Table Of Contents
Checking Status and Connectivity
Checking the Module Status
Checking the Port Status
Displaying the Port MAC Address
Displaying the Duplicate MAC Entries in the CAM Table
Displaying Port Capabilities
Configuring the MAC Utilization Load Interval
Overview
Setting the MAC Utilization Load Interval
Displaying MAC Utilization Statistics
Clearing MAC Utilization Counters
Checking the 10-Gigabit Ethernet Link Status
Checking the Cable Status Using TDR
Using Telnet
Using Secure Shell Encryption for Telnet Sessions
Monitoring User Sessions
Using Ping
Understanding How Ping Works
Executing Ping
Using Layer 2 Traceroute
Layer 2 Traceroute Usage Guidelines
Identifying a Layer 2 Path
Using IP Traceroute
Understanding How IP Traceroute Works
Executing IP Traceroute
Using System Warnings on Port Counters
Executing System Warnings on Port Counters
Backplane Traffic
Low Remaining Memory
Detected Memory Corruption
NVRAM Logs
Inband Errors
UDP Errors
Executing Hardware Level Warnings on Port Counters
Executing Spanning-Tree Warnings on Port Counters
Blocking to Listening Transitions
BPDU Skewing
SNMP
Configuring Packet-Buffer Error Handling
Configuring EtherChannel/Link Error Handling
Configuring IEEE 802.3ah Ethernet OAM
Overview
Ethernet OAM Configuration Guidelines and Restrictions
Executing Ethernet OAM
Enabling or Disabling Ethernet OAM
Specifying the Ethernet OAM Port Mode
Denying or Permitting Ethernet OAM Remote Loopback Tests
Enabling or Disabling the Ethernet OAM Remote Loopback Test
Specifying the Number of Packets and the Packet Size for the Ethernet OAM Remote Loopback Test and Running the Test
Enabling or Disabling Ethernet OAM Link Monitoring
Specifying the Window Size for Link Events for Ethernet OAM Link Monitoring
Specifying the Low-Threshold Error Count and the Associated Action for Ethernet OAM Link Monitoring
Specifying the High-Threshold Error Count and the Associated Action for Ethernet OAM Link Monitoring
Specifying the Associated Action for OAM Critical Link Events
Clearing Ethernet OAM Statistics and the Ethernet OAM Configuration
Clearing User-Configured Parameters for OAM Link Monitoring
Clearing User-Configured Actions for OAM Critical Link Events
Displaying Ethernet OAM-Related Information
Displaying Ethernet OAM Neighbor Information
Displaying Ethernet OAM Remote Loopback Test Information
Displaying Ethernet OAM Statistics
Configuring Metro Ethernet CFM
Overview
Implementing Metro Ethernet CFM
Enabling or Disabling Metro Ethernet CFM
Clearing a Metro Ethernet CFM
Configuring Metro Ethernet CFM Maintenance Points
Configuring Metro Ethernet CFM Domains
Configuring a Metro Ethernet CFM Continuity Check
Displaying Metro Ethernet CFM Maintenance Point Information
Displaying the Metro Ethernet CFM Status
Displaying Metro Ethernet CFM Domains
Displaying Metro Ethernet CFM Statistics
Displaying Metro Ethernet CFM Port Status
Displaying Metro Ethernet CFM Port VLAN Status
Displaying Metro Ethernet CFM Errors
Configuring MAC Address Move Counters
Overview
MAC Address Move Counter Configuration Guidelines and Restrictions
MAC Address Move Counter syslog Generation
Detecting MAC Address Moves
Exceeding the Maximum Limit for MAC Address Move Counters for a VLAN
Executing MAC Address Move Counters
Enabling or Disabling MAC Address Move Counters
Displaying MAC Address Move Counter Statistics
Clearing MAC Address Move Counter Statistics
Digital Optical Monitoring
Displaying Transceiver Information
Displaying General Port Transceiver Information
Displaying Detailed Transceiver Information
Displaying Transceiver Threshold Violations
Displaying Port Transceiver Information
Displaying Port Transceiver Configuration Information
Setting Transceiver Monitoring and Thresholds
Enabling or Disabling Transceiver Monitoring
Setting the Transceiver Monitoring Interval
Setting the Transceiver Temperature Threshold
Checking Status and Connectivity
This chapter describes how to check the status and connectivity on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
This chapter consists of these sections:
• Checking the Module Status
• Checking the Port Status
• Displaying the Port MAC Address
• Displaying the Duplicate MAC Entries in the CAM Table
• Displaying Port Capabilities
• Configuring the MAC Utilization Load Interval
• Checking the 10-Gigabit Ethernet Link Status
• Checking the Cable Status Using TDR
• Using Telnet
• Using Secure Shell Encryption for Telnet Sessions
• Monitoring User Sessions
• Using Ping
• Using Layer 2 Traceroute
• Using IP Traceroute
• Using System Warnings on Port Counters
• Configuring Packet-Buffer Error Handling
• Configuring EtherChannel/Link Error Handling
• Configuring IEEE 802.3ah Ethernet OAM
• Configuring Metro Ethernet CFM
• Configuring MAC Address Move Counters
Checking the Module Status
Catalyst 6500 series switches are multimodule systems. You can see what modules are installed and the MAC address ranges and version numbers for each module using the show module [mod] command. Specify a particular module number to see detailed information on that module.
To check the module status, perform this task in normal mode:
Task                      Command
------------------------  -----------------
Check the module status.  show module [mod]
This example shows how to check the module status. The output shows that there is one supervisor engine and four additional modules that are installed in the chassis.
Console> (enable) show module
Mod Slot Ports Module-Type Model Status
--- ---- ----- ------------------------- ------------------- --------
1 1 2 1000BaseX Supervisor WS-X6K-SUP1-2GE ok
2 2 24 100BaseFX MM Ethernet WS-X6224-100FX-MT ok
3 3 8 1000BaseX Ethernet WS-X6408-GBIC ok
4 4 48 10/100BaseTX (Telco) WS-X6248-TEL ok
5 5 48 10/100BaseTX (RJ-45) WS-X6248-RJ-45 ok
Mod Module-Name Serial-Num
--- ------------------- -----------
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
1 00-50-f0-a8-26-b2 to 00-50-f0-a8-26-b3 1.4 5.1(1) 5.2(1)CSX
00-50-f0-a8-26-b0 to 00-50-f0-a8-26-b1
00-50-3e-8d-64-00 to 00-50-3e-8d-67-ff
2 00-50-54-6c-e9-a8 to 00-50-54-6c-e9-bf 1.3 4.2(0.24)V 5.2(1)CSX
3 00-50-54-6c-93-6c to 00-50-54-6c-93-73 1.4 4.2(0.24)V 5.2(1)CSX
4 00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103 4.2(0.24)V 5.2(1)CSX
5 00-50-f0-ac-30-54 to 00-50-f0-ac-30-83 1.0 4.2(0.24)V 5.2(1)CSX
Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- ----------------------- ------------------- ----------- ------
1 L2 Switching Engine I WS-F6020 SAD03040312 1.0
This example shows how to check the module status on a specific module:
Console> (enable) show module 4
Mod Slot Ports Module-Type Model Status
--- ---- ----- ------------------------- ------------------- --------
4 4 48 10/100BaseTX (Telco) WS-X6248-TEL ok
Mod Module-Name Serial-Num
--- ------------------- -----------
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
4 00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103 4.2(0.24)V 5.2(1)CSX
Checking the Port Status
You can see summary or detailed information on the switch ports using the show port [mod[/port]] command. To see summary information on all of the ports on the switch, enter the show port command with no arguments. Specify a particular module number to see information on the ports on that module only. Enter both the module number and the port number to see detailed information about the specified port.
To apply configuration commands to a particular port, you must specify the appropriate logical module. For more information, see the "Checking the Module Status" section.
To check the port status, perform this task in normal mode:
Task                    Command
----------------------  ----------------------
Check the port status.  show port [mod[/port]]
This example shows how to see information on the ports on a specific module only:
Console> (enable) show port 1
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1 connected 1 full 1000 1000BaseSX
1/2 notconnect 1 full 1000 1000BaseSX
Port Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1 disabled No disabled 3
1/2 disabled No disabled 4
Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
Port Send FlowControl Receive FlowControl RxPause TxPause
----- -------- -------- -------- -------- ---------- ----------
1/1 desired off off off 0 0
1/2 desired off off off 0 0
Port Status Channel Admin Ch Neighbor Neighbor
Mode Group Id Device Port
----- ---------- --------- ----- ----- ----------------------------------- -----
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
--------------------------
This example shows how to see information on an individual port:
Console> (enable) show port 1/1
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1 connected 1 full 1000 1000BaseSX
Port Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1 disabled No disabled 3
Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
Port Send FlowControl Receive FlowControl RxPause TxPause
----- -------- -------- -------- -------- ---------- ----------
1/1 desired off off off 0 0
Port Status Channel Admin Ch Neighbor Neighbor
Mode Group Id Device Port
----- ---------- --------- ----- ----- ----------------------------------- -----
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
--------------------------
Displaying the Port MAC Address
In addition to displaying the MAC address range for a module using the show module command, you can display the MAC address of a specific port in the switch using the show port mac-address [mod[/port]] command.
To display the MAC address of a specific port, perform this task in normal mode:
Task                                         Command
-------------------------------------------  ----------------------------------
Display the MAC address of a specific port.  show port mac-address [mod[/port]]
This example shows how to display the MAC address of a specific port:
Console> show port mac-address 4/1
----- ----------------------
This example shows how to display the MAC addresses of all ports on a module:
Console> show port mac-address 4
----- ----------------------
Displaying the Duplicate MAC Entries in the CAM Table
You can track multiple E-LAN VLANs and VLAN loops using the MAC duplication indicator (&) displayed next to the MAC entries that appear more than once in the CAM table.
To display the duplicate MAC entries in the CAM table, perform these tasks in enabled mode:
Task                                                                      Command
------------------------------------------------------------------------  -----------------------------
Display all duplicate MAC addresses in the CAM table.                     show cam duplicate
Display only the dynamic MAC addresses with the duplicate indicator (&).  show cam dynamic [mod[/port]]
The show cam static and show cam permanent commands also display MAC entries with the duplicate indicator (&).
This example shows how to display all duplicate MAC entries in the CAM table:
Console> (enable) show cam duplicate
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port
Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry & = Duplicate MAC entry
VLAN Dest MAC/Route Des [CoS] Age VCs / [Protocol Type]
---- ------------------ ----- ---------- ---------------------
42 00-d0-02-83-eb-89 & 3/3
142 00-d0-02-83-eb-89 & 5/3
42 d8-d9-02-83-ef-ff & 2/3
3 d8-d9-02-83-ef-ff & 3/4
Total Matching CAM Entries Displayed = 2
========================================================================
Note
If the show cam duplicate command delays the printing of duplicate entries, some of the entries might age out before the print operation is complete.
This example shows how to display only the dynamic MAC addresses with the duplicate indicator (&):
Console> (enable) show cam dynamic
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port
Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry & = Duplicate MAC entry
VLAN Dest MAC/Route Des [CoS] Age VCs / [Protocol Type]
---- ------------------ ----- ---------- ---------------------
142 00-d0-02-94-4f-ff 5/4
142 00-d0-02-83-eb-ff & 5/3
Total Matching CAM Entries Displayed = 3
=========================================================================
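The duplicate indicator is printed only for entries the switch marks as duplicates at display time, and entries can age out while the output is still printing (see the note above). If you capture show cam dynamic output to a file on a schedule, the same check can be repeated offline. The following Python script is added here as an example and is not code from the original page: it parses a constructed sample of the output, groups entries by MAC address, and reports every MAC learned on more than one port or VLAN, distinguishing the same-VLAN case (a possible loop, MAC move, or spoofed source address) from the multi-VLAN case. The sample entries and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of CatOS "show cam dynamic" output (not captured from a
# real switch). "&" is the switch's own duplicate marker; the last two rows
# were added to show a same-VLAN duplicate that the switch may not mark yet.
SAMPLE_SHOW_CAM = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port
Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry & = Duplicate MAC entry
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
42    00-d0-02-83-eb-89       &    3/3
142   00-d0-02-83-eb-89       &    5/3
42    d8-d9-02-83-ef-ff       &    2/3
3     d8-d9-02-83-ef-ff       &    3/4
142   00-d0-02-94-4f-ff            5/4
10    00-11-22-33-44-55            4/1
10    00-11-22-33-44-55            4/7
Total Matching CAM Entries Displayed = 7
"""

# One CAM row: VLAN, dashed MAC, optional entry-type flags, mod/port.
CAM_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+"
    r"(?P<flags>[*+#RX$M&]*)\s*"
    r"(?P<port>\d+/\d+)\s*$",
    re.IGNORECASE,
)


def parse_cam(text):
    """Return a list of (vlan, mac, flags, port) tuples; legend and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["flags"], m["port"]))
    return entries


def find_duplicates(entries):
    """Map each MAC seen at more than one (vlan, port) location to its sorted location list."""
    seen = defaultdict(set)
    for vlan, mac, _flags, port in entries:
        seen[mac].add((vlan, port))
    return {mac: sorted(locs) for mac, locs in seen.items() if len(locs) > 1}


def classify(locs):
    """Explain why a MAC appears more than once, based on how its VLANs and ports differ."""
    vlans = {v for v, _ in locs}
    ports = {p for _, p in locs}
    if len(ports) > 1 and len(vlans) == 1:
        return "same VLAN, multiple ports: possible loop, MAC move, or spoofed source"
    if len(ports) > 1:
        return "multiple VLANs and ports: check for bridged or leaked VLANs"
    return "same port in multiple VLANs: usually benign (trunk or router port)"


def report(text):
    """Return one line per duplicate MAC, suitable for a syslog or ticket."""
    dups = find_duplicates(parse_cam(text))
    return [f"{mac} at {locs}: {classify(locs)}" for mac, locs in sorted(dups.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_CAM):
        print(line)
```

Run it against a saved capture instead of SAMPLE_SHOW_CAM to compare successive snapshots; a MAC that keeps changing port within one VLAN is the pattern worth alerting on.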
Displaying Port Capabilities
You can display the capabilities of any port in a switch using the show port capabilities [mod[/port]] command.
To display the capabilities of a specific port, perform this task in normal mode:
Task                                          Command
--------------------------------------------  -----------------------------------
Display the capabilities of a specific port.  show port capabilities [mod[/port]]
This example shows how to display the port capabilities for switch ports:
Console> (enable) show port capabilities 1/1
Trunk encap type 802.1Q,ISL
Trunk mode on,off,desirable,auto,nonegotiate
Broadcast suppression percentage(0-100)
Flow control receive-(off,on,desired),send-(off,on,desired)
Membership static,dynamic
QOS scheduling rx-(1p1q4t),tx-(1p2q2t)
Configuring the MAC Utilization Load Interval
This section consists of the following topics:
• Overview
• Setting the MAC Utilization Load Interval
• Displaying MAC Utilization Statistics
• Clearing MAC Utilization Counters
Overview
The show mac utilization command displays the packet rate, bit rate, and octet rate per port, per module, and per VLAN, based on the load-interval. You can set the load-interval to either 30 or 300 seconds. You can also clear the MAC utilization counters on a port, range of ports, or for all ports in a module.
Setting the MAC Utilization Load Interval
You can set the MAC utilization load-interval to 30 or 300 seconds. The default is 300 seconds.
To set the MAC utilization load interval, perform this task in enabled mode:
Task                                    Command
--------------------------------------  -----------------------------------------
Set the MAC utilization load interval.  set mac utilization load-interval seconds
This example shows how to set the MAC utilization load interval to 30 seconds:
Console> (enable) set mac utilization load-interval 30
Load interval set to 30 seconds.
Displaying MAC Utilization Statistics
To display MAC utilization statistics, perform this task in enabled mode:
Task                                 Command
-----------------------------------  -------------------------------------------------
Display MAC utilization statistics.  show mac utilization [vlan number] | [mod[/port]]
Note
The averages that show mac utilization displays need time to converge on the actual packet input rate: about 2 minutes with a 30-second load interval and about 22 minutes with a 300-second load interval. Rates read before then are still settling.
This example shows how to display the MAC utilization statistics globally:
Console> (enable) show mac utilization
30 seconds input/output port rates:
Port Xmit-Packet-Rate Xmit-Octet-Rate Xmit-Bit-Rate
----- -------------------- -------------------- --------------------
2/1 555351 71088003 568704024
2/2 555351 71088110 568704880
2/3 555350 71088002 568704016
2/14 555351 71088050 568704400
2/15 555350 71088001 568704008
2/16 555351 71088042 568704336
12/3 614539 921816483 7374531864
13/1 33960 50941147 407529176
13/2 33960 50941151 407529208
13/3 33960 50941190 407529520
Port Rcv-Packet-Rate Rcv-Octet-Rate Rcv-Bit-Rate
----- -------------------- -------------------- --------------------
2/1 845671 108247607 865980856
2/2 555384 71090299 568722392
2/3 555384 71090397 568723176
2/4 555384 71090295 568722360
2/5 555384 71090401 568723208
2/6 555384 71090296 568722368
2/16 845671 108247597 865980776
12/1 614201 921296589 7370372712
12/2 614198 921301441 7370411528
13/1 82362 123544992 988359936
13/21 33960 50941535 407532280
13/22 33960 50940833 407526664
13/23 33960 50941552 407532416
This example shows how to display the MAC utilization statistics for a vlan:
Console> (enable) show mac utilization vlan 100
300 seconds input/output port rates:
Port Xmit-Packet-Rate Xmit-Octet-Rate Xmit-Bit-Rate
----- -------------------- -------------------- --------------------
13/1 33925 50886135 407089080
13/26 33924 50885801 407086408
Port Rcv-Packet-Rate Rcv-Octet-Rate Rcv-Bit-Rate
----- -------------------- -------------------- --------------------
13/1 82278 123414184 987313472
13/26 33927 50887092 407096736
This example shows how to display MAC utilization statistics for a module:
Console> (enable) show mac utilization 12
30 seconds input/output port rates:
Port Xmit-Packet-Rate Xmit-Octet-Rate Xmit-Bit-Rate
----- -------------------- -------------------- --------------------
12/1 396702 594010991 4752087928
12/2 395978 593964837 4751718696
12/3 412889 619338738 4954709904
12/4 396693 418773370 3350186960
Port Rcv-Packet-Rate Rcv-Octet-Rate Rcv-Bit-Rate
----- -------------------- -------------------- --------------------
12/1 412891 619344814 4954758512
12/2 412891 619340051 4954720408
12/3 395978 593964450 4751715600
12/4 405223 425521134 3404169072
This example shows how to display MAC utilization statistics for a port:
Console> (enable) show mac utilization 12/1
30 seconds input/output port rates:
Port Xmit-Packet-Rate Xmit-Octet-Rate Xmit-Bit-Rate
----- -------------------- -------------------- --------------------
12/1 405825 607683712 4861469696
Port Rcv-Packet-Rate Rcv-Octet-Rate Rcv-Bit-Rate
----- -------------------- -------------------- --------------------
12/1 408276 612401845 4899214760
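The Xmit-Bit-Rate and Rcv-Bit-Rate columns are eight times the corresponding octet rates, so a port's utilization is its bit rate divided by the link speed. The following Python script is added here as an example and is not code from the original page: it parses a constructed sample of show mac utilization output, checks the octet-to-bit relationship as a sanity test on the capture, and flags any direction of any port above a threshold. The per-port link speeds (1 Gb/s for 2/1, 10 Gb/s for 12/3) and the 70 percent threshold are assumptions; on a real switch the speed comes from the Speed column of show port.

```python
import re

# Constructed sample of "show mac utilization" output (not captured from a
# real switch). The first two rows reuse values from the examples above.
SAMPLE_UTIL = """\
30 seconds input/output port rates:
Port   Xmit-Packet-Rate   Xmit-Octet-Rate   Xmit-Bit-Rate
-----  ----------------   ---------------   -------------
2/1    555351             71088003          568704024
12/3   614539             921816483         7374531864
Port   Rcv-Packet-Rate    Rcv-Octet-Rate    Rcv-Bit-Rate
-----  ----------------   ---------------   -------------
2/1    845671             108247607         865980856
12/3   30                 1920              15360
"""

# Assumed link speeds in bit/s for the sample ports; take these from
# "show port" in a real deployment rather than hard-coding them.
LINK_SPEED_BPS = {"2/1": 1_000_000_000, "12/3": 10_000_000_000}

ROW = re.compile(r"^\s*(?P<port>\d+/\d+)\s+(?P<pkts>\d+)\s+(?P<octets>\d+)\s+(?P<bits>\d+)\s*$")


def parse_utilization(text):
    """Return {port: {"xmit": (pkts, octets, bits), "rcv": (...)}}.

    The direction of each row is taken from the most recent column header,
    and a row whose bit rate is not 8 x its octet rate is rejected as a bad capture.
    """
    stats = {}
    direction = None
    for line in text.splitlines():
        if line.startswith("Port"):
            direction = "xmit" if "Xmit" in line else "rcv"
            continue
        m = ROW.match(line)
        if m and direction:
            pkts, octets, bits = int(m["pkts"]), int(m["octets"]), int(m["bits"])
            if bits != octets * 8:
                raise ValueError(f"inconsistent counters on {m['port']}: {bits} != 8*{octets}")
            stats.setdefault(m["port"], {})[direction] = (pkts, octets, bits)
    return stats


def utilization_pct(stats, speeds):
    """Per-port, per-direction utilization as a percentage of link speed (ports of unknown speed skipped)."""
    out = {}
    for port, dirs in stats.items():
        speed = speeds.get(port)
        if speed is None:
            continue
        out[port] = {d: round(100.0 * v[2] / speed, 1) for d, v in dirs.items()}
    return out


def flag_ports(util, threshold_pct=70.0):
    """Sorted (port, direction, pct) triples at or above the threshold."""
    return sorted(
        (p, d, pct) for p, dirs in util.items() for d, pct in dirs.items() if pct >= threshold_pct
    )


if __name__ == "__main__":
    util = utilization_pct(parse_utilization(SAMPLE_UTIL), LINK_SPEED_BPS)
    for port, direction, pct in flag_ports(util):
        print(f"{port} {direction} {pct}% of link speed")
```

Because the figures are load-interval averages, a short burst is smoothed out; for saturation or exfiltration alerting, sample on the 30-second interval and alert on consecutive readings rather than a single one.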
Clearing MAC Utilization Counters
To clear the MAC utilization counters, perform this task in enabled mode:
Task                                 Command
-----------------------------------  ----------------------------------
Clear the MAC utilization counters.  clear mac utilization [mod[/port]]
This example shows how to clear the MAC utilization counters for a port:
Console> (enable) clear mac utilization 1/1
Mac utilization counters are cleared for the port 1/1.
This example shows how to clear the MAC utilization counters for a module:
Console> (enable) clear mac utilization 1
Module 1 mac utilization counters are cleared.
This example shows how to clear the MAC utilization counters globally:
Console> (enable) clear mac utilization
Mac utilization counters are cleared.
Checking the 10-Gigabit Ethernet Link Status
Cable diagnostics allow you to activate the pseudorandom binary sequence (PRBS) test on the 10-Gigabit Ethernet links.
Note
The PRBS test is currently available on the 1-port 10GBASE-E serial 10-Gigabit Ethernet module (WS-X6502-10GE).
To run the PRBS test properly between two devices, you must start it on both ends of the cable. If the cable is looped back, a single end can generate the test sequence (on the Tx), verify the test sequence, and count the errors (at the Rx).
Before the PRBS test starts, the port is automatically put in errdisable state. The errdisable timeout is disabled for the port so that the port is not automatically reenabled after the timeout interval ends. The errdisable timeout is automatically reenabled on the port after the PRBS test finishes.
When the PRBS test is running, the system does not permit you to enter the set port enable and set port disable commands.
The PRBS error counter measures the reliability of the cable. The error counter range is 0 to 255. A value of 0 signifies a perfect link connection; a value of 255 signifies that the port is faulty, not connected, or that there is no communication through the link. If the counter does not remain at 0 for a predetermined length of time, the link is faulty. For example, to demonstrate a bit error rate (BER) of 10^-12 on a 10-Gigabit link, the counter should remain at 0 for 100 seconds.
Each time that you access the PRBS counter by entering the show port prbs command, the PRBS error counter value is reset to 0, and the counter begins to accumulate errors again.
Note
The PRBS counter is a "read and clear" register. The first reading in a sequence is usually unreliable and serves primarily to purge the counter; successive readings are accurate.
To start or stop the PRBS test, perform this task in privileged mode:
Step  Task                                     Command
----  ---------------------------------------  ---------------------------------------------------
1     Start or stop the PRBS test.             test cable-diagnostics prbs {start | stop} mod/port
2     Show the PRBS test counter information.  show port prbs
This example shows how to start the PRBS test on port 1 on module 5:
Console> (enable) test cable-diagnostics prbs start 5/1
PRBS cable-diagnostic test started on port 5/1.
This example shows how to stop the PRBS test on port 1 on module 5:
Console> (enable) test cable-diagnostics prbs stop 5/1
PRBS cable-diagnostic test stopped on port 5/1.
This example shows the message that displays when the PRBS test is not supported on a module:
Console> (enable) test cable-diagnostics prbs start 6/1
Feature not supported on module 6.
This example shows how to display the PRBS counter values and the ports that are running the PRBS test:
Console> (enable) show port prbs
Port PRBS state Error Counters
Console> (enable)
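The 100-second figure above follows from the line rate: at one error per 10^12 bits, a 10 Gb/s link is expected to show one error every 100 seconds, so a counter that stays at 0 for that long is evidence the link meets the target. The following Python helpers are added here as an example and are not code from the original page: they derive that window from a BER target and a line rate, then judge a sequence of read-and-clear counter readings, discarding the first reading as the note above recommends and treating a saturated 255 as a fault. The readings and the 10 Gb/s line rate are constructed assumptions; in practice the readings come from repeated show port prbs output at a fixed polling interval.

```python
def required_zero_window_s(target_ber, line_rate_bps):
    """Seconds the PRBS error counter must stay at 0 to show the link meets target_ber.

    At exactly the target BER, one error is expected every 1/(BER * rate) seconds,
    so observing zero errors for that long is the minimum evidence of compliance.
    """
    return 1.0 / (target_ber * line_rate_bps)


def evaluate_prbs(readings, window_s, poll_interval_s):
    """Judge a link from successive read-and-clear PRBS counter values (0-255).

    readings: counter values in poll order, one per poll_interval_s seconds.
    The first reading only purges the counter and is discarded.
    Returns (verdict, detail) with verdict in {"ok", "faulty", "insufficient"}.
    """
    if len(readings) < 2:
        return "insufficient", "need at least two readings; the first only clears the counter"
    usable = readings[1:]
    if any(r == 255 for r in usable):
        return "faulty", "counter saturated at 255: port faulty, unconnected, or no signal"
    covered = len(usable) * poll_interval_s
    if covered < window_s:
        return "insufficient", f"only {covered:.0f}s of the required {window_s:.0f}s observed"
    errors = sum(usable)
    if errors == 0:
        return "ok", f"0 errors over {covered:.0f}s"
    return "faulty", f"{errors} errors over {covered:.0f}s"


if __name__ == "__main__":
    # Assumed: 10 Gb/s line rate, BER target 1e-12, polling every 10 s.
    window = required_zero_window_s(1e-12, 10e9)          # 100 s
    sample = [17] + [0] * 10                               # constructed readings
    print(window, evaluate_prbs(sample, window, 10))
```

The first reading (17 in the constructed sample) is ignored deliberately; counting it would condemn a healthy link on the stale value the register held before the test began.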
Checking the Cable Status Using TDR
You can check the status of the copper cables by using the time domain reflectometer (TDR). TDR is supported on the following modules: WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF, WS-X6748-GE-TX, WS-X6148A-GE-TX, WS-X6148-GE-45AF, WS-X6148A-GE-45AF, WS-X6148A-RJ-45, and WS-X6148A-45AF. The TDR detects a cable fault by sending a signal through the cable and reading the signal that is reflected back to it. All or part of the signal can be reflected back by any number of cable defects or by the end of the cable itself.
Note
TDR can test cables up to a maximum length of 115 meters.
Use TDR to determine if the cabling is at fault if you cannot establish a link. This test is especially important when replacing an existing switch, upgrading to Gigabit Ethernet, or installing new cable plants.
To start or stop the TDR test, perform this task in privileged mode:
Step  Task                          Command
----  ----------------------------  --------------------------------------------------
1     Start or stop the TDR test.   test cable-diagnostics tdr {start | stop} mod/port
2     Display the TDR test results. show port tdr mod/port
This example shows how to start the TDR test on port 1 on module 2:
Console> (enable) test cable-diagnostics tdr start 2/1
TDR test started on port 2/1. Use show port tdr <m/p> to see the results
This example shows how to stop the TDR test on port 1 on module 2:
Console> (enable) test cable-diagnostics tdr stop 2/1
tdr cable-diagnostic test stopped on port 2/1.
This example shows the message that displays when the TDR test is not supported on a module:
Console> (enable) test cable-diagnostics tdr start 2/1
Feature not supported on module 2.
This example shows how to display the TDR test results for a port:
Console> (enable) show port tdr 2/1
TDR test last run on Mon, March 10 2003 at 1:35:00 pm
Port Speed Local pair Pair length Remote pair Pair status
----- ------ ----------- ------------------- ------------ ------------
2/1 1000 Pair A 12 +/- 3 meters Pair A Terminated
Pair B 12 +/- 3 meters Pair B Terminated
Pair C 12 +/- 3 meters Pair C Terminated
Pair D 12 +/- 3 meters Pair D Terminated
Using Telnet
You can access the switch command-line interface (CLI) using Telnet. In addition, you can use Telnet from the switch to access the other devices in the network. Up to eight simultaneous Telnet sessions are possible.
To Telnet to another device on the network from the switch, perform this task in privileged mode:
Task                                       Command
-----------------------------------------  ------------------
Open a Telnet session with a remote host.  telnet host [port]
This example shows how to Telnet from the switch to a remote host:
Console> (enable) telnet labsparc
Escape character is '^]'.
UNIX(r) System V Release 4.0 (labsparc)
Using Secure Shell Encryption for Telnet Sessions
Note
To use Secure Shell encryption commands, you must be running an encryption image. See Chapter 27, "Working with System Software Images" for the software image naming conventions that are used for the encryption images.
Note
The Secure Shell encryption feature includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Secure Shell (SSH) encryption protects remote login sessions to the switch that would otherwise travel in cleartext over Telnet. Secure Shell encryption is supported for remote logins to the switch only; Telnet sessions that are initiated from the switch cannot be encrypted. To use this feature, you must install an SSH client on the host accessing the switch, and you must configure Secure Shell encryption on the switch.
The current implementation of Secure Shell encryption supports SSH version 1 and version 2. SSH version 1 supports the DES and 3DES encryption methods, and SSH version 2 supports the 3DES and AES encryption methods. SSH version 1 and single DES are cryptographically weak and are retained only for legacy clients; where your clients allow it, set the switch to version 2 (set ssh mode v2) so that compatibility mode does not leave version 1 negotiable. Secure Shell encryption can be used with RADIUS and TACACS+ authentication. To configure authentication with Secure Shell encryption, enter the telnet keyword in the set authentication commands.
Note
If you are using Kerberos to authenticate connections to the switch, you will not be able to use Secure Shell encryption.
Note
Catalyst 6500 series software release 8.7(1) supports SSH keyboard-interactive authentication methods such as S/KEY, one-time pads, hardware tokens that display a number or string, and other legacy authentication methods with RADIUS and TACACS+ servers. For SSH keyboard-interactive authentication to work, ensure that the Apply password change rule check box is checked on the Authentication Server Group Setup page on the RADIUS/TACACS+ server. The keyboard-interactive authentication method works only with SSH version 2, and the blank password mechanism is supported only with TACACS+ authentication.
To enable Secure Shell encryption on the switch, perform this task in privileged mode:
Step  Task                                        Command
----  ------------------------------------------  --------------------------------
1     Create the RSA host key.                    set crypto key rsa nbits [force]
2     Set the SSH version.                        set ssh mode {v1 | v2}
3     Clear the SSH mode configuration.           clear ssh mode
4     Display the SSH configuration information.  show ssh
Note
If you do not specify the v1 or the v2 keyword in step 2, SSH operates in compatibility mode, in which both version 1 and version 2 clients are accepted.
This example shows how to create the RSA host key:
Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Console> (enable) set ssh mode v
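The SSH mode set above determines what the switch announces to connecting clients. An SSH server identifies itself with a line of the form SSH-protoversion-softwareversion (RFC 4253): protocol version 2.0 means version 2 only, 1.99 means both versions are accepted (compatibility mode), and 1.x means version 1 only. The following Python script is added here as an example and is not code from the original page: classify_banner sorts such identification strings into those three cases, and probe_ssh reads one from a live host so you can confirm that set ssh mode v2 took effect from the network side. The banner strings are constructed samples, and the function and host names are assumptions.

```python
import re
import socket

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>\S+)(?: (?P<comment>.*))?$")


def classify_banner(line):
    """Return "v2-only", "compat", "v1-only" or "unknown" for an SSH identification line."""
    m = BANNER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string")
    proto = m["proto"]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "compat"       # server accepts both version 1 and version 2 clients
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def acceptable(classification):
    """Policy: only a version-2-only server passes; compatibility mode still offers v1."""
    return classification == "v2-only"


def probe_ssh(host, port=22, timeout=5.0):
    """Connect to host:port, read the server's identification line and classify it.

    Network access is assumed. RFC 4253 allows a server to send other text lines
    before the identification string, so lines not starting with "SSH-" are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-banner_probe\r\n")
        f = s.makefile("rb")
        for _ in range(20):
            line = f.readline(255).decode("ascii", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return classify_banner(line)
    raise ValueError("no SSH identification string received")


# Constructed sample banners (not captured from real devices).
SAMPLE_BANNERS = {
    "switch-compat": "SSH-1.99-Cisco-1.25\r\n",
    "switch-v2": "SSH-2.0-Cisco-1.25\r\n",
    "legacy-v1": "SSH-1.5-OpenSSH_2.9\r\n",
    "bastion": "SSH-2.0-OpenSSH_9.6 Ubuntu-3ubuntu13\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        c = classify_banner(banner)
        print(f"{name:14} {c:8} {'PASS' if acceptable(c) else 'FAIL'}")
    # Live check (assumed hostname): print(probe_ssh("switch.example.net"))
```

A banner of 1.99 after the switch is supposed to be locked to version 2 means the mode was not applied (or not saved); run show ssh on the switch and compare.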