins a cluster or until you assign the switch a privileged-level password from the management console (see the "Console Settings Menu" section) through a direct connection to the switch console port.
When your switch is a cluster member, the highest privileged-level password for the command switch is the privileged-level password to the switch. The command-switch password overwrites any switch-specific passwords. For more information about passwords in switch clusters, see the "Cluster Member Passwords" section.
Note
We do not recommend changing the password while the switch is a cluster member. This will cause a password mismatch, and you will have to manually enter the cluster member password to display the switch manager from the command switch.
If you have lost or forgotten the password, see the "Recovering from a Lost or Forgotten Password" section.
Privileged-Level Passwords
If you plan to manage the switch outside of a switch cluster, you can assign an unencrypted or encrypted privileged-level password to the switch to restrict access to its management interfaces (Table 3-1).
Table 3-1 Assigning Privileged-Level Passwords
| Privileged-Level Password | Assigned from... |
|---|---|
| Unencrypted | • [P] Console Password option on the • [M] Modify password option on the • CLI |
| Encrypted | • • [E] Modify secret password option on the • CLI |
Read and Write community strings operate as passwords to the switch when managing it from an SNMP management station. See the "Changing the SNMP Settings" section.
For information about the user-level passwords, refer to the online-only Catalyst 1900 Series and Catalyst 2820 Series Command Reference.
Cluster Member Passwords
When the switch joins a cluster, the highest privileged-level password (encrypted or unencrypted) of the command switch supersedes any existing password for the switch. Keep in mind the following considerations:
• When you add the switch to a cluster, inform other users that they must now use the command-switch password to access the switch management interfaces.
• If the command switch does not have a password, no password is required when accessing the member switch from the command switch.
• When the switch leaves the cluster, it retains the command-switch password. You can assign a different privileged-level (encrypted or unencrypted) password to the switch to manage and monitor it as a nonmember switch.
Note
We do not recommend changing the password while the switch is a cluster member. This will cause a password mismatch, and you will have to manually enter the cluster member password to display the switch manager from the command switch.
For password information about switch clusters, refer to the Cisco IOS Desktop Switch Software Configuration Guide, Catalyst 2900 Series XL and Catalyst 3500 Series XL Cisco IOS Release 12.0(5)XP.
Using the Switch Image to Monitor the Switch
If you are using a remote station, you can use the LEDs and the Mode button on the switch image to monitor the switch. The switch image on the shows the front-panel LED colors at the last polling interval and refreshes every 30 seconds.
System Status LED on the Switch Image
The colors of the system status (SYSTEM) LED on the switch image show that the switch is receiving power and functioning properly (Table 3-2).
Table 3-2 SYSTEM LED Description
| Color | System Status |
|---|---|
| Solid green | Switch is operating normally. |
| Solid amber | Switch is receiving power but might not be functioning properly. One or more power-on self-test (POST) errors occurred. The message identifies which nonfatal test(s) failed. Note: If a fatal error occurs, the switch is not operational, and no message is displayed. (See the "Powering Up and Using POST to Test the Switch" section and the "Understanding POST Failures" section.) |
Redundant Power System LED on the Switch Image
The colors of the redundant power system (RPS) LED show the status (Table 3-3) of a connected Cisco RPS (model PWR600-AC-RPS). For more information about the RPS, see the "Power Connectors" section.
Table 3-3 RPS LED Description
| Color | RPS Status |
|---|---|
| Black (off) | RPS is off or is not installed. |
| Solid green | RPS is operational. |
| Blinking green | RPS and the switch AC power supply are both powered up. Note: This is not a recommended configuration. For more information, see the "Power Connectors" section. |
| Solid amber | RPS is connected but is not functioning properly. One of the power supplies in the RPS could be powered down, or a fan on the RPS could have failed. |
Port LEDs and Modes on the Switch Image
Each port has an LED above it. These LEDs, as a group or individually, display information about the switch and about individual ports (Table 3-4).
Table 3-4 Port LED Modes Summary
| Mode | Determines... |
|---|---|
| Port status (default) | Status of individual ports |
| Bandwidth utilization | Percentage of the switch total bandwidth being used at any one time |
| Full-duplex operation | Which ports are operating in half- or full-duplex mode |
Changing Between Modes
Click the Mode button on the switch image to change the mode of the port LEDs. The STAT (port status), UTL (switch utilization), and FDUP (port duplex mode) LEDs show which mode is active (Table 3-5). The selected mode remains on for approximately 30 seconds before returning to the default mode (port status). You can change the default mode from the on the management console.
Table 3-5 Changing Between Modes
| For this Mode... | Push the Mode Button Until... |
|---|---|
| Port status (STAT) | Only the STAT LED is green. |
| Bandwidth utilization (UTL) | Only the UTL LED is green. |
| Full-duplex operation (FDUP) | Only the FDUP LED is green. |
Port Status Mode
The port status mode is the default mode. In this mode, the colors of the LEDs above the ports show the status of those ports (Table 3-6). You cannot change the default mode from the switch manager; instead, you must use the on the management console. (See the "Console Settings Menu" section.)
Table 3-6 Port Status Mode LED Description
| Color | Port Status |
|---|---|
| Blue (off) | No link. |
| Solid green | Link operational. |
| Alternating green and amber | Link fault. Error frames can affect connectivity. Excessive collisions, CRC errors, and alignment and jabber errors are monitored for a link-fault indication. |
| Solid amber | Port is not forwarding. This could be because the port was disabled by management, suspended because of an address violation, or suspended by Spanning-Tree Protocol (STP) because of network loops. |
Note
The LEDs are solid amber for approximately 30 seconds after power up during spanning-tree discovery.
Bandwidth Utilization Mode
In the UTL mode, the port LEDs as a group show the switch bandwidth being used at any one time. The more LEDs that are lit, the higher the bandwidth being used. The peak utilization is recorded in the bandwidth-capture interval, described in the "Bandwidth Usage Report" section.
Table 3-7 Bandwidth Utilization Scale with 12 and 24 10BaseT Ports
| 12 10BaseT Ports: Port LEDs | 12 10BaseT Ports: Mbps Activity | 24 10BaseT Ports: Port LEDs | 24 10BaseT Ports: Mbps Activity |
|---|---|---|---|
| 1 to 4 | 0.1 to < 1.5 | 1 to 8 | 0.1 to < 6 |
| 5 to 8 | 1.5 to < 20 | 9 to 16 | 6 to < 120 |
| 9 to 12 | 20 to 140 | 17 to 24 | 120 to 280 |
Full-Duplex Operation Mode
The colors of the LEDs in FDUP mode show which 10BaseT and 100BaseT ports are operating in full-duplex mode (Table 3-8).
Table 3-8 FDUP LED Description
| Color | Full-Duplex |
|---|---|
| Blue | Half-duplex mode is operational. |
| Green | Full-duplex mode is operational. |
Cluster Management Button
Click Cluster Management to display the Cluster Management applications on the command switch. This button is available only when the switch is a cluster member. For information about the Cluster Management applications, refer to the Cisco IOS Desktop Switch Software Configuration Guide, Catalyst 2900 Series XL and Catalyst 3500 Series XL Cisco IOS Release 12.0(5)XP.
Link to Telnet to the Management Console
Click Telnet to open a Telnet session on the management console. At the prompt, enter the switch password or, if applicable, the command-switch password.
Links to Cisco Systems Resources
The provides these links to connect to Cisco Systems resources:
• Click Cisco Connection Online (CCO) to display the CCO home page (www.cisco.com), which contains links to the support sites for downloading the latest software and displaying the latest Cisco documentation.
• Click Technical Assistance Center (TAC) to send e-mail to TAC (tac@cisco.com). You can also phone TAC at 800-553-2447 or 408-526-7209.
• Click HTML Interface Development Group to send e-mail to the switch manager development group (cs-html@cisco.com).
Changing the Port Settings
You can change the settings of the 10- and 100-Mbps ports. To display the Port Management Page (Figure 3-3), click PORT on the menu bar, or click the port on the switch image.
Figure 3-3 Port Management Page
Note
The AUI port settings are displayed in the 10BaseT Ports Table, where the AUI port is port 13 on a 12-port switch or port 25 on a 24-port switch.
Enabling or Disabling a Port
Note
You access the switch manager from a management station that is connected to one of the switch ports. Therefore, make sure that you do not disable or otherwise misconfigure the port through which you are communicating with the switch. You might want to write down the port number to which you are connected. Make changes to the switch IP information with care.
By default, all ports are enabled to transmit and receive data. To disable a port:
Step 1
Deselect the Enable check box in the Status: Requested/Actual column.
Step 2
Click Apply.
A linkDown trap is sent to the management station if you configured an SNMP manager.
Step 3
Click Home to display the switch image. The port LED for a disabled port is amber.
To re-enable a port:
Step 1
Select the Enable check box in the Status: Requested/Actual column.
Step 2
Click Apply.
A linkUp trap is sent to the management station if you configured an SNMP manager.
Step 3
Click Home to display the switch image. If the enabled port is connected to a device, the port LED is green; otherwise, it is blue.
Port Status
The Status: Requested/Actual column also displays the port status in the gray area below the Enable check box. Security violations, management intervention, or actions of the Spanning-Tree Protocol (STP) can change the port status. No packets are forwarded to or from a disabled or suspended port. However, suspended ports do monitor incoming packets to look for an activating condition. For example, when a linkbeat returns, a port suspended for no linkbeat returns to the enabled state.
Each port is always in one of the states listed in Table 3-9.
Table 3-9 Port Status Descriptions
| Port Status | Description |
|---|---|
| Enabled | Port can transmit and receive data. |
| Disabled-mgmt | Port is disabled by management action. Port must be manually re-enabled. |
| Suspended-no-linkbeat | Port is suspended because of no linkbeat. This is usually because the attached station is disconnected or powered-down. Port automatically returns to enabled state when the condition causing the suspension is removed. |
| Suspended-jabber | Port is suspended because attached station is jabbering. Port automatically returns to enabled state when the condition causing the suspension is removed. |
| Suspended-violation | Port is suspended because of an address violation. Port automatically returns to enabled state when the condition causing the suspension is removed. |
| Disabled-self-test | Port is disabled because it failed a self-test. |
| Disabled-violation | Port is disabled because of an address violation. Port must be manually enabled. |
| Reset | Port is in the reset state. |
Changing the Port Duplex Mode
The default duplex mode depends on the port type:
• Half duplex is the default for the 10-Mbps ports and the 100-Mbps fiber-optic ports.
• Autonegotiate is the default for the 100BaseTX ports.
To change the port duplex mode:
Step 1
Select half duplex, full duplex, full duplex with flow control, or autonegotiate from the Duplex Mode: Requested/Actual drop-down list.
The default for the 10-Mbps ports and the 100-Mbps fiber-optic ports is half duplex. The default for the 100BaseTX ports is autonegotiate.
Note
The full duplex with flow control option is available only on the 100-Mbps ports. The autonegotiate option is available only on the 100BaseTX ports, not on the 10BaseT ports or the 100-Mbps fiber-optic ports.
Note
After you select Auto-negotiate as the 100BaseTX port duplex mode from this page and click Apply, "Auto-negotiate" displays in the Actual field while the switch and the other device negotiate the duplex mode. Click Port on the switch manager menu bar to display the final duplex state of the port.
Step 2
Click Apply.
Step 3
Click Home to display the switch image.
Step 4
Click the Mode button until the FDUP LED lights. If the port LED is blue (off), the port is running in half duplex. If the port LED is green, the port is running in full duplex.
Full-Duplex Operation
Full-duplex operation is the simultaneous transmission of data in both directions across a link. For example, a 100-Mbps port operating in full-duplex mode can provide up to 200 Mbps of bandwidth across the switched link.
Note
Both ends of the link must be configured for full-duplex operation. Because hubs operate only at half duplex, a full-duplex port on the switch cannot be connected to a hub.
Flow Control
Flow control is a function whereby the transmitting station does not send data or control information faster than the receiving station can accept it. This prevents the loss of outgoing packets during transmission. If the switch is transmitting packets faster than the attached device can receive and process them, the attached device sends pause-control frames when its port buffer becomes full. When you use the full-duplex with flow control option on a 100-Mbps port, the switch port responds to the pause-control frames sent from the attached device. The switch holds subsequent transmissions in the port queue for the time specified in the pause-control frame. When no more pause-control frames are received, or when the default time specified has passed, the switch resumes transmitting frames through the port.
Note
Although the Catalyst 1900 switches do not generate pause-control frames, the switches do respond appropriately to pause-control frames generated by other devices.
Note
Flow control on full-duplex ports is only available on the 100-Mbps ports. For information about using the half-duplex back pressure option on the 10-Mbps ports, see the "Half-Duplex Back Pressure on 10-Mbps Ports" section.
Autonegotiation
When you use the autonegotiate option on a 100BaseTX port, it automatically configures for full-duplex operation if the connected device also supports full duplex. If the attached device does not autonegotiate, the port automatically configures itself to half duplex.
Note
Duplex negotiation is only available on the 100BaseTX ports.
Enabling or Disabling Flooding of Unknown MAC Addresses
By default, all switch ports are enabled to forward unicast and multicast packets with unknown destination Media Access Control (MAC) addresses. You can enable or disable flooding on a per-port basis.
A unicast packet is information addressed to one recipient from one sender. This type of traffic typically comprises the bulk of traffic on an Ethernet LAN. A multicast packet is information sent to multiple recipients from one sender. This lightens the load on the sender and on the network because only one data stream is sent, rather than one per recipient. A broadcast packet is information sent to all nodes within a single network segment and can be a major source of congestion.
The switch forwards each unicast or multicast packet it receives according to the entries stored in the switch content-addressable memory (CAM) table. The table entries are mappings of the MAC addresses of destination end-stations and of the associated switch ports through which incoming packets are forwarded to those destination end-stations.
• If the destination address is not listed in the table, the switch forwards the packet to all switch ports except the port from which the packet was received. When the destination end-station replies, the switch adds the MAC address and its associated forwarding port to the table.
• If the associated port is the same port on which the packet is received, the packet is not forwarded (filtered).
Flooding is the forwarding of unicast or multicast packets with unknown destination addresses to all the switch ports. (A broadcast packet is always forwarded [flooded] to all ports.) Flooding adds traffic on the switch ports. In some configurations, flooding could be unnecessary. For example, there are no unknown destinations on switch ports with only statically assigned addresses or single stations attached. In this case, you can disable flooding on these ports.
You can assign a network port to which all unknown unicast addresses are forwarded. For more information, see the "Network Port" section.
The switch can store up to 1024 address entries in memory.
For more information about address management, see the "Managing the Switch Address Tables" section. For information about multicast packet control, see the "Managing Multicast Packets with CGMP" section. For information about broadcast packet control, see the "Broadcast Storm Control" section.
To disable flooding on a port:
Step 1
Deselect the unicast or multicast check box for the port.
Step 2
Click Apply.
To enable flooding on a port:
Step 1
Select the unicast or multicast check box for the port.
Step 2
Click Apply.
Enabling or Disabling ECC on the 100-Mbps Ports
By default, enhanced congestion control (ECC) is disabled on all 100-Mbps ports. This option reduces congestion on the switch and keeps the switch from dropping frames because of full transmit queues. The ECC option can be enabled on half-duplex ports and can be configured on a per-port basis on the 100-Mbps ports.
For information about ECC on the 10-Mbps ports, see the "ECC on 10-Mbps Ports" section. ECC on the 10-Mbps ports is set on a global basis, not on a per-port basis.
To enable ECC on a 100-Mbps port:
Step 1
Select one of the following modes from the Enhanced Congestion Control drop-down list.
• Adaptive—Causes the port to operate under the ECC Disabled setting if the transmit queue is not full. If the queue is full, the port uses the ECC Aggressive setting.
• Disabled—Causes the port to operate under the standard IEEE 802.3 backoff algorithm for retransmitting frames.
• Moderately Aggressive—Causes the port to use a modified backoff algorithm to more aggressively retransmit frames and empty the queue.
• Aggressive—Is the highest acceleration rate configurable for ECC. The port uses a modified backoff algorithm to more aggressively retransmit frames and empty the queue than when set at ECC Moderately Aggressive.
Step 2
Click Apply.
Assigning or Changing a Port Name or Description
To assign a name or description to a port:
Step 1
In the Port Name/Description column, enter the port name or a description (up to 60 characters).
Step 2
Click Apply.
Detailed Port Statistics
The Detailed Port Statistics Page (Figure 3-4) displays the receive and transmit statistics for the port you select. You can use this page to help identify performance or connectivity problems, which are listed under the Errors area of the page. For example, Frame Check Sequence (FCS) and alignment errors could be the result of cabling problems such as the following:
• Cabling distance exceeded
• Split pairs
• Defective patch-panel ports
• Wrong cable type
• Misconfigured full-duplex connection
To display this page, click View... for a particular port on the . The errors are described in Table 3-10.
Figure 3-4 Detailed Port Statistics Page

Table 3-10 Error Descriptions
| Error | Description |
|---|---|
| FCS errors | Number of frames received on a particular interface that are an integral number of octets in length but do not pass the Frame Check Sequence (FCS) test. |
| Alignment errors | Number of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS test. |
| Giant frames | Number of frames received on a particular interface that exceed the permitted frame size. |
| Address violations | Number of times this secure port receives a source address that duplicates a static address configured on another port plus the number of times a source address was seen on this port that does not match any addresses secured for the port. |
| Late collisions | Number of times the port detects a collision on a particular interface later than 512 bit-times into the transmission of a packet. |
| Excessive deferrals | Number of frames for which the port defers transmission for an excessive period of time. |
| Jabber errors | Number of times the jabber function was invoked because a frame received from this port exceeded a certain time duration. |
Managing the Switch Address Tables
The switches use source address tables (filters) to efficiently forward packets between the switch ports. Address filtering applies only to incoming (received) traffic on the switch. The source address tables list the source addresses (sending end-stations) and the associated switch port(s) through which packets are forwarded to the destination end-stations.
Packets with static addresses are usually received on any source port. The switch also supports source-port filtering on unicast and multicast addresses. This enhanced filtering enables the switch to only forward packets from source addresses when they are received on specified switch ports. These source addresses are referred to as restricted static addresses.
The switch can store up to 1024 address entries in memory.
For additional traffic control options, see the following sections:
• "Enabling or Disabling Flooding of Unknown MAC Addresses" section
• "Switch Performance and Flooding and Traffic Control" section
• "Broadcast Storm Control" section
• "Managing Multicast Packets with CGMP" section
To display the (Figure 3-5), click Address on the menu bar.
Figure 3-5 Address Table Management Page
Dynamic Address Table
The switch provides dynamic addressing by learning the source MAC address of each packet received on each switch port and then adding the address and its associated forwarding switch port number to the Dynamic Address Table. As end-stations are added or removed from the network, the switch updates the table, adding new entries and removing unused ones.
To delete a specific entry from the Dynamic Address Table:
Step 1: Select the entry you want to delete.
Step 2: Click Remove.
Changing the Address Aging Time
As the switch reaches the maximum address limit of 1024 address entries in memory, switch performance can degrade. Address aging helps prevent this by allowing the switch to keep only dynamic addresses that remain active over a specified period of time.
During a topology change, if the Port Fast mode option on the is disabled, addresses are aged more quickly by using the Forward delay option on the . When the topology stabilizes, the address-aging value again takes effect.
To assign the length of time the switch stores an inactive entry, after which it is removed from the table:
Step 1: Enter the number of seconds (10 to 1000000; where 1000000 seconds is approximately 11 1/2 days) in the Aging Time field. The default is 300 seconds (5 minutes). This value applies to all dynamic addresses in the Dynamic Address Table.
Step 2: Click Apply.
Permanent Unicast Address Table
The entries in the Permanent Unicast Address Table allow MAC addresses to be permanently associated with a switch port. Unlike the Dynamic Address Table, the entries in the Permanent Unicast Address Table are manually entered or sticky-learned. (See the "Securing a Port" section.)
If the address table is full, an error message is generated. You can change the size of the address table by using the . (See the "Changing the Maximum Secure Address Count" section.) For additional information about port security, see the "Changing the Port Security Table" section.
You can assign a network port to which all unknown unicast addresses are forwarded. For more information, see the "Network Port" section.
Note: Only unicast addresses can be added. An attempt to add a multicast or broadcast address generates an error message.
To add a secure address to the Permanent Unicast Address Table:
Step 1: Select a switch port from the New Address scroll list.
Step 2: Enter the source MAC address in the MAC Address field. Use six hexadecimal octets; spaces are optional (such as hh hh hh hh hh hh or hhhhhhhhhhhh).
Step 3: Click Add.
Static entries do not age out and must be manually removed from the table. To delete an entry from the table:
Step 1: Select the entry you want to delete.
Step 2: Click Remove.
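The MAC Address field format and the unicast-only rule above, as an added example (not part of the Cisco documentation or the switch software): a strict parser for the two accepted spellings that refuses multicast and broadcast addresses by testing the group bit of the first octet. The function names are hypothetical and the sample addresses are constructed.

```python
import re

# Accepted spellings from the page: "hh hh hh hh hh hh" or "hhhhhhhhhhhh".
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{12}|[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){5})")


def parse_mac(text):
    """Return the address as 6 bytes, or raise ValueError on any other spelling."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not six hexadecimal octets: {text!r}")
    return bytes.fromhex(text.replace(" ", ""))


def classify(mac):
    """Classify a 6-byte address as 'broadcast', 'multicast' or 'unicast'."""
    if mac == b"\xff" * 6:
        return "broadcast"
    # The least significant bit of the first octet is the group (multicast) bit.
    return "multicast" if mac[0] & 0x01 else "unicast"


def check_unicast_entry(text):
    """Validate input for the Permanent Unicast Address Table.

    Returns the normalized 12-digit form; raises ValueError for malformed
    input and for multicast or broadcast addresses, which the table refuses.
    """
    mac = parse_mac(text)
    kind = classify(mac)
    if kind != "unicast":
        raise ValueError(f"{kind} address cannot be added to the unicast table")
    return mac.hex()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real device.
    for sample in ("00 00 0c 12 34 56", "00000C123456", "01 00 5e 00 00 01",
                   "ff ff ff ff ff ff", "00-00-0c-12-34-56"):
        try:
            print(sample, "->", check_unicast_entry(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```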
Permanent Multicast Address Table
The entries in the Permanent Multicast Address Table allow multicast addresses to be permanently associated with the switch port(s) that receive packets destined for those multicast addresses. Using the Permanent Multicast Address Table reduces the amount of multicast flooding on the switch. Unlike the Dynamic Address Table, the entries in the Permanent Multicast Address Table are manually entered.
If the address table is full, an error message is generated. You can change the size of the address table by using the . (See the "Changing the Maximum Secure Address Count" section.)
For additional information, see the following sections:
• "Changing the Port Security Table" section
• "Managing Multicast Packets with CGMP" section
To add a secure address to the Permanent Multicast Address Table:
Step 1: Select a switch port from the New Address scroll list.
Step 2: Enter the multicast MAC address in the MAC Address field. Use six hexadecimal octets; spaces are optional (such as hh hh hh hh hh hh or hhhhhhhhhhhh).
Step 3: Click Register.
Static entries do not age out and must be manually removed from the table. To delete an entry from the table:
Step 1: Select the entry you want to delete.
Step 2: Click Unregister.
Changing the Port Security Table
You can use the (Figure 3-6) to prevent the switch from forwarding packets from unauthorized users and to send SNMP traps if security violations occur. To display this page, click Port Security Table from the .
Figure 3-6 Port Security Table Page
Securing a Port
By default, port security is disabled (Security check box is not selected). Secure ports restrict the use of a switch port to a specific group of source addresses (sending end-stations). When you assign source addresses to a secure port, the switch does not forward any packets from addresses outside that group.
The source addresses on a secure port are manually assigned (static) or sticky-learned. Sticky-learning takes place when the address table for a secure port does not contain a full complement of static addresses. The port sticky-learns the source address of incoming packets and automatically assigns them as static addresses.
Note: This option must be disabled on the network port. For more information about the network port, see the "Network Port" section.
To enable port security on a port:
Step 1: Select the check box in the Security column for the port.
Step 2: Click Apply.
To disable port security on a port:
Step 1: Deselect the check box in the Security column for the port.
Step 2: Click Apply.
Changing the Maximum Secure Address Count
If the port is not a secure port, the value in the Maximum Secure Addresses field is 0. A secure port can have from 1 to 132 secure addresses associated with it.
Limiting the number of devices that can connect to a secure port has the following advantages:
• Dedicated bandwidth—If the size of the address table is set to 1, the attached device is guaranteed the full 10 Mbps or 100 Mbps of the port.
• Added security—Devices cannot connect to the port without your knowledge.
Note: The size of the address table for an unsecured port cannot be modified.
To change the number of addresses allowed on the secure port:
Step 1: Enter a number (1 to 132) in the Maximum Secure Addresses column.
Step 2: Click Apply.
Security Reject Count
The Security Reject Count (SRC) column displays the number of unauthorized addresses seen on the secure port.
Secure ports generate address-security violations under the following conditions:
• The address table of a secure port is full and the address of an incoming packet is not found in the table.
• An incoming packet has a source address statically assigned to another port.
If a security violation occurs, the port can be suspended or disabled. When a port is disabled, you must manually re-enable the port. When a port is suspended, it is re-enabled when a packet containing a valid address is received. You can also choose to ignore the violation. You can define the action taken by the switch either by using the or by using the MIB objects.
On the following switch manager pages, you can specify the action the switch takes if packets with unauthorized addresses arrive on the port:
• On the , you can enable or disable trap generation.
• On the , you can assign the switch to ignore, suspend, or disable the port if an address violation occurs. (For more information, see the "Action Upon Address Violations" section.)
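The secure-port behaviour described in "Securing a Port" through "Security Reject Count", as an added model (example code, not Cisco's implementation): it sticky-learns until the Maximum Secure Addresses count is reached, counts both violation conditions in the SRC, and applies the ignore, suspend, or disable action. Class and method names are hypothetical and the addresses are constructed; treating a newly sticky-learned address as valid for lifting a suspension, and counting rejects under the ignore action, are assumptions.

```python
from dataclasses import dataclass, field

# Violation actions named on the page: ignore, suspend, or disable the port.
IGNORE, SUSPEND, DISABLE = "ignore", "suspend", "disable"


@dataclass
class SecurePort:
    name: str
    max_secure: int = 1        # Maximum Secure Addresses: 1 to 132 per the page
    action: str = SUSPEND      # default chosen for this model only (assumption)
    static: set = field(default_factory=set)  # manual and sticky-learned addresses
    state: str = "enabled"     # enabled | suspended | disabled
    reject_count: int = 0      # Security Reject Count (SRC)

    def __post_init__(self):
        if not 1 <= self.max_secure <= 132:
            raise ValueError("a secure port holds 1 to 132 secure addresses")


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _secured_elsewhere(self, mac, port):
        return any(mac in p.static for p in self.ports.values() if p is not port)

    def receive(self, port_name, src_mac):
        """Apply port security to one frame's source address: 'forward' or 'drop'."""
        port = self.ports[port_name]
        if port.state == "disabled":
            return "drop"                    # stays down until manually re-enabled
        if src_mac in port.static:
            port.state = "enabled"           # a valid address lifts a suspension
            return "forward"
        free_slot = len(port.static) < port.max_secure
        if free_slot and not self._secured_elsewhere(src_mac, port):
            port.static.add(src_mac)         # sticky-learn as a static address
            port.state = "enabled"           # assumption: learned address is valid
            return "forward"
        # Violation: table full and address unknown, or address secured on another port.
        port.reject_count += 1               # assumption: counted under IGNORE too
        if port.action == SUSPEND:
            port.state = "suspended"
        elif port.action == DISABLE:
            port.state = "disabled"
        return "drop"                        # frames from outside the group are never forwarded

    def reenable(self, port_name):
        """Manual re-enable, the only way back from the disable action."""
        self.ports[port_name].state = "enabled"


if __name__ == "__main__":
    # Constructed addresses; the port name follows no particular device.
    sw = Switch([SecurePort("1", max_secure=1, action=DISABLE)])
    for mac in ("00000c000001", "00000c000002", "00000c000001"):
        print(mac, sw.receive("1", mac), sw.ports["1"].state)
```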
Clearing Addresses on LinkDown
By default, the secure port keeps its association with all static addresses even if it loses link (Clear Addresses on LinkDown check box is not selected). You can enable a secure port to clear its address associations on linkDown.
Note: This option is applicable only to secure ports (Security check box is selected).
To enable the secure port to clear its address table on linkDown:
Step 1: Select the check box in the Clear Addresses on LinkDown column for the port.
Step 2: Click Apply.
To disable the secure port from clearing its address table on linkDown:
Step 1: Deselect the check box in the Clear Addresses on LinkDown column for the port.
Step 2: Click Apply.
Changing the SNMP Settings
Simple Network Management Protocol (SNMP) provides the means to manage and monitor the switch through the Management Information Base (MIB) objects. Additional information about SNMP and MIB objects is in the "Simple Network Management Protocol" section and the "Accessing MIB Files" section.
For information about how the command switch uses SNMP to manage the switch in the cluster, refer to the Cisco IOS Desktop Switch Software Configuration Guide, Catalyst 2900 Series XL and Catalyst 3500 Series XL Cisco IOS Release 12.0(5)XP.
To display the (Figure 3-7), click SNMP on the menu bar.
Figure 3-7 SNMP Management Page
Assigning or Changing the SNMP Read Community Strings
The default for the first Read community string is public. You can assign up to four community strings to serve as passwords that enable the switch to validate SNMP read (Get) requests from a management station.
When the switch joins a cluster, the command switch propagates its first Read community string as the last Read community string for the member switch. If the joining Catalyst 1900 switch already has four Read community strings, the command switch overrides that fourth community string with its own first community string. When the switch leaves the cluster, the command-switch community string is deleted.
The command-switch string contains up to 27 characters and a suffix "@esNN" where NN is the member switch number.
Caution: Do not use "@es" in the community strings you define for the switch. When the switch joins a cluster, any community string containing "@es" is deleted.
To add or change an SNMP Read community string:
Step 1: Enter up to 32 characters in the Read Community String field. The default for the first Read community string is public.
Step 2: Click Add.
To remove an SNMP Read community string:
Step 1: Select the community string from the Current list.
Step 2: Click Remove.
Assigning or Changing the SNMP Write Community Strings
The default for the first Write community string is private. You can assign up to four community strings to serve as passwords that enable the switch to validate SNMP read-write (Set) requests from a management station. The write managers you assign to the switch can use any of the switch Write community strings.
When the switch joins a cluster, the command switch assigns its first Write community string as the last Write community string for the member switch. If the joining Catalyst 1900 switch already has four Write community strings, the command switch overrides that fourth community string with its own first community string. When the switch leaves the cluster, the command-switch community string is deleted.
The command-switch string contains up to 27 characters and a suffix "@esNN" where NN is the member switch number.
Caution: Do not use "@es" in the community strings you define for the switch. When the switch joins a cluster, any community string containing "@es" is deleted.
To add or change an SNMP Write community string:
Step 1: Enter up to 32 characters in the Write Community String field. The default for the first Write community string is private.
Step 2: Click Add.
To remove an SNMP Write community string:
Step 1: Select the community string from the Current list.
Step 2: Click Remove.
Assigning or Changing Trap Managers
A trap manager, or trap client, is an SNMP management station that receives traps, which are the system alerts generated by the switch. If no trap manager is defined, no traps are issued.
You can assign up to four trap managers and their accompanying community strings. A trap manager can use its accompanying community string only; it cannot use the community string of another trap manager.
Trap manager settings can be configured from the switch or, if the switch is a cluster member, from the command switch.
After you have assigned the trap manager(s), the switch generates, by default, the following traps:
• warmStart
• coldStart
• linkDown
• linkUp
• authenticationFailure
• newRoot
• topologyChange
• logonIntruder
• switchDiagnostic
• addressViolation
• broadcastStormControl
• rpsFailed
• ipAddressChange
For more information about traps, see the "Simple Network Management Protocol" section and the "Accessing MIB Files" section.
To assign a trap manager and its community string:
Step 1: In the IP Address field, enter the IP address of the SNMP management station that can issue trap requests to the switch. Use dotted quad format (nnn.nnn.nnn.nnn). If the switch is connected to a Domain Name System (DNS) server, you can enter the name of the trap manager instead.
Step 2: Enter a community string (up to 32 characters) in the Trap Manager Community String field.
Step 3: Click Add.
To remove a trap manager:
Step 1: Select the manager from the Current list.
Step 2: Click Remove.
Authentication Trap Generation
By default, authentication trap generation is enabled (Enable Authentication Trap Generation check box is selected). This option enables the switch to generate authentication traps, which alert a management station of SNMP requests not accompanied by a valid community string.
Note: Even if this option is enabled, no traps are generated if no trap manager addresses or names are assigned. (See the "Assigning or Changing Trap Managers" section.)
To disable authentication trap generation:
Step 1: Deselect the Enable check box.
Step 2: Click Apply.
LinkUp/LinkDown Trap Generation
By default, linkUp/linkDown trap generation is enabled (Enable LinkUp/LinkDown Trap Generation check box is selected). This option enables the switch to generate linkDown traps when a port is suspended or disabled for any of these reasons:
• Secure address violation (address mismatch or duplication)
• Network connection error (loss of linkbeat or jabber error)
• Port disabled by management action
The switch generates linkUp traps when a port is enabled for any of these reasons:
• Presence of linkbeat
• Management intervention
• Recovery from an address violation or any other error
Note: No more than one trap is sent every 5 seconds per port. The last trap generated in the 5-second interval is the one sent.
To disable linkUp/linkDown trap generation:
Step 1: Deselect the Enable check box.
Step 2: Click Apply.
Broadcast Storm Trap Generation
By default, broadcast storm trap generation is disabled (Enable Broadcast Storm Trap Generation check box is not selected). When this option is enabled, the switch generates SNMP alerts when the broadcast threshold is exceeded. The alert generated is the trapbroadcastStorm. A trap is generated every 30 seconds.
For information about broadcast storm control, see the "Broadcast Storm Control" section.
To enable broadcast storm trap generation:
Step 1: Select the Enable check box.
Step 2: Click Apply.
Address Violation Trap Generation
By default, address violation trap generation is enabled (Enable Address Violation Trap Generation check box is selected). This option enables the switch to generate SNMP alerts if an address violation occurs.
To disable address violation trap generation:
Step 1: Deselect the Enable check box.
Step 2: Click Apply.
Assigning or Changing Write Managers
A write manager is an SNMP management station that can issue write requests to the switch. You can assign up to four write managers. The switch allows write requests from only the specified write managers or from the command switch. The write managers you assign can use any of the switch Write community strings.
Caution: If no write manager is assigned to the switch, any management station can modify the switch MIB objects.
Note: The write manager option is not available from the command switch. To use this option, use the or the .
To assign a write manager:
Step 1: Enter the IP address in the IP Address field. Use dotted quad format (nnn.nnn.nnn.nnn). If the switch is connected to a DNS server, you can enter the name of the write manager instead.
Step 2: Click Add.
To remove a write manager:
Step 1: Select the manager from the Current list.
Step 2: Click Remove.
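An added audit sketch (not Cisco code) that turns the SNMP cautions and defaults stated in the community-string, trap-manager, and write-manager sections above into checks over a recorded configuration. The dictionary layout, finding codes, and both sample configurations are constructed for this example.

```python
MAX_STRINGS = 4    # page: up to four community strings of each type
MAX_LEN = 32       # page: up to 32 characters per community string
DEFAULTS = {"read": "public", "write": "private"}  # defaults stated on the page


def audit_snmp(cfg):
    """Return (code, detail) findings for one switch's SNMP settings.

    cfg is a hypothetical dict: read_communities, write_communities,
    write_managers (hosts), trap_managers ((host, community) pairs),
    auth_trap and address_violation_trap (booleans, enabled by default).
    """
    findings = []
    for kind, default in DEFAULTS.items():
        strings = cfg.get(f"{kind}_communities", [])
        if len(strings) > MAX_STRINGS:
            findings.append(("TOO_MANY", f"{kind}: {len(strings)} strings, limit {MAX_STRINGS}"))
        for i, s in enumerate(strings, 1):
            # Report the position only: community strings act as passwords.
            if s == default:
                findings.append(("DEFAULT_COMMUNITY", f"{kind} string #{i} is the default"))
            if "@es" in s:
                findings.append(("RESERVED_AT_ES", f"{kind} string #{i} is deleted on cluster join"))
            if len(s) > MAX_LEN:
                findings.append(("TOO_LONG", f"{kind} string #{i} exceeds {MAX_LEN} characters"))

    if not cfg.get("write_managers"):
        findings.append(("NO_WRITE_MANAGER", "any management station can modify MIB objects"))
    if not cfg.get("trap_managers"):
        findings.append(("NO_TRAP_MANAGER", "no traps are issued, whatever is enabled"))
    if not cfg.get("auth_trap", True):
        findings.append(("AUTH_TRAP_OFF", "invalid community strings raise no trap"))
    if not cfg.get("address_violation_trap", True):
        findings.append(("ADDR_TRAP_OFF", "secure-port violations raise no trap"))
    return findings


# Constructed sample configurations (addresses from the 192.0.2.0/24 documentation range).
FACTORY_LIKE = {
    "read_communities": ["public"],
    "write_communities": ["private", "ops@es01"],
    "write_managers": [],
    "trap_managers": [],
    "auth_trap": True,
    "address_violation_trap": False,
}
HARDENED = {
    "read_communities": ["ro-9f3k-mon"],
    "write_communities": ["rw-77qz-adm"],
    "write_managers": ["192.0.2.10"],
    "trap_managers": [("192.0.2.10", "trap-x2")],
    "auth_trap": True,
    "address_violation_trap": True,
}

if __name__ == "__main__":
    for code, detail in audit_snmp(FACTORY_LIKE):
        print(f"{code}: {detail}")
```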
Changing the Spanning-Tree Protocol Settings
The Spanning-Tree Protocol (STP) constructs network topologies that do not contain loops. When the network configuration changes, STP transparently reconfigures bridges and switches to avoid the creation of loops. STP avoids loops by placing ports in a forwarding or blocking state and establishes redundant paths (in the event of lost connections).
The following are two examples for using STP:
• Redundant connectivity—You can create a redundant backbone with STP by connecting two of the ports on a switch to another device or to two different devices. STP automatically disables one port but enables it if the other port is lost. If one link is high-speed and the other low-speed, STP uses the high-speed link. If the speed of the two links is the same, the port priority and port ID are added together, and the link with the lowest value is disabled.
• Accelerated address aging—Dynamic addresses are aged and dropped from the address table after a configurable period of time. The default for aging dynamic addresses is 5 minutes. However, a reconfiguration of the spanning tree can cause many station locations to change. Because this could mean that many stations are unreachable for 5 minutes or more, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated-aging value is the same as the forward-delay parameter value when STP reconfigures.
A separate spanning-tree instance runs on each bridge group, and each bridge group participates in a separate spanning tree. Each switch in a spanning tree adopts the Hello, Max age, and Delay parameters of the root bridge regardless of how it is configured. Overlapping ports (ports that belong to more than one bridge group) participate in all spanning trees to which they belong. All ports on the switch support STP, and STP is managed through the standard Bridge MIB.
Note: From the switch manager, you can only configure the STP settings for bridge group 1 (the management bridge group) or VLAN 1 (the management VLAN).
Overlapping ports should be connected to end nodes only, not to other bridges. To configure the STP settings for other bridge groups on the switch, use the on the management console.
For more information about bridge groups and to configure bridge groups, see the and the "Spanning Tree Configuration Menu" on page 31. For information about VLANs, refer to the Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide.
To display the (), click STP on the menu bar.
Figure 3-8 Spanning-Tree Management Page
Enabling or Disabling Spanning-Tree Protocol