-
Catalyst 5000 Family Software Configuration Guide (6.3 and 6.4)
-
Index
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Configuring the Switch IP Address and Default Gateway
-
Using Redundant Supervisor Engines
-
Configuring Ethernet and Fast Ethernet Switching
-
Configuring Gigabit Ethernet Switching
-
Configuring Fast EtherChannel and Gigabit EtherChannel
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast
-
Configuring VTP
-
Configuring VLANs
-
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Configuring GVRP
-
Configuring QoS
-
Configuring Multicast Services
-
Configuring Broadcast/Multicast Suppression
-
Configuring Port Security
-
Configuring the IP Permit List
-
Configuring Protocol Filtering
-
Checking Port Status and Connectivity
-
Configuring CDP
-
Using Switch TopN Reports
-
Configuring UDLD
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN
-
Configuring the Network Analysis Module
-
Administering the Switch
-
Configuring Switch Access Using AAA
-
Modifying the Switch Boot Configuration
-
Using the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring NTP
-
Configuring FDDI/CDDI Switching
-
Configuring FDDI 802.10 Trunks
-
Configuring Token Ring Switching
-
Configuring Token Ring Filters
-
Acronyms
-
Table Of Contents
Checking Port Status and Connectivity
Using Secure Shell Encryption for Telnet Sessions
Understanding Layer 2 Traceroute
Checking Port Status and Connectivity
This chapter describes how to check switch port status and connectivity on the Catalyst enterprise LAN switches.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 5000 Family Command Reference.
This chapter consists of these sections:
•
Checking Module Status
The Catalyst enterprise LAN switches are multimodule systems. You can see what modules are installed, as well as the MAC address ranges and version numbers for each module, using the show module [mod_num] command. Specify a particular module number to see detailed information on that module.
Note
This example shows how to check module status on a Catalyst 5000 family switch. The output shows that there are two supervisor engine modules (one in standby mode), four additional modules (including an RSM/VIP2 in slots 4 and 5 and a two-slot 10BASE-T Ethernet module in slots 9 and 10), and a LightStream 1010 ASP installed in the chassis.
Console> (enable) show moduleMod Slot Ports Module-Type Model Status--- ---- ----- ------------------------- ------------------- --------1 1 4 100BaseFX MMF Supervisor WS-X5530 ok2 2 4 100BaseFX MMF Supervisor WS-X5530 standby4 4 Route Switch Ext Port5 5 1 Route Switch WS-X5302 ok7 7 1 Network Analysis/RMON WS-X5380 ok8 8 1 MM OC-3 ATM WS-X5155 ok9 9 10/100BaseTX Ethernet Ext WS-X523810 10 48 10/100BaseTX Ethernet WS-X5238 ok13 13 ASP/SRPMod Module-Name Serial-Num--- ------------------- --------------------1 000074515862 0001211499245 000074607577 000081754758 000034148559 0001157801410 00011578014Mod MAC-Address(es) Hw Fw Sw--- -------------------------------------- ------ ---------- -----------------1 00-e0-4f-ac-b0-00 to 00-e0-4f-ac-b3-ff 1.3 3.1.2 5.1(1)1 00-e0-1e-9b-2e-00 to 00-e0-1e-9b-31-ff 1.3 3.1.2 5.1(1)5 00-e0-1e-91-d5-14 to 00-e0-1e-91-d5-15 5.0 20.7 11.3(3a)WA4(5)7 00-e0-14-10-18-00 0.100 4.1.1 4.3(0.31)8 00-e0-1e-a9-20-b9 1.2 1.3 3.2(7)10 00-50-0f-08-c3-f0 to 00-50-0f-08-c4-1f 0.1 5.3(1)B 5.1(1)Mod Sub-Type Sub-Model Sub-Serial Sub-Hw--- -------- --------- ---------- ------1 NFFC WS-F5521 0011462777 1.11 uplink WS-U5538 0011464723 2.02 NFFC WS-F5521 0008936340 1.12 uplink WS-U5538 0007464204 2.0Console> (enable)This example shows how to check module status on a specific module:
Console> (enable) show module 4Mod Slot Ports Module-Type Model Status--- ---- ----- ------------------------- ------------------- --------4 4 12 100BaseFX MM Ethernet WS-X5201R okMod Module-Name Serial-Num--- ------------------- --------------------4 Backbone Links 00007285650Mod MAC-Address(es) Hw Fw Sw--- -------------------------------------- ------ ---------- -----------------4 00-e0-1e-38-48-cc to 00-e0-1e-38-48-d7 0.2 4.1(0.53-E 5.1(1)Console> (enable)Checking Port Status
You can see summary or detailed information on the switch ports using the show port [mod[/port]] command. To see summary information on all of the ports on the switch, enter the show port command with no arguments. Specify a particular module number to see information on the ports on that module only. Enter both the module number and the port number to see detailed information about the specified port.
