-
Catalyst 4500 Series Software Configuration Guide, 7.5
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet and Fast Ethernet Switching
-
Configuring Gigabit Ethernet Switching
-
Configuring Fast EtherChannel and Gigabit EtherChannel
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
-
Configuring Dynamic VLAN Membership with VMPS
-
Configuring GVRP
-
Configuring QoS
-
Configuring Multicast Services
-
Configuring Port Security
-
Configuring Unicast Flood Blocking
-
Configuring the IP Permit List
-
Configuring Protocol Filtering
-
Checking Port Status and Connectivity
-
Configuring CDP
-
Using Switch TopN Reports
-
Configuring UDLD
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN and RSPAN
-
Administering the Switch
-
Configuring Switch Access Using AAA
-
Modifying the Switch Boot Configuration
-
Working with System Software Images
-
Using the Flash File System
-
Working with Configuration Files
-
Configuring Switch Acceleration
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring NTP
-
Glossary
-
Index
-
Feedback
Table Of Contents
Checking Port Status and Connectivity
Using Secure Shell Encryption for Telnet Sessions
Understanding How IP Traceroute Works
Checking Port Status and Connectivity
This chapter describes how to check switch port status and connectivity on the Catalyst enterprise LAN switches.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
This chapter consists of these major sections:
•
Checking Module Status
The Catalyst enterprise LAN switches are multimodule systems. You can see what modules are installed, as well as the MAC address ranges and version numbers for each module, by using the show module command. You can use the [mod_num] argument to specify a particular module number to see detailed information on that module.
The Catalyst 4912G, 2948G, and 2980G switches are fixed-configuration switches, but are logically modular. You must apply configuration commands to the appropriate module. For example, on a Catalyst 2948G series switch, the 24 Fast Ethernet ports belong logically to module 2.
This example shows how to check module status on a Catalyst 2948G switch:
Console> (enable) show moduleMod Slot Ports Module-Type Model Status--- ---- ----- ------------------------- ------------------- --------1 1 0 Switching Supervisor WS-X2948 ok2 1 50 10/100/1000 Ethernet WS-X2948G okMod Module-Name Serial-Num--- ------------------- --------------------1 Supervisor JAB023807H12 Switch Ports JAB023807H1Mod MAC-Address(es) Hw Fw Sw--- -------------------------------------- ------ ---------- -----------------1 00-50-73-12-09-00 to 00-50-73-12-0c-ff 1.0 4.4(1) 5.1(1)2 00-50-73-12-0c-9e to 00-50-73-12-0c-fd 1.0Console> (enable)This example shows how to check module status on a specific module:
Console> (enable) show module 3Mod Slot Ports Module-Type Model Sub Status--- ---- ----- ------------------------- ------------------- --- --------3 3 6 1000BaseX Ethernet WS-X4306 no okMod Module-Name Serial-Num--- ------------------- --------------------3 JAB024000YYMod MAC-Address(es) Hw Fw Sw--- -------------------------------------- ------ ---------- -----------------3 00-10-7b-f6-b2-1a to 00-10-7b-f6-b2-1f 0.2Console> (enable)Checking Port Status
You can display summary or detailed information on the switch ports using the show port command. To display summary information on all of the ports on the switch, enter the show port command with no arguments. Specify a particular module number to see information on the ports on that module only. Enter both the module number and the port number to see detailed information about the specified port.
The Catalyst 4912G, 2948G, and 2980G switches are fixed-configuration switches but are logically modular. To apply configuration commands to a particular port, you must specify the appropriate logical module. For more information, see the "Checking Module Status" section.