Note
This example shows how to see information on the ports on a specific module only:
Console> (enable) show port 3Port Name Status Vlan Level Duplex Speed Type----- ------------------ ---------- ---------- ------ ------ ----- ------------3/1 connected 10 normal full 1000 1000BaseSX3/2 connected 10 normal full 1000 1000BaseSX3/3 connected 20 normal full 1000 1000BaseSX3/4 connected 40 normal full 1000 1000BaseSX3/5 notconnect 1 normal full 1000 No GBIC3/6 notconnect 1 normal full 1000 No GBICPort Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex----- -------- ----------------- ----------------- -------- -------- -------3/1 disabled No disabled 153/2 disabled No disabled 163/3 disabled No disabled 173/4 disabled No disabled 183/5 disabled No disabled 193/6 disabled No disabled 20Port Send FlowControl Receive FlowControl RxPause TxPause Unsupportedadmin oper admin oper opcodes----- -------- -------- -------- -------- ------- ------- -----------3/1 desired on desired on 0 0 03/2 desired on desired on 0 0 03/3 desired on desired on 0 0 03/4 desired on desired on 0 0 03/5 desired off off off 0 0 03/6 desired off off off 0 0 0Port Status Channel Channel Neighbor Neighbormode status device port----- ---------- --------- ----------- ------------------------- ----------3/1 connected off not channel3/2 connected off not channel3/3 connected off not channel3/4 connected off not channel3/5 notconnect off not channel3/6 notconnect off not channelPort Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------3/1 - 0 0 0 03/2 - 0 0 0 03/3 - 0 0 0 03/4 - 0 0 0 03/5 - 0 0 0 03/6 - 0 0 0 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------3/1 0 0 0 0 0 0 03/2 0 0 0 0 0 0 03/3 0 0 0 0 0 0 03/4 0 0 0 0 0 0 03/5 0 0 0 0 0 0 03/6 0 0 0 0 0 0 0Last-Time-Cleared--------------------------Fri Apr 30 1999, 18:54:17Console> (enable)This example shows how to see information on an individual port:
Console> (enable) show port 2/1Port Name Status Vlan Level Duplex Speed Type----- ------------------ ---------- ---------- ------ ------ ----- ------------2/1 connected trunk normal full 1000 1000BaseSXPort Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex----- -------- ----------------- ----------------- -------- -------- -------2/1 disabled No disabled 9Port Send FlowControl Receive FlowControl RxPause TxPause Unsupportedadmin oper admin oper opcodes----- -------- -------- -------- -------- ------- ------- -----------2/1 desired off off off 0 0 0Port Status Channel Channel Neighbor Neighbormode status device port----- ---------- --------- ----------- ------------------------- ----------2/1 connected auto not channelPort Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------2/1 - 0 0 0 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------2/1 0 0 0 0 0 0 0Last-Time-Cleared--------------------------Tue Dec 8 1998, 13:26:01Console> (enable)Checking Port Capabilities
You can display the capabilities of any port in a switch using the show port capabilities [[mod][/port]] command.
This example shows you how to display the port capabilities for switch ports:
Console> (enable) show port capabilities 1Model WS-X5509Port 1/1Type 100BaseTXSpeed 100Duplex half,fullTrunk encap type ISLTrunk mode on,off,desirable,auto,nonegotiateChannel 1/1-2Broadcast suppression percentage(0-100)Flow control noSecurity yesMembership static,dynamicFast start yesRewrite no--------------------------------------------------------------Model WS-X5509Port 1/2Type 100BaseTXSpeed 100Duplex half,fullTrunk encap type ISLTrunk mode on,off,desirable,auto,nonegotiateChannel 1/1-2Broadcast suppression percentage(0-100)Flow control noSecurity yesMembership static,dynamicFast start yesRewrite noConsole> (enable) show port capabilities 7/1Model WS-X5014Port 7/1Type 10BaseTSpeed 10Duplex half,fullTrunk encap type noTrunk mode offChannel noBroadcast suppression percentage(0-100)Flow control noSecurity yesMembership static,dynamicFast start yesRewrite noConsole> (enable) show port capabilities 8Model WS-X5155Port 8/1Type OC3 MMF ATMSpeed 155Duplex fullTrunk encap type LANETrunk mode onChannel noBroadcast suppression noFlow control noSecurity noMembership staticFast start noRewrite noConsole> (enable)Using Telnet
You can access the switch command-line interface (CLI) using Telnet. In addition, you can use Telnet from the switch to access other devices in the network. Up to eight simultaneous Telnet sessions are possible.