This example shows how to display information about the ports on a specific module only:
Console> (enable) show port 3Port Name Status Vlan Level Duplex Speed Type----- ------------------ ---------- ---------- ------ ------ ----- ------------3/1 connected 10 normal full 1000 1000BaseSX3/2 connected 10 normal full 1000 1000BaseSX3/3 connected 20 normal full 1000 1000BaseSX3/4 connected 40 normal full 1000 1000BaseSX3/5 notconnect 1 normal full 1000 No GBIC3/6 notconnect 1 normal full 1000 No GBICPort Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex----- -------- ----------------- ----------------- -------- -------- -------3/1 disabled No disabled 153/2 disabled No disabled 163/3 disabled No disabled 173/4 disabled No disabled 183/5 disabled No disabled 193/6 disabled No disabled 20Port Send FlowControl Receive FlowControl RxPause TxPause Unsupportedadmin oper admin oper opcodes----- -------- -------- -------- -------- ------- ------- -----------3/1 desired on desired on 0 0 03/2 desired on desired on 0 0 03/3 desired on desired on 0 0 03/4 desired on desired on 0 0 03/5 desired off off off 0 0 03/6 desired off off off 0 0 0Port Status Channel Channel Neighbor Neighbormode status device port----- ---------- --------- ----------- ------------------------- ----------3/1 connected off not channel3/2 connected off not channel3/3 connected off not channel3/4 connected off not channel3/5 notconnect off not channel3/6 notconnect off not channelPort Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------3/1 - 0 0 0 03/2 - 0 0 0 03/3 - 0 0 0 03/4 - 0 0 0 03/5 - 0 0 0 03/6 - 0 0 0 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------3/1 0 0 0 0 0 0 03/2 0 0 0 0 0 0 03/3 0 0 0 0 0 0 03/4 0 0 0 0 0 0 03/5 0 0 0 0 0 0 03/6 0 0 0 0 0 0 0Last-Time-Cleared--------------------------Fri Apr 30 1999, 18:54:17Console> (enable)This example shows how to display information on an individual port:
Console> (enable) show port 2/1Port Name Status Vlan Level Duplex Speed Type----- ------------------ ---------- ---------- ------ ------ ----- ------------2/1 inactive 100 normal auto auto 10/100BaseTXPort AuxiliaryVlan AuxVlan-Status InlinePowered PowerAllocatedAdmin Oper Detected mWatt mA @51V----- ------------- -------------- ----- ------ -------- ----- --------2/1 none none - - - - -Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex----- -------- --------- ------------- -------- -------- -------- -------2/1 disabled shutdown 0 0 1 disabled 15Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left----- -------- ----------------- -------- ----------------- ------------------2/1 0 - - - - -Port Status Channel Admin ChMode Group Id----- ---------- -------------------- ----- -----2/1 inactive auto silent 1 0Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------2/1 - 0 998 1012 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------2/1 0 0 0 0 0 1012 0Last-Time-Cleared--------------------------Mon Jun 11 2001, 07:26:48Console> (enable)Checking a Port MAC Address
In addition to displaying the MAC address range for a module using the show module command, you can display the MAC address of a specific port in the switch using the show port mac-address command.
To display the MAC address for a specific port, perform this task in privileged mode:
This example shows you how to display the MAC address of a specific port:
Console> show port mac-address 4/1Port Mac address----- ----------------------4/1 00-50-54-bf-59-64This example shows you how to display the MAC addresses of all ports on a module:
Console> show port mac-address 4Port Mac address----- ----------------------4/1 00-50-54-bf-59-644/2 00-50-54-bf-59-654/3 00-50-54-bf-59-664/4 00-50-54-bf-59-67...4/47 00-50-54-bf-59-924/48 00-50-54-bf-59-93Checking Port Capabilities
You can display the capabilities of any port in a switch using the show port capabilities command. This example shows you how to display the port capabilities for ports on module 2:
Console> (enable) show port capabilities 2Model WS-X4148Port 2/1Type 10/100BaseTXSpeed auto,10,100Duplex half,fullTrunk encap type 802.1QTrunk mode on,off,desirable,auto,nonegotiateChannel 2/1-48Flow control noSecurity yesMembership static,dynamicFast start yesQOS scheduling rx-(none),tx-(2q1t)CoS rewrite noToS rewrite noRewrite noUDLD yesInline power noAuxiliaryVlan 1..1000,untagged,noneSPAN source,destination--------------------------------------------------------------Model WS-X4148Port 2/2Type 10/100BaseTXSpeed auto,10,100Duplex half,fullTrunk encap type 802.1QTrunk mode on,off,desirable,auto,nonegotiateChannel 2/1-48Flow control noSecurity yesMembership static,dynamicFast start yesQOS scheduling rx-(none),tx-(2q1t)CoS rewrite noToS rewrite noRewrite noUDLD yesInline power noAuxiliaryVlan 1..1000,untagged,noneSPAN source,destination...This example shows you how to display the port capabilities for port 5 on module 3:
Console> (enable) show port capabilities 3/5Model WS-X4148Port 3/5Type 10/100BaseTXSpeed auto,10,100Duplex half,fullTrunk encap type 802.1QTrunk mode on,off,desirable,auto,nonegotiateChannel 3/1-48Flow control noSecurity yesMembership static,dynamicFast start yesQOS scheduling rx-(none),tx-(2q1t)CoS rewrite noToS rewrite noRewrite noUDLD yesInline power noAuxiliaryVlan 1..1000,untagged,noneSPAN source,destinationConsole> (enable)Using Telnet
You can access the switch CLI using Telnet. In addition, you can use Telnet from the switch to access other devices in the network. Up to eight simultaneous Telnet sessions are possible.
Before you can open a Telnet session to the switch, you must first set the IP address (and in some cases the default gateway) for the switch. For information about setting the IP address and default gateway, see "Configuring the Switch IP Address and Default Gateway."
To open a Telnet session to another device on the network from the switch, perform this task in privileged mode:
This example shows how to open a Telnet session from the switch to the remote host labsparc:
Console> (enable) telnet labsparcTrying 172.16.10.3...Connected to labsparc.Escape character is '^]'.UNIX(r) System V Release 4.0 (labsparc)login:Changing the Login Timer
The login timer is the number of minutes after which an idle session is disconnected. To change the logout timer value, perform this task in privileged mode:
Change the logout timer value (a timeout value of 0 prevents idle sessions from being disconnected automatically).
set logout timeout
This example shows how to set the logout timer value to 10 minutes:
Console> (enable) set logout 10Sessions will be automatically logged out after 10 minutes of idle time.Console> (enable)This example shows how to set the logout timer value to 0, preventing idle sessions from being disconnected automatically:
Console> (enable) set logout 0Sessions will not be automatically logged out.Console> (enable)Using Secure Shell Encryption for Telnet Sessions
Note
The SSH feature provides security for Telnet sessions to the switch. SSH is supported for remote logins to the switch only. Telnet sessions initiated from the switch cannot be encrypted. To use this feature, you must install the application on the client accessing the switch and you must configure SSH the switch.
The current implementation of SSH supports version 1, both the data encryption standard (DES) and 3DES encryption methods, and can be used with RADIUS and TACACS+ authentication. To support authentication for Telnet with secure shell encryption, use the telnet keyword in the set authentication commands.
Note
To enable SSH on the switch, perform this task in privileged mode:
This example shows how to create the RSA host key:
Console> (enable) set crypto key rsa 1024Generating RSA keys.... [OK]Console> (enable)The nbits value specifies the RSA key size; the valid key size range is from 512 to 2048 bits. A key size with a larger number provides higher security but takes longer to generate.
Monitoring User Sessions
You can display the currently active user sessions on the switch using the show users command. The command output displays all active console port and Telnet sessions on the switch.
To display the active user sessions on the switch, perform this task in privileged mode:
This example shows the output of the show users command when local authentication is enabled for console and Telnet sessions (the asterisk [*] indicates the current session):
Console> (enable) show usersSession User Location-------- ---------------- -------------------------consoletelnet sam-pc.bigcorp.com* telnet jake-mac.bigcorp.comConsole> (enable)This example shows the output of the show users command when TACACS+ authentication is enabled for console and Telnet sessions:
Console> (enable) show usersSession User Location-------- ---------------- -------------------------console samtelnet jake jake-mac.bigcorp.comtelnet tim tim-nt.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable)This example shows how to display information about user sessions using the noalias keyword to display the IP addresses of connected hosts:
Console> (enable) show users noaliasSession User Location-------- ---------------- -------------------------consoletelnet 10.10.10.12* telnet 10.10.20.46Console> (enable)To disconnect an active user session, perform this task in privileged mode:
This example shows how to disconnect an active console port session and an active Telnet session:
Console> (enable) show usersSession User Location-------- ---------------- -------------------------console samtelnet jake jake-mac.bigcorp.comtelnet tim tim-nt.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable) disconnect consoleConsole session disconnected.Console> (enable) disconnect tim-nt.bigcorp.comTelnet session from tim-nt.bigcorp.com disconnected. (1)Console> (enable) show usersSession User Location-------- ---------------- -------------------------telnet jake jake-mac.bigcorp.com* telnet suzy suzy-pc.bigcorp.comConsole> (enable)Using Ping
The next two sections describe how to use IP ping.
Understanding How Ping Works
You can use IP ping to test connectivity to remote hosts. To ping a host in a different IP subnetwork, you must define a static route to the network or configure a router to route between those subnets.
The ping command is configurable from normal executive and privileged executive mode. In normal executive mode, the ping command supports the -s parameter, which allows you to specify the packet size and packet count. In privileged executive mode, the ping command allows you to specify the packet size, packet count, and the wait time.
Table 20-1 lists the default values that apply to the ping-s command.
Table 20-1 Ping Default Values
5
0=continuous ping
56
56
2
2
Host IP Address
-
Ping will return one of the following responses:
•
•
•
•
•
To stop a ping in progress, press Ctrl-C.