Before you can open a Telnet session to the switch, you must first set the IP address (and in some cases the default gateway) for the switch. For information about setting the IP address and default gateway, see Chapter 3, "Configuring the Switch IP Address and Default Gateway."
To use Telnet to connect to another device on the network from the switch, perform this task in privileged mode:
This example shows how to connect from the switch to a remote host using Telnet:
Console> (enable) telnet labsparcTrying 172.16.10.3...Connected to labsparc.Escape character is '^]'.UNIX(r) System V Release 4.0 (labsparc)login:To change the logout timer value (the number of minutes after which an idle session is disconnected), perform this task in privileged mode:
Change the logout timer value (a timeout value of 0 prevents idle sessions from being disconnected automatically).
set logout timeout
This example shows how to set the logout timer value to 10 minutes:
Console> (enable) set logout 10Sessions will be automatically logged out after 10 minutes of idle time.Console> (enable)This example shows how to set the logout timer value to 0, preventing idle sessions from being disconnected automatically:
Console> (enable) set logout 0Sessions will not be automatically logged out.Console> (enable)Using Secure Shell Encryption for Telnet Sessions
Note
The secure shell encryption feature provides security for Telnet sessions to the switch. Secure shell encryption is supported for remote logins to the switch only. Telnet sessions initiated from the switch cannot be encrypted. To use this feature, you must install the application on the client accessing the switch, and you must configure secure shell encryption on the switch.
The current implementation of Secure Shell encryption supports SSH version 1, both the DES and 3DES encryption methods, and can be used with RADIUS and TACACS+ authentication. To configure authentication with secure shell encryption, use the telnet keyword in the set authentication commands.
Note
To enable secure shell encryption on the switch, perform this task in privileged mode:
This example shows how to create the RSA host key:
Console> (enable) set crypto key rsa 1024Generating RSA keys.... [OK]Console> (enable)The nbits value specifies the RSA key size. Valid key size range is 512 to 2048 bits. A key size with a larger number provides higher security but takes longer to generate.
Monitoring User Sessions
You can display the currently active user sessions on the switch using the show users command. The command output displays all active console port and Telnet sessions on the switch.
To display the active user sessions on the switch, perform this task in privileged mode:
This example shows the output of the show users command when local authentication is enabled for console and Telnet sessions (the asterisk [*] indicates the current session):
Console> (enable) show usersSession User Location-------- ---------------- -------------------------consoletelnet sam-pc.bigcorp.com* telnet jake-mac.bigcorp.comConsole> (enable)This example shows the output of the show users command when TACACS+ authentication is enabled for console and Telnet sessions:
Console> (enable) show usersSession User Location-------- ---------------- -------------------------console samtelnet jake jake-mac.bigcorp.comtelnet tim tim-nt.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable)This example shows how to display information about user sessions using the noalias keyword to display the IP addresses of connected hosts:
Console> (enable) show users noaliasSession User Location-------- ---------------- -------------------------consoletelnet 10.10.10.12* telnet 10.10.20.46Console> (enable)To disconnect an active user session, perform this task in privileged mode:
This example shows how to disconnect an active console port session and an active Telnet session:
Console> (enable) show usersSession User Location-------- ---------------- -------------------------console samtelnet jake jake-mac.bigcorp.comtelnet tim tim-nt.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable) disconnect consoleConsole session disconnected.Console> (enable) disconnect tim-nt.bigcorp.comTelnet session from tim-nt.bigcorp.com disconnected. (1)Console> (enable) show usersSession User Location-------- ---------------- -------------------------telnet jake jake-mac.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable)Using Ping
These sections describe how to use IP ping:
Understanding How Ping Works
You can use IP ping to test connectivity to remote hosts. If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or configure a router to route between those subnets.
The ping command is configurable from normal executive and privileged executive mode. In normal executive mode, the ping command supports the -s parameter, which allows you to specify the packet size and packet count. In privileged executive mode, the ping command allows you to specify the packet size, packet count, and the wait time.
Table 21-1 lists the ping default values.
Table 21-1 Ping Default Values
5
0=continuous ping
56
56
2
2
Host IP Address
-
Ping will return one of the following responses:
•
•
•
•
•
To stop a ping in progress, press Ctrl-C.
Executing Ping
To ping another device on the network from the switch, perform one of these tasks in normal or privileged mode:
Ping a remote host.
ping host
Ping a remote host using ping options.
ping -s host [packet_size] [packet_count]
This example shows how to ping a remote host from normal executive mode:
Console> ping labsparclabsparc is aliveConsole>ping 72.16.10.312.16.10.3 is aliveConsole>This example shows how to ping a remote host using the ping -s option:
Console> ping -s 12.20.5.3 800 10PING 12.20.2.3: 800 data bytes808 bytes from 12.20.2.3: icmp_seq=0. time=2 ms808 bytes from 12.20.2.3: icmp_seq=1. time=3 ms808 bytes from 12.20.2.3: icmp_seq=2. time=2 ms808 bytes from 12.20.2.3: icmp_seq=3. time=2 ms808 bytes from 12.20.2.3: icmp_seq=4. time=2 ms808 bytes from 12.20.2.3: icmp_seq=5. time=2 ms808 bytes from 12.20.2.3: icmp_seq=6. time=2 ms808 bytes from 12.20.2.3: icmp_seq=7. time=2 ms808 bytes from 12.20.2.3: icmp_seq=8. time=2 ms808 bytes from 12.20.2.3: icmp_seq=9. time=3 ms----17.20.2.3 PING Statistics----10 packets transmitted, 10 packets received, 0% packet lossround-trip (ms) min/avg/max = 2/2/3Console>This example shows how to enter a ping command in privileged mode specifying the number of packets, the packet size, and the timout period:
Console> (enable) pingTarget IP Address []: 12.20.5.19Number of Packets [5]: 10Datagram Size [56]: 100Timeout in seconds [2]: 10Source IP Address [12.20.2.18]: 12.20.2.18!!!!!!!!!!----12.20.2.19 PING Statistics----10 packets transmitted, 10 packets received, 0% packet lossround-trip (ms) min/avg/max = 1/1/1Console> (enable)Using Layer 2 Traceroute
These sections describe how to use Layer 2 traceroute:
•
Understanding Layer 2 Traceroute
The Layer 2 traceroute utility allows you to identify the physical path that a packet takes when going from a source to a destination. The Layer 2 traceroute utility determines the path by looking at the forwarding engine tables of the switches in the path.
Information is displayed about all Catalyst 5000 family switches that are in the path from the source to the destination.
Configuration Guidelines
Follow these configuration guidelines when using the Layer 2 traceroute utility:
•
•
•
•
•
•
•
•
Executing Layer 2 Traceroute
To identify a Layer 2 path, perform one of these tasks in privileged mode.
This example shows the source and destination MAC addresses specified, with no VLAN specified, and the detail option specified. For each Catalyst 5000 family switch found in the path, the output shows the device type, device name, device IP address, in port name, in port speed, in port duplex mode, out port name, out port speed, and out port duplex mode.
Console> (enable) l2trace 00-01-22-33-44-55 10-22-33-44-55-66 detaill2trace vlan number is 10.00-01-22-33-44-55 found in C5500 named wiring-1 on port 4/1 10Mb half duplexC5500:wiring-1:192.168.242.10:4/1 10Mb half duplex -> 5/2 100MB full duplexC5000:backup-wiring-1:192.168.242.20:1/1 100Mb full duplex -> 3/1 100MB full duplexC5000:backup-core-1:192.168.242.30:4/1 100 MB full duplex -> 1/1 100MB full duplexC6000:core-1:192.168.242.40:1/1 100MB full duplex -> 2/1 10MB half duplex.10-22-33-44-55-66 found in C6000 named core-1 on port 2/1 10MB half duplex.Console> (enable)Using IP Traceroute
These sections describe how to use IP traceroute:
Understanding IP Traceroute
You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
Switches can participate as the source or destination of the traceroute command but will not appear as a hop in the traceroute command output.
The traceroute command uses the time-to-live (TTL) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an Internet Control Message Protocol (ICMP) time-exceeded message to the sender. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum TTL is reached).
To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source. This message indicates to the traceroute facility that it has reached the destination.
Executing IP Traceroute
To trace the path that packets take through the network, perform this task in privileged mode:
This example shows how to use the traceroute command:
Console> (enable) traceroute 10.1.1.100traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 40 byte packets1 10.1.1.1 (10.1.1.1) 1 ms 2 ms 1 ms2 10.1.1.100 (10.1.1.100) 2 ms 2 ms 2 msConsole> (enable)This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each:
Console> (enable) traceroute -q 6 10.1.1.100 1400traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 1440 byte packets1 10.1.1.1 (10.1.1.1) 2 ms 2 ms 2 ms 1 ms 2 ms 2 ms2 10.1.1.100 (10.1.1.100) 2 ms 4 ms 3 ms 3 ms 3 ms 3 msConsole> (enable)