Executing Ping
To ping another device on the network from the switch, perform one of these tasks in normal or privileged mode:
Ping a remote host.
ping host
Ping a remote host using ping options.
ping -s host [packet_size] [packet_count]
This example shows how to ping a remote host from normal executive mode:
Console> ping labsparclabsparc is aliveConsole> ping 72.16.10.312.16.10.3 is aliveConsole>This example shows how to ping a remote host using the -s option:
Console> ping -s 12.20.5.3 800 10PING 12.20.2.3: 800 data bytes808 bytes from 12.20.2.3: icmp_seq=0. time=2 ms808 bytes from 12.20.2.3: icmp_seq=1. time=3 ms808 bytes from 12.20.2.3: icmp_seq=2. time=2 ms808 bytes from 12.20.2.3: icmp_seq=3. time=2 ms808 bytes from 12.20.2.3: icmp_seq=4. time=2 ms808 bytes from 12.20.2.3: icmp_seq=5. time=2 ms808 bytes from 12.20.2.3: icmp_seq=6. time=2 ms808 bytes from 12.20.2.3: icmp_seq=7. time=2 ms808 bytes from 12.20.2.3: icmp_seq=8. time=2 ms808 bytes from 12.20.2.3: icmp_seq=9. time=3 ms----17.20.2.3 PING Statistics----10 packets transmitted, 10 packets received, 0% packet lossround-trip (ms) min/avg/max = 2/2/3Console>This example shows how to enter a ping command in privileged mode specifying the number of packets, the packet size, and the timeout period:
Console> (enable) pingTarget IP Address []: 12.20.5.19Number of Packets [5]: 10Datagram Size [56]: 100Timeout in seconds [2]: 10Source IP Address [12.20.2.18]: 12.20.2.18!!!!!!!!!!----12.20.2.19 PING Statistics----10 packets transmitted, 10 packets received, 0% packet lossround-trip (ms) min/avg/max = 1/1/1Console> (enable)Using Layer 2 Traceroute
The Layer 2 Traceroute utility allows you to identify the physical path that a packet takes from a source to a destination. This utility determines the path by looking at the forwarding engine tables of the switches in the path.
Information is displayed about all Catalyst 4000 family, Catalyst 5000 family, and Catalyst 6500 series switches that are in the path from the source to the destination.
Usage Guidelines
This section lists the guidelines for the Layer 2 Traceroute utility:
•
•
•
•
•
•
•
•
Identifying a Layer 2 Path
To identify a Layer 2 path, perform one of these tasks in privileged mode:
This example shows the source and destination MAC addresses specified, with no VLAN specified but with the detail option specified. For each Catalyst 4000 family, 5000 family, and 6500 series switch found in the path, the output shows the device type, device name, device IP address, in port name, in port speed, in port duplex mode, out port name, out port speed, and out port duplex mode.
Console> (enable) l2trace 00-01-22-33-44-55 10-22-33-44-55-66 detaill2trace vlan number is 10.00-01-22-33-44-55 found in C4000 named wiring-1 on port 4/1 10Mb half duplexC4000:wiring-1:192.168.242.10:4/1 10Mb half duplex -> 5/2 100MB full duplexC4000:backup-wiring-1:192.168.242.20:1/1 100Mb full duplex -> 3/1 100MB full duplexC5000:backup-core-1:192.168.242.30:4/1 100 MB full duplex -> 1/1 100MB full duplexC6000:core-1:192.168.242.40:1/1 100MB full duplex -> 2/1 10MB half duplex.10-22-33-44-55-66 found in C4000 named core-1 on port 2/1 10MB half duplex.Console> (enable)Using IP Traceroute
The next two sections describe how to use IP traceroute.
Understanding How IP Traceroute Works
You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
Switches can participate as the source or destination of the traceroute command but will not appear as a hop in the traceroute command output.
The traceroute command uses the Time To Live (TTL) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an Internet Control Message Protocol (ICMP) time-exceeded message to the sender. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum TTL is reached).
To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source. This message indicates to the traceroute facility that it has reached the destination.
Executing IP Traceroute
To trace the path that packets take through the network, perform this task in privileged mode:
This example shows the basic usage of the traceroute command:
Console> (enable) traceroute 10.1.1.100traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 40 byte packets1 10.1.1.1 (10.1.1.1) 1 ms 2 ms 1 ms2 10.1.1.100 (10.1.1.100) 2 ms 2 ms 2 msConsole> (enable)This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each:
Console> (enable) traceroute -q 6 10.1.1.100 1400traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 1440 byte packets1 10.1.1.1 (10.1.1.1) 2 ms 2 ms 2 ms 1 ms 2 ms 2 ms2 10.1.1.100 (10.1.1.100) 2 ms 4 ms 3 ms 3 ms 3 ms 3 msConsole> (enable)
