IBM Cisco Systems Intelligent Gigabit Ethernet User Manual

Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter
Software Configuration Guide
Cisco IOS Release 12.1(22)EA6
Note: Before using this information and the product it supports, read the general information in Appendix C, “Getting Help and Technical Assistance” and Appendix D, “Notices.”
First Edition (October 2005)
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Preface xxiii
Audience xxiii
Purpose xxiii
Conventions xxiv
Related Publications xxv

CONTENTS

1 Overview 1-1
Features 1-1
Ease of Use and Ease of Deployment 1-1 Performance 1-1 Manageability 1-2 Redundancy 1-3 VLAN Support 1-4 Security 1-4 Quality of Service and Class of Service 1-5 Monitoring 1-5
Management Options 1-6
Management Interface Options 1-6
Network Configuration Examples 1-7
Where to Go Next 1-8
2 Using the Command-Line Interface 2-1
Cisco IOS Command Modes 2-1
Getting Help 2-3
24R9746
Abbreviating Commands 2-4
Using no and default Forms of Commands 2-4
Understanding CLI Messages 2-5
Using Command History 2-5
Changing the Command History Buffer Size 2-5 Recalling Commands 2-6 Disabling the Command History Feature 2-6
Using Editing Features 2-6
Enabling and Disabling Editing Features 2-6 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-8
Searching and Filtering Output of show and more Commands 2-9
Accessing the CLI 2-9
3 Assigning the Switch IP Address and Default Gateway 3-1
Understanding the Boot Process 3-1
Assigning Switch Information 3-2
Default Switch Information 3-2 Manually Assigning IP Information 3-3
Checking and Saving the Running Configuration 3-4
Modifying the Startup Configuration 3-6
Default Boot Configuration 3-7 Specifying the Filename to Read and Write the System Configuration 3-7 Booting a Specific Software Image 3-8 Controlling Environment Variables 3-8
Scheduling a Reload of the Software Image 3-11
Configuring a Scheduled Reload 3-11 Displaying Scheduled Reload Information 3-12
4 Administering the Switch 4-1
Managing the System Time and Date 4-1
Understanding the System Clock 4-1 Understanding Network Time Protocol 4-2 Configuring NTP 4-3
Default NTP Configuration 4-4 Configuring NTP Authentication 4-4 Configuring NTP Associations 4-5 Configuring NTP Broadcast Service 4-6 Configuring NTP Access Restrictions 4-7 Configuring the Source IP Address for NTP Packets 4-9 Displaying the NTP Configuration 4-10
Configuring Time and Date Manually 4-10
Setting the System Clock 4-10 Displaying the Time and Date Configuration 4-11 Configuring the Time Zone 4-11 Configuring Summer Time (Daylight Saving Time) 4-12
Configuring a System Name and Prompt 4-13
Default System Name and Prompt Configuration 4-14 Configuring a System Name 4-14 Understanding DNS 4-14
Default DNS Configuration 4-15 Setting Up DNS 4-15 Displaying the DNS Configuration 4-16
Creating a Banner 4-16
Default Banner Configuration 4-16 Configuring a Message-of-the-Day Login Banner 4-16 Configuring a Login Banner 4-18
Managing the MAC Address Table 4-18
Building the Address Table 4-19 MAC Addresses and VLANs 4-19 Default MAC Address Table Configuration 4-20 Changing the Address Aging Time 4-20 Removing Dynamic Address Entries 4-20 Configuring MAC Address Notification Traps 4-21 Adding and Removing Static Address Entries 4-23 Displaying Address Table Entries 4-24
Managing the ARP Table 4-24
5 Configuring Switch-Based Authentication 5-1
Preventing Unauthorized Access to Your Switch 5-1
Protecting Access to Privileged EXEC Commands 5-2
Default Password and Privilege Level Configuration 5-2 Setting or Changing a Static Enable Password 5-3 Protecting Enable and Enable Secret Passwords with Encryption 5-4 Setting a Telnet Password for a Terminal Line 5-5 Configuring Username and Password Pairs 5-6 Configuring Multiple Privilege Levels 5-6
Setting the Privilege Level for a Command 5-7 Changing the Default Privilege Level for Lines 5-8 Logging into and Exiting a Privilege Level 5-8
Controlling Switch Access with TACACS+ 5-9
Understanding TACACS+ 5-9 TACACS+ Operation 5-11 Configuring TACACS+ 5-11
Default TACACS+ Configuration 5-12
Identifying the TACACS+ Server Host and Setting the Authentication Key 5-12 Configuring TACACS+ Login Authentication 5-13 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 5-15 Starting TACACS+ Accounting 5-16
Displaying the TACACS+ Configuration 5-16
Controlling Switch Access with RADIUS 5-16
Understanding RADIUS 5-17 RADIUS Operation 5-18 Configuring RADIUS 5-19
Default RADIUS Configuration 5-19 Identifying the RADIUS Server Host 5-19 Configuring RADIUS Login Authentication 5-22 Defining AAA Server Groups 5-24 Configuring RADIUS Authorization for User Privileged Access and Network Services 5-26 Starting RADIUS Accounting 5-27 Configuring Settings for All RADIUS Servers 5-28 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 5-28 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 5-29
Displaying the RADIUS Configuration 5-30
Configuring the Switch for Local Authentication and Authorization 5-31
Configuring the Switch for Secure Shell 5-32
Understanding SSH 5-32
SSH Servers, Integrated Clients, and Supported Versions 5-32 Limitations 5-33
Configuring SSH 5-33
Configuration Guidelines 5-33 Cryptographic Software Image Guidelines 5-34 Setting Up the Switch to Run SSH 5-34 Configuring the SSH Server 5-35
Displaying the SSH Configuration and Status 5-36
6 Configuring IEEE 802.1x Port-Based Authentication 6-1
Understanding IEEE 802.1x Port-Based Authentication 6-1
Device Roles 6-2 Authentication Initiation and Message Exchange 6-3 Ports in Authorized and Unauthorized States 6-4 IEEE 802.1x Accounting 6-5 IEEE 802.1x Accounting Attribute-Value Pairs 6-5 IEEE 802.1x Host Mode 6-6
Using IEEE 802.1x with Port Security 6-7 Using IEEE 802.1x with Voice VLAN Ports 6-8 Using IEEE 802.1x with VLAN Assignment 6-8 Using IEEE 802.1x with Guest VLAN 6-9 Using IEEE 802.1x with Wake-on-LAN 6-10
Unidirectional State 6-10 Bidirectional State 6-10
Configuring IEEE 802.1x Authentication 6-11
Default IEEE 802.1x Configuration 6-11 IEEE 802.1x Configuration Guidelines 6-12 Enabling IEEE 802.1x Authentication 6-13 Configuring the Switch-to-RADIUS-Server Communication 6-14 Configuring IEEE 802.1x Authentication Using a RADIUS Server 6-16 Enabling Periodic Re-Authentication 6-16 Manually Re-Authenticating a Client Connected to a Port 6-17 Changing the Quiet Period 6-17 Changing the Switch-to-Client Retransmission Time 6-18 Setting the Switch-to-Client Frame-Retransmission Number 6-19 Configuring the Host Mode 6-20 Configuring a Guest VLAN 6-20 Resetting the IEEE 802.1x Configuration to the Default Values 6-22 Configuring IEEE 802.1x Authentication 6-22 Configuring IEEE 802.1x Accounting 6-24
Displaying IEEE 802.1x Statistics and Status 6-25
7 Configuring Interface Characteristics 7-1
Understanding Interface Types 7-1
Access Ports 7-2 Trunk Ports 7-2 Port-Based VLANs 7-3 EtherChannel Port Groups 7-3 Connecting Interfaces 7-4
Using the Interface Command 7-4
Procedures for Configuring Interfaces 7-5 Configuring a Range of Interfaces 7-6 Configuring and Using Interface-Range Macros 7-7
Configuring Ethernet Interfaces 7-9
Default Ethernet Interface Configuration 7-9 Configuring Interface Speed and Duplex Mode 7-10
Configuration Guidelines 7-11 Setting the Interface Speed and Duplex Parameters 7-11
Adding a Description for an Interface 7-12
Monitoring and Maintaining the Interfaces 7-13
Monitoring Interface and Controller Status 7-13 Clearing and Resetting Interfaces and Counters 7-15 Shutting Down and Restarting the Interface 7-15
8 Configuring Smartports Macros 8-1
Understanding Smartports Macros 8-1
Configuring Smartports Macros 8-2
Default Smartports Macro Configuration 8-2 Smartports Macro Configuration Guidelines 8-2 Creating Smartports Macros 8-4 Applying Smartports Macros 8-5 Applying Cisco-Default Smartports Macros 8-6
Displaying Smartports Macros 8-8
9 Configuring STP 9-1
Understanding Spanning-Tree Features 9-1
STP Overview 9-2 Spanning-Tree Topology and BPDUs 9-3 Bridge ID, Switch Priority, and Extended System ID 9-4 Spanning-Tree Interface States 9-4
Blocking State 9-5 Listening State 9-6 Learning State 9-6 Forwarding State 9-6
Disabled State 9-7 How a Switch or Port Becomes the Root Switch or Root Port 9-7 Spanning Tree and Redundant Connectivity 9-8 Spanning-Tree Address Management 9-8 Accelerated Aging to Retain Connectivity 9-8 Spanning-Tree Modes and Protocols 9-9 Supported Spanning-Tree Instances 9-9 Spanning-Tree Interoperability and Backward Compatibility 9-10 STP and IEEE 802.1Q Trunks 9-10 Spanning Tree Considerations for Cisco Systems Intelligent Gigabit Ethernet Switch Modules 9-11
Configuring Spanning-Tree Features 9-11
Default Spanning-Tree Configuration 9-12 Spanning-Tree Configuration Guidelines 9-12 Changing the Spanning-Tree Mode 9-13 Disabling Spanning Tree 9-14 Configuring the Root Switch 9-15 Configuring a Secondary Root Switch 9-17 Configuring the Port Priority 9-17 Configuring the Path Cost 9-19 Configuring the Switch Priority of a VLAN 9-20 Configuring Spanning-Tree Timers 9-21
Configuring the Hello Time 9-21 Configuring the Forwarding-Delay Time for a VLAN 9-22 Configuring the Maximum-Aging Time for a VLAN 9-22
Displaying the Spanning-Tree Status 9-23
10 Configuring MSTP 10-1
Understanding MSTP 10-2
Multiple Spanning-Tree Regions 10-2 IST, CIST, and CST 10-2
Operations Within an MST Region 10-3 Hop Count 10-4 Interoperability with IEEE 802.1D STP 10-4
Understanding RSTP 10-5
Port Roles and the Active Topology 10-5 Rapid Convergence 10-6 Synchronization of Port Roles 10-7 Bridge Protocol Data Unit Format and Processing 10-8
Processing Superior BPDU Information 10-9
Processing Inferior BPDU Information 10-9 Topology Changes 10-9
Configuring MSTP Features 10-10
Default MSTP Configuration 10-11 MSTP Configuration Guidelines 10-11 Specifying the MST Region Configuration and Enabling MSTP 10-12 Configuring the Root Switch 10-13 Configuring a Secondary Root Switch 10-15 Configuring the Port Priority 10-15 Configuring the Path Cost 10-17
Configuring the Switch Priority 10-18 Configuring the Hello Time 10-18 Configuring the Forwarding-Delay Time 10-19 Configuring the Maximum-Aging Time 10-20 Configuring the Maximum-Hop Count 10-20 Specifying the Link Type to Ensure Rapid Transitions 10-21 Restarting the Protocol Migration Process 10-21
Displaying the MST Configuration and Status 10-22
11 Configuring Optional Spanning-Tree Features 11-1
Understanding Optional Spanning-Tree Features 11-1
Understanding Port Fast 11-2 Understanding BPDU Guard 11-3 Understanding BPDU Filtering 11-3 Understanding UplinkFast 11-4 Understanding BackboneFast 11-5 Understanding EtherChannel Guard 11-8 Understanding Root Guard 11-8 Understanding Loop Guard 11-9
Configuring Optional Spanning-Tree Features 11-9
Default Optional Spanning-Tree Configuration 11-10 Optional Spanning-Tree Configuration Guidelines 11-10 Enabling Port Fast 11-10 Enabling BPDU Guard 11-11 Enabling BPDU Filtering 11-12 Enabling UplinkFast for Use with Redundant Links 11-13 Enabling BackboneFast 11-14 Enabling EtherChannel Guard 11-15 Enabling Root Guard 11-15 Enabling Loop Guard 11-16
Displaying the Spanning-Tree Status 11-17
12 Configuring VLANs 12-1
Understanding VLANs 12-1
Supported VLANs 12-2 VLAN Port Membership Modes 12-3
Configuring Normal-Range VLANs 12-4
Token Ring VLANs 12-5 Normal-Range VLAN Configuration Guidelines 12-5
VLAN Configuration Mode Options 12-6
VLAN Configuration in config-vlan Mode 12-6
VLAN Configuration in VLAN Configuration Mode 12-6 Saving VLAN Configuration 12-7 Default Ethernet VLAN Configuration 12-7 Creating or Modifying an Ethernet VLAN 12-8 Deleting a VLAN 12-10 Assigning Static-Access Ports to a VLAN 12-10
Configuring Extended-Range VLANs 12-11
Default VLAN Configuration 12-12 Extended-Range VLAN Configuration Guidelines 12-12 Creating an Extended-Range VLAN 12-12
Displaying VLANs 12-13
Configuring VLAN Trunks 12-14
Trunking Overview 12-14
IEEE 802.1Q Configuration Considerations 12-16 Default Layer 2 Ethernet Interface VLAN Configuration 12-17 Configuring an Ethernet Interface as a Trunk Port 12-17
Interaction with Other Features 12-18
Configuring a Trunk Port 12-18
Defining the Allowed VLANs on a Trunk 12-19
Changing the Pruning-Eligible List 12-20
Configuring the Native VLAN for Untagged Traffic 12-21 Load Sharing Using STP 12-22
Load Sharing Using STP Port Priorities 12-22
Load Sharing Using STP Path Cost 12-24
Configuring VMPS 12-25
Understanding VMPS 12-26
Dynamic Port VLAN Membership 12-26
VMPS Database Configuration File 12-27 Default VMPS Client Configuration 12-27 VMPS Configuration Guidelines 12-27 Configuring the VMPS Client 12-28
Entering the IP Address of the VMPS 12-28
Configuring Dynamic Access Ports on VMPS Clients 12-28
Reconfirming VLAN Memberships 12-29
Changing the Reconfirmation Interval 12-30
Changing the Retry Count 12-30
Monitoring the VMPS 12-30 Troubleshooting Dynamic Port VLAN Membership 12-31 VMPS Configuration Example 12-31
13 Configuring VTP 13-1
Understanding VTP 13-1
The VTP Domain 13-2 VTP Modes 13-3 VTP Advertisements 13-3 VTP Version 2 13-4 VTP Pruning 13-4
Configuring VTP 13-6
Default VTP Configuration 13-6 VTP Configuration Options 13-7
VTP Configuration in Global Configuration Mode 13-7 VTP Configuration in VLAN Configuration Mode 13-7
VTP Configuration Guidelines 13-8
Domain Names 13-8 Passwords 13-8 VTP Version 13-8
Configuration Requirements 13-9 Configuring a VTP Server 13-9 Configuring a VTP Client 13-10 Disabling VTP (VTP Transparent Mode) 13-11 Enabling VTP Version 2 13-12 Enabling VTP Pruning 13-13 Adding a VTP Client Switch to a VTP Domain 13-14
Monitoring VTP 13-15
14 Configuring IGMP Snooping and MVR 14-1
Understanding IGMP Snooping 14-2
IGMP Versions 14-2 Joining a Multicast Group 14-3 Leaving a Multicast Group 14-5 Immediate-Leave Processing 14-6 IGMP Configurable-Leave Timer 14-6 IGMP Report Suppression 14-6 Source-Only Networks 14-7
Configuring IGMP Snooping 14-7
Default IGMP Snooping Configuration 14-8 Enabling or Disabling IGMP Snooping 14-8 Setting the Snooping Method 14-9 Configuring a Multicast Router Port 14-10 Configuring a Host Statically to Join a Group 14-10 Enabling IGMP Immediate-Leave Processing 14-11 Configuring the IGMP Leave Timer 14-12 Disabling IGMP Report Suppression 14-12 Disabling IP Multicast-Source-Only Learning 14-13 Configuring the Aging Time 14-14
Displaying IGMP Snooping Information 14-14
Understanding Multicast VLAN Registration 14-15
Using MVR in a Multicast Television Application 14-16
Configuring MVR 14-17
Default MVR Configuration 14-18 MVR Configuration Guidelines and Limitations 14-18 Configuring MVR Global Parameters 14-18 Configuring MVR Interfaces 14-20
Displaying MVR Information 14-21
Configuring IGMP Filtering and Throttling 14-21
Default IGMP Filtering and Throttling Configuration 14-22 Configuring IGMP Profiles 14-23 Applying IGMP Profiles 14-24 Setting the Maximum Number of IGMP Groups 14-25 Configuring the IGMP Throttling Action 14-25
Displaying IGMP Filtering and Throttling Configuration 14-27
15 Configuring Port-Based Traffic Control 15-1
Configuring Storm Control 15-1
Understanding Storm Control 15-1 Default Storm Control Configuration 15-2 Configuring Storm Control and Threshold Levels 15-2
Configuring Protected Ports 15-3
Configuring Port Security 15-4
Understanding Port Security 15-4
Secure MAC Addresses 15-5 Security Violations 15-5
Default Port Security Configuration 15-6 Port Security Configuration Guidelines 15-6 Enabling and Configuring Port Security 15-7 Enabling and Configuring Port Security Aging 15-9
Displaying Port-Based Traffic Control Settings 15-11
16 Configuring UDLD 16-1
Understanding UDLD 16-1
Modes of Operation 16-1 Methods to Detect Unidirectional Links 16-2
Configuring UDLD 16-4
Default UDLD Configuration 16-4 Configuration Guidelines 16-4 Enabling UDLD Globally 16-5 Enabling UDLD on an Interface 16-6 Resetting an Interface Shut Down by UDLD 16-6
Displaying UDLD Status 16-7
17 Configuring CDP 17-1
Understanding CDP 17-1
Configuring CDP 17-2
Default CDP Configuration 17-2 Configuring the CDP Characteristics 17-2 Disabling and Enabling CDP 17-3 Disabling and Enabling CDP on an Interface 17-4
Monitoring and Maintaining CDP 17-5
18 Configuring SPAN and RSPAN 18-1
Understanding SPAN and RSPAN 18-1
SPAN and RSPAN Concepts and Terminology 18-3
SPAN Session 18-3
Traffic Types 18-3
Source Port 18-4
Destination Port 18-4
Reflector Port 18-5
SPAN Traffic 18-5 SPAN and RSPAN Interaction with Other Features 18-6
SPAN and RSPAN Session Limits 18-7 Default SPAN and RSPAN Configuration 18-7
Configuring SPAN 18-7
SPAN Configuration Guidelines 18-7 Creating a SPAN Session and Specifying Ports to Monitor 18-8 Creating a SPAN Session and Enabling Ingress Traffic 18-9 Removing Ports from a SPAN Session 18-11
Configuring RSPAN 18-12
RSPAN Configuration Guidelines 18-12 Configuring a VLAN as an RSPAN VLAN 18-13 Creating an RSPAN Source Session 18-14 Creating an RSPAN Destination Session 18-15 Removing Ports from an RSPAN Session 18-16
Displaying SPAN and RSPAN Status 18-17
19 Configuring RMON 19-1
Understanding RMON 19-1
Configuring RMON 19-2
Default RMON Configuration 19-3 Configuring RMON Alarms and Events 19-3 Configuring RMON Collection on an Interface 19-5
Displaying RMON Status 19-6
20 Configuring System Message Logging 20-1
Understanding System Message Logging 20-1
Configuring System Message Logging 20-2
System Log Message Format 20-2 Default System Message Logging Configuration 20-3 Disabling and Enabling Message Logging 20-4 Setting the Message Display Destination Device 20-4 Synchronizing Log Messages 20-6 Enabling and Disabling Timestamps on Log Messages 20-7 Enabling and Disabling Sequence Numbers in Log Messages 20-8 Defining the Message Severity Level 20-8 Limiting Syslog Messages Sent to the History Table and to SNMP 20-10
Configuring UNIX Syslog Servers 20-10
Logging Messages to a UNIX Syslog Daemon 20-11
Configuring the UNIX System Logging Facility 20-11
Displaying the Logging Configuration 20-12
21 Configuring SNMP 21-1
Understanding SNMP 21-1
SNMP Versions 21-2 SNMP Manager Functions 21-3 SNMP Agent Functions 21-3 SNMP Community Strings 21-4 Using SNMP to Access MIB Variables 21-4 SNMP Notifications 21-4
Configuring SNMP 21-5
Default SNMP Configuration 21-5 SNMP Configuration Guidelines 21-6 Disabling the SNMP Agent 21-6 Configuring Community Strings 21-7 Configuring SNMP Groups and Users 21-8 Configuring SNMP Notifications 21-10 Setting the Agent Contact and Location Information 21-13 Limiting TFTP Servers Used Through SNMP 21-13 SNMP Examples 21-14
Displaying SNMP Status 21-15
22 Configuring Network Security with ACLs 22-1
Understanding ACLs 22-2
Handling Fragmented and Unfragmented Traffic 22-3 Understanding Access Control Parameters 22-4 Guidelines for Applying ACLs to Physical Interfaces 22-5
Configuring ACLs 22-6
Unsupported Features 22-6 Creating Standard and Extended IP ACLs 22-7
ACL Numbers 22-7
Creating a Numbered Standard ACL 22-8
Creating a Numbered Extended ACL 22-9
Creating Named Standard and Extended ACLs 22-12
Applying Time Ranges to ACLs 22-14
Including Comments About Entries in ACLs 22-16
Creating Named MAC Extended ACLs 22-17 Creating MAC Access Groups 22-18
Applying ACLs to Terminal Lines or Physical Interfaces 22-18
Applying ACLs to a Terminal Line 22-19 Applying ACLs to a Physical Interface 22-19
Displaying ACL Information 22-20
Displaying ACLs 22-20 Displaying Access Groups 22-21
Examples for Compiling ACLs 22-22
Numbered ACL Examples 22-23 Extended ACL Examples 22-23 Named ACL Example 22-23 Commented IP ACL Entry Examples 22-23
23 Configuring QoS 23-1
Understanding QoS 23-2
Basic QoS Model 23-3 Classification 23-4
Classification Based on QoS ACLs 23-5
Classification Based on Class Maps and Policy Maps 23-6 Policing and Marking 23-6 Mapping Tables 23-7 Queueing and Scheduling 23-7
How Class of Service Works 23-7
Port Priority 23-7
Port Scheduling 23-8
Egress CoS Queues 23-8
Configuring Auto-QoS 23-9
Generated Auto-QoS Configuration 23-9 Effects of Auto-QoS on the Configuration 23-11 Configuration Guidelines 23-11 Enabling Auto-QoS for VoIP 23-12
Displaying Auto-QoS Information 23-13
Auto-QoS Configuration Example 23-14
Configuring Standard QoS 23-16
Default Standard QoS Configuration 23-16 Configuration Guidelines 23-16 Configuring Classification Using Port Trust States 23-17
Configuring the Trust State on Ports within the QoS Domain 23-18
Configuring the CoS Value for an Interface 23-19 Configuring Trusted Boundary 23-20 Enabling Pass-Through Mode 23-22
Configuring a QoS Policy 23-23
Classifying Traffic by Using ACLs 23-23 Classifying Traffic by Using Class Maps 23-27 Classifying, Policing, and Marking Traffic by Using Policy Maps 23-28
Configuring CoS Maps 23-31
Configuring the CoS-to-DSCP Map 23-32 Configuring the DSCP-to-CoS Map 23-33
Configuring the Egress Queues 23-34
Configuring CoS Priority Queues 23-34 Configuring WRR Priority 23-35 Enabling the Expedite Queue and Configuring WRR Priority 23-35
Displaying Standard QoS Information 23-36
Standard QoS Configuration Examples 23-36
QoS Configuration for the Existing Wiring Closet 23-37 QoS Configuration for the Intelligent Wiring Closet 23-38
24 Configuring EtherChannels and Layer 2 Trunk Failover 24-1
Understanding EtherChannels 24-1
Understanding Port-Channel Interfaces 24-2 Understanding the Port Aggregation Protocol and Link Aggregation Protocol 24-3
PAgP and LACP Modes 24-4 Physical Learners and Aggregate-Port Learners 24-5
PAgP and LACP Interaction with Other Features 24-5 EtherChannel On Mode 24-6 Understanding Load Balancing and Forwarding Methods 24-6
Configuring EtherChannels 24-8
Default EtherChannel Configuration 24-8 EtherChannel Configuration Guidelines 24-8 Configuring Layer 2 EtherChannels 24-9 Configuring EtherChannel Load Balancing 24-11 Configuring the PAgP Learn Method and Priority 24-12 Configuring the LACP Port Priority 24-13 Configuring Hot Standby Ports 24-13 Configuring the LACP System Priority 24-14
Displaying EtherChannel, PAgP, and LACP Status 24-15
Understanding Layer 2 Trunk Failover 24-15
Configuring Layer 2 Trunk Failover 24-16
Default Layer 2 Trunk Failover Configuration 24-16 Layer 2 Trunk Failover Configuration Guidelines 24-17 Configuring Layer 2 Trunk Failover 24-17
Displaying Layer 2 Trunk Failover Status 24-18
25 Troubleshooting 25-1
Using Recovery Procedures 25-1
Recovering from a Software Failure 25-1 Recovering from Lost or Forgotten Passwords 25-2
Password Recovery with Password Recovery Enabled 25-4 Procedure with Password Recovery Disabled 25-5
Preventing Autonegotiation Mismatches 25-7
SFP Module Security and Identification 25-7
Diagnosing Connectivity Problems 25-7
Using Ping 25-8
Understanding Ping 25-8 Executing Ping 25-8
Using Layer 2 Traceroute 25-9
Understanding Layer 2 Traceroute 25-9 Usage Guidelines 25-9 Displaying the Physical Path 25-10
Using Debug Commands 25-11
Enabling Debugging on a Specific Feature 25-11 Enabling All-System Diagnostics 25-12 Redirecting Debug and Error Message Output 25-12 Using the debug auto qos Command 25-12
Using the crashinfo File 25-13
A Supported MIBs A-1
MIB List A-1
Using FTP to Access the MIB Files A-3
B Working with the Cisco IOS File System, Configuration Files, and Software Images B-1
Working with the Flash File System B-1
Displaying Available File Systems B-2 Setting the Default File System B-3 Displaying Information about Files on a File System B-3
Changing Directories and Displaying the Working Directory B-4 Creating and Removing Directories B-4 Copying Files B-5 Deleting Files B-6 Creating, Displaying, and Extracting tar Files B-6
Creating a tar File B-6
Displaying the Contents of a tar File B-7
Extracting a tar File B-7 Displaying the Contents of a File B-8
Working with Configuration Files B-8
Guidelines for Creating and Using Configuration Files B-9 Configuration File Types and Location B-10 Creating a Configuration File By Using a Text Editor B-10 Copying Configuration Files By Using TFTP B-10
Preparing to Download or Upload a Configuration File By Using TFTP B-10
Downloading the Configuration File By Using TFTP B-11
Uploading the Configuration File By Using TFTP B-12 Copying Configuration Files By Using FTP B-12
Preparing to Download or Upload a Configuration File By Using FTP B-13
Downloading a Configuration File By Using FTP B-13
Uploading a Configuration File By Using FTP B-14 Copying Configuration Files By Using RCP B-15
Preparing to Download or Upload a Configuration File By Using RCP B-16
Downloading a Configuration File By Using RCP B-17
Uploading a Configuration File By Using RCP B-18 Clearing Configuration Information B-19
Clearing the Startup Configuration File B-19
Deleting a Stored Configuration File B-19
Working with Software Images B-19
Image Location on the Switch B-20 tar File Format of Images on a Server or IBM.com B-20 Copying Image Files By Using TFTP B-21
Preparing to Download or Upload an Image File By Using TFTP B-21
Downloading an Image File By Using TFTP B-22
Uploading an Image File By Using TFTP B-23 Copying Image Files By Using FTP B-24
Preparing to Download or Upload an Image File By Using FTP B-24
Downloading an Image File By Using FTP B-25
Uploading an Image File By Using FTP B-27
Copying Image Files By Using RCP B-28
Preparing to Download or Upload an Image File By Using RCP B-28 Downloading an Image File By Using RCP B-29 Uploading an Image File By Using RCP B-31
INDEX
C Getting Help and Technical Assistance C-1
Before You Call C-1
Using the Documentation C-2
Getting Help and Information from the World Wide Web C-2
Software Service and Support C-2
Hardware Service and Support C-2
D Notices D-1
Edition Notice D-2
Trademarks D-2

Preface

Audience

This guide is for the networking professional managing the Cisco Systems Intelligent Gigabit Ethernet Switch Modules, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides the information you need to configure software features on your switch.
Use this guide with other documents for information about these topics:

Requirements—This guide assumes that you have met the hardware and software requirements described in the release notes.

Start-up information—This guide assumes that you have assigned switch IP information and passwords by using the BladeCenter Management Module WEB page described in the IBM BladeCenter QuickStart Guide.

Embedded device manager graphical user interface (GUI)—This guide does not provide detailed information on the GUI. However, the concepts in this guide are applicable to the GUI user. For information about the device manager, see the switch online help.

CLI command information—This guide provides an overview for using the CLI. For complete syntax and usage information about the commands that have been specifically created or changed for the switches, see the command reference for this release.

This guide provides procedures for using the commands that have been created or changed for use with the switch. It does not provide detailed information about these commands. For detailed information about these commands, see the command reference for this release.
This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard Cisco IOS Release 12.1 commands, see the Cisco IOS documentation set available from the Cisco.com home page at Service and Support > Technical Documents. On the Cisco Product Documentation home page, select Release 12.1 from the Cisco IOS Software drop-down list.
This guide does not describe system messages you might encounter or how to install your switch. For this information, see the system message guide for this release and the hardware installation guide.
For documentation updates, see the release notes for this release.

Conventions

This publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and timesavers use these conventions and symbols:
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Timesaver: Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.

Related Publications

In addition to this document, the following related documentation comes with the Gigabit Ethernet switch module:
Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter System Release Notes
Note Switch requirements and procedures for initial configurations and software upgrades tend to change and therefore appear only in the release notes. Before installing, configuring, or upgrading the switch, see the release notes for the latest information.
Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter System Command Reference
This document is in PDF form on the IBM BladeCenter Documentation CD. It includes:
Command-line interface (CLI) modes
CLI commands and examples
Syntax description
Defaults
Command history
Usage guidelines
Related commands
Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter System Message Guide
This document is in PDF on the IBM BladeCenter Documentation CD. It has information about the switch-specific system messages. During operation, the system software sends these messages to the console or logging server on another system. Not all system messages indicate problems with the system. Some messages are informational, and others can help diagnose problems with communication lines, internal hardware, or the system software. This document also includes error messages that appear when the system fails.
Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter Installation Guide
This document has installation and configuration instructions for the Gigabit Ethernet switch module. This document also provides general information about your Gigabit Ethernet switch module, including warranty information and how to get help. This document is also on the IBM BladeCenter Documentation CD.
Cisco Systems Intelligent Gb Fiber Ethernet Switch Module for the IBM BladeCenter Installation Guide
This document has installation and configuration instructions for the Gb Fiber Ethernet switch module. This document also provides general information about your Gb Fiber Ethernet switch module, including warranty information and how to get help. This document is also on the IBM BladeCenter Documentation CD.
BladeCenter Type 8677 Installation and User’s Guide
This document is in PDF on the IBM BladeCenter Documentation CD. It contains general information about your BladeCenter unit, including:
Information about features
How to set up, cable, and start the BladeCenter unit
How to install options in the BladeCenter unit
How to configure the BladeCenter unit
How to perform basic troubleshooting of the BladeCenter unit
How to get help
BladeCenter Management Module User’s Guide
This document is in PDF on the IBM BladeCenter Documentation CD. It provides general information about the management module, including:
Information about features
How to start the management module
How to install the management module
How to configure and use the management module
BladeCenter HS20 Installation and User’s Guide (for each blade server type)
These documents are in PDF on the IBM BladeCenter Documentation CD. Each provides general information about a blade server, including:
Information about features
How to set up and start your blade server
How to install options in your blade server
How to configure your blade server
How to install an operating system on your blade server
How to perform basic troubleshooting of your blade server
How to get help
Cisco IOS Release 12.1 documentation at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/index.html
Cisco IOS Release 12.2 documentation at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/index.html
For information about related products, see these documents:
Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)
Cisco CWDM GBIC and CWDM SFP Installation Note (not orderable but available on Cisco.com)
CHAPTER 1

Overview

This chapter provides these topics about the Cisco Systems Intelligent Gigabit Ethernet Switch Module:
Features
Management Options
Network Configuration Examples
Where to Go Next
Note In this document, IP refers to IP version 4 (IPv4). Layer 3 IP version 6 (IPv6) packets are treated as non-IP packets.

Features

This section describes the features supported in this release.

Ease of Use and Ease of Deployment

User-defined Smartports macros for creating custom switch configurations for simplified deployment across the network.
Embedded device manager GUI for configuring and monitoring a single switch through a web browser. For information about launching the device manager, see the switch hardware installation guide. For more information about the device manager, see the switch online help.
Real-time status monitoring of a switch from the LEDs on a front-panel image from the device manager.

Performance

Autosensing of speed on the 10/100/1000 ports and autonegotiation of duplex mode on the external ports for optimizing bandwidth
Fast EtherChannel and Gigabit EtherChannel for enhanced fault tolerance and for providing up to 4 Gbps of bandwidth among switches, routers, and servers
Support for frame sizes from 64 to 9216 bytes
Port blocking on forwarding unknown unicast and multicast traffic
Per-port broadcast storm control for preventing faulty end stations from degrading overall system performance with broadcast storms
Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) for automatic creation of EtherChannel links
Internet Group Management Protocol (IGMP) snooping for IGMP versions 1, 2, and 3 to limit flooding of IP multicast traffic
IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries)
IGMP snooping querier support to configure switch to generate periodic IGMP General Query messages
Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons
IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong
IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
Protected port (private VLAN edge port) option for restricting the forwarding of traffic to designated ports on the same switch
Dynamic address learning for enhanced security

Manageability

Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address
Unicast MAC address filtering to drop packets with specific source or destination MAC addresses
Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
Directed unicast requests to a TFTP server for obtaining software upgrades from a TFTP server
Default configuration storage in flash memory to ensure that the switch can be connected to a network and can forward traffic with minimal user intervention
In-band management access through the embedded device manager through a Netscape Navigator or Internet Explorer session
In-band management access through up to 16 simultaneous Telnet connections for multiple command-line interface (CLI)-based sessions over the network
In-band management access through up to five simultaneous, encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (only available in the enhanced cryptographic software image)
In-band management access through SNMP versions 1, 2c, and 3 get and set requests
Out-of-band management access through the switch service port to a directly-attached terminal or to a remote terminal through a serial connection and a modem
Note For additional descriptions of the management interfaces, see the “Management Options” section on page 1-6.

Redundancy

Link state tracking to mirror the state of the external ports on the internal Ethernet links and to allow the failover of the processor blade traffic to an operational external link on a separate Cisco Ethernet switch
HSRP for command-switch redundancy
UniDirectional Link Detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
Up to 64 spanning-tree instances supported
Per-VLAN spanning-tree plus (PVST+) for load balancing across VLANs
Rapid PVST+ for load balancing across VLANs
UplinkFast and BackboneFast for fast convergence after a spanning-tree topology change and for achieving load balancing among redundant uplinks, including Gigabit uplinks
IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing and rapid per-VLAN Spanning-Tree plus (rapid-PVST+), based on the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) for rapid convergence of the spanning tree by immediately transitioning root and designated ports to the forwarding state
Optional spanning-tree features available in the PVST+, rapid PVST+, and MSTP modes:
Port Fast for eliminating the forwarding delay by enabling a port to immediately transition from the blocking state to the forwarding state
BPDU guard for shutting down Port Fast-enabled ports that receive BPDUs
BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs
Root guard for preventing switches outside the network core from becoming the spanning-tree root
Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link
Note The switch supports up to 64 spanning-tree instances.

VLAN Support

The switches support 250 port-based VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth
The switch supports up to 4094 VLAN IDs to allow service provider networks to support the number of VLANs allowed by the IEEE 802.1Q standard
IEEE 802.1Q trunking protocol on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources
VLAN Membership Policy Server (VMPS) for dynamic VLAN membership
VLAN Trunking Protocol (VTP) pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic
Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (IEEE 802.1Q) to be used
VLAN 1 minimization to reduce the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received. The switch CPU continues to send and receive control protocol frames.

Security

Multiple management interface support allowing multiple interfaces to be assigned to a unique IP address.
Bridge protocol data unit (BPDU) guard for shutting down a Port Fast-configured port when an invalid configuration occurs
Protected port option for restricting the forwarding of traffic to designated ports on the same switch
Password-protected access (read-only and read-write access) to management interfaces (device manager and CLI) for protection against unauthorized configuration changes
Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
Port security aging to set the aging time for secure addresses on a port
Multilevel security for a choice of security level, notification, and resulting actions
MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and preventing switch access from unauthorized stations
TACACS+, a proprietary feature for managing network security through a TACACS server
IEEE 802.1x port-based authentication to prevent unauthorized devices from gaining access to the network
IEEE 802.1x accounting to track network usage
IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame
Standard and extended IP access control lists (ACLs) for defining security policies

Quality of Service and Class of Service

Automatic quality of service (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues
IEEE 802.1p class of service (CoS) with eight priority queues on the Gigabit ports for prioritizing mission-critical and time-sensitive traffic from data, voice, and telephony applications
IP Differentiated Services Code Point (IP DSCP) and CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications
Flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network
Support for IEEE 802.1p CoS scheduling for classification and preferential treatment of high-priority voice traffic
Trusted boundary (detect the presence of a Cisco IP Phone, trust the CoS value received, and ensure port security. If the IP phone is not detected, disable the trusted setting on the port and prevent misuse of a high-priority queue.)
Policing
Traffic-policing policies on the switch port for allocating the amount of the port bandwidth to a specific traffic flow
Policing traffic flows to restrict specific applications or traffic flows to metered, predefined rates
Up to 60 policers on ingress Gigabit-capable Ethernet ports
Granularity of 8 Mbps on 10/100/1000 ports
Out-of-profile markdown for packets that exceed bandwidth utilization limits
Egress Policing and Scheduling of Egress Queues—Four egress queues on all switch ports. Support for strict priority and weighted round-robin (WRR) CoS policies
Source IP/Destination IP (SIP/DIP) address routing

Monitoring

Switch LEDs that show port and switch status
Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN
SPAN support of Intrusion Detection Systems (IDSs) to monitor, repel, and report network security violations
Four groups (history, statistics, alarms, and events) of embedded remote monitoring (RMON) agents for network monitoring and traffic analysis
MAC address notification for tracking the MAC addresses that the switch has learned or removed
Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device

Management Options

The switch is designed for plug-and-play operation: you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can configure and monitor the switch—on an individual basis—through its various management interfaces.
Note For information about assigning an IP address by using the BladeCenter Management Module Web page, see the IBM BladeCenter QuickStart Guide.

Management Interface Options

You can configure and monitor individual switches by using these interfaces:
An embedded device manager—The device manager is a GUI that is integrated in the software image. You can use it to configure and monitor a single switch through a web browser. For more information about the device manager, see the switch online help.
CLI—The switch Cisco IOS software supports desktop-switching features. You can access the CLI either by connecting your management station directly to the switch service port or by using Telnet or SSH from a remote management station.
For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.”
SNMP—SNMP provides a means to monitor and control the switch. You can manage switch configuration settings, performance, and security and collect statistics by using SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView.
You can manage the switch from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four RMON groups.
For more information about using SNMP, see Chapter 21, “Configuring SNMP.”

Network Configuration Examples

Figure 1-1, Figure 1-2, and Figure 1-3 show three different network configurations.
Figure 1-1 Basic Configuration (diagram not reproduced; labels: BladeCenter, servers, Cisco ESM, Bay 1, Bay 2, switch (for example, Catalyst 3750), firewall, network)
Figure 1-2 Trunking Configuration (diagram not reproduced; labels: BladeCenter, servers, Cisco ESM, ports 17–20, EtherChannel, switch (for example, Catalyst 3750), firewall, network)
Figure 1-3 Redundancy Configuration (diagram not reproduced; labels: BladeCenter, servers, Cisco ESM, ports 17–20, switch (for example, Catalyst 3750), firewall, network)

Where to Go Next

Before configuring the switch, review these sections for start-up information:
Chapter 2, “Using the Command-Line Interface”
Chapter 3, “Assigning the Switch IP Address and Default Gateway”
CHAPTER 2

Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your Cisco Systems Intelligent Gigabit Ethernet Switch Module. It contains these sections:
Cisco IOS Command Modes
Getting Help
Abbreviating Commands
Using no and default Forms of Commands
Understanding CLI Messages
Using Command History
Using Editing Features
Searching and Filtering Output of show and more Commands
Accessing the CLI

Cisco IOS Command Modes

The user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
For information on accessing the CLI through the switch service port or through a Telnet session, see the hardware installation guide.
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to change terminal settings, perform basic tests, and display system information.
Mode: Privileged EXEC
Access Method: While in user EXEC mode, enter the enable command.
Prompt: Switch#
Exit Method: Enter disable to exit.
About This Mode: Use this mode to verify commands that you have entered. Use a password to protect access to this mode.
Mode: Global configuration
Access Method: While in privileged EXEC mode, enter the configure command.
Prompt: Switch(config)#
Exit Method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About This Mode: Use this mode to configure parameters that apply to the entire switch.
Mode: Config-vlan
Access Method: While in global configuration mode, enter the vlan vlan-id command.
Prompt: Switch(config-vlan)#
Exit Method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.
Mode: VLAN configuration
Access Method: While in privileged EXEC mode, enter the vlan database command.
Prompt: Switch(vlan)#
Exit Method: To exit to privileged EXEC mode, enter exit.
About This Mode: Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the interfaces. To configure multiple interfaces with the same parameters, see the “Configuring a Range of Interfaces” section on page 7-6.
Mode: Line configuration
Access Method: While in global configuration mode, specify a line with the line vty or line console command.
Prompt: Switch(config-line)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the terminal line.
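The prompt column of Table 2-1 is enough to tell which mode each command in a captured terminal session was entered in, which is useful when reviewing a session log for configuration changes. The following Python sketch is an added example, not part of the original guide; the transcript, the interface name, and all function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Parenthesised prompt tags listed in Table 2-1 and the mode each indicates.
MODE_BY_TAG = {
    "config": "global configuration",
    "config-vlan": "config-vlan",
    "vlan": "VLAN configuration",
    "config-if": "interface configuration",
    "config-line": "line configuration",
}
EXEC_MODES = {"user EXEC", "privileged EXEC"}
NAVIGATION = {"exit", "end"}  # leave a mode; they set no parameter themselves


class Entry(NamedTuple):
    lineno: int
    mode: str
    command: str


def parse_prompt(line: str, hostname: str = "Switch") -> Optional[Tuple[str, str]]:
    """Return (mode, command) when the line starts with a prompt for hostname.

    Anchoring on the expected host name keeps command output that merely
    contains '#' or '>' from being mistaken for a prompt.
    """
    pattern = r"^%s(?:\(([\w-]+)\))?([>#])\s*(.*)$" % re.escape(hostname)
    match = re.match(pattern, line.rstrip())
    if not match:
        return None
    tag, end, command = match.groups()
    if tag is None:
        mode = "user EXEC" if end == ">" else "privileged EXEC"
    elif end == "#":
        # Tags outside Table 2-1 are reported rather than silently dropped.
        mode = MODE_BY_TAG.get(tag, "unlisted mode (%s)" % tag)
    else:
        return None  # "(tag)>" is not a prompt form that Table 2-1 shows
    return mode, command.strip()


def session_commands(transcript: str, hostname: str = "Switch") -> List[Entry]:
    """List every command typed at a prompt, with line number and mode."""
    entries = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        parsed = parse_prompt(line, hostname)
        if parsed and parsed[1]:
            entries.append(Entry(lineno, parsed[0], parsed[1]))
    return entries


def config_commands(entries: List[Entry]) -> List[Entry]:
    """Keep commands entered outside the two EXEC modes, minus exit/end.

    Unlisted modes are kept as well, so an unknown prompt is reviewed
    instead of being ignored.
    """
    return [
        e for e in entries
        if e.mode not in EXEC_MODES
        and e.command
        and e.command.split()[0].lower() not in NAVIGATION
    ]


# Constructed sample session (host name Switch, as in Table 2-1).
SAMPLE = """\
Switch> enable
Password:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# shutdown
Switch(config-if)# exit
Switch(config)# line vty 0 4
Switch(config-line)# no editing
Switch(config-line)# end
Switch# show conf
"""

if __name__ == "__main__":
    for entry in config_commands(session_commands(SAMPLE)):
        print("line %2d  %-24s %s" % entry)
```

Pass the switch's actual host name as `hostname` when the prompt is not `Switch`.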

Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Table 2-2 Help Summary
Command: help
Purpose: Obtain a brief description of the help system in any command mode.
Command: abbreviated-command-entry?
Purpose: Obtain a list of commands that begin with a particular character string.
For example:
Switch# di?
dir disable disconnect
Command: abbreviated-command-entry<Tab>
Purpose: Complete a partial command name.
For example:
Switch# sh conf<tab>
Switch# show configuration
Command: ?
Purpose: List all commands available for a particular command mode.
For example:
Switch> ?
Command: command ?
Purpose: List the associated keywords for a command.
For example:
Switch> show ?
Command: command keyword ?
Purpose: List the associated arguments for a keyword.
For example:
Switch(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet

Abbreviating Commands

You have to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:
Switch# show conf

Using no and default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.

Understanding CLI Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.
Error Message: % Incomplete command.
Meaning: You did not enter all the keywords or values required by this command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.
Error Message: % Invalid input detected at '^' marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all the commands that are available in this command mode. The possible keywords that you can enter with the command appear.

Using Command History

The software provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:
Changing the Command History Buffer Size
Recalling Commands
Disabling the Command History Feature

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session:
Switch# terminal history [size number-of-lines]
The range is from 0 to 256.
Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line:
Switch(config-line)# history [size number-of-lines]
The range is from 0 to 256.

Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in Table 2-4:
Table 2-4 Recalling Commands
Action (see footnote 1): Press Ctrl-P or the up arrow key.
Result: Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Action: Press Ctrl-N or the down arrow key.
Result: Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Action: show history
Result: While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that appear is determined by the setting of the terminal history global configuration command and history line configuration command.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

Disabling the Command History Feature

The command history feature is automatically enabled.
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
To disable command history for the line, enter the no history line configuration command.

Using Editing Features

This section describes the editing features that can help you manipulate the command line. It contains these sections:
Enabling and Disabling Editing Features
Editing Commands through Keystrokes
Editing Command Lines that Wrap

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode:
Switch# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# editing
To globally disable enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# no editing

Editing Commands through Keystrokes

Table 2-5 shows the keystrokes that you need to edit command lines.
Table 2-5 Editing Commands through Keystrokes
Capability / Keystroke (1) / Purpose

Move around the command line to make changes or corrections.
    Press Ctrl-B, or press the left arrow key. Move the cursor back one character.
    Press Ctrl-F, or press the right arrow key. Move the cursor forward one character.
    Press Ctrl-A. Move the cursor to the beginning of the command line.
    Press Ctrl-E. Move the cursor to the end of the command line.
    Press Esc B. Move the cursor back one word.
    Press Esc F. Move the cursor forward one word.
    Press Ctrl-T. Transpose the character to the left of the cursor with the character located at the cursor.

Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted.
    Press Ctrl-Y. Recall the most recent entry in the buffer.
    Press Esc Y. Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.

Delete entries if you make a mistake or change your mind.
    Press the Delete or Backspace key. Erase the character to the left of the cursor.
    Press Ctrl-D. Delete the character at the cursor.
    Press Ctrl-K. Delete all characters from the cursor to the end of the command line.
    Press Ctrl-U or Ctrl-X. Delete all characters from the cursor to the beginning of the command line.
    Press Ctrl-W. Delete the word to the left of the cursor.
    Press Esc D. Delete from the cursor to the end of the word.

Capitalize or lowercase words or capitalize a set of letters.
    Press Esc C. Capitalize at the cursor.
    Press Esc L. Change the word at the cursor to lowercase.
    Press Esc U. Capitalize letters from the cursor to the end of the word.

Designate a particular keystroke as an executable command, perhaps as a shortcut.
    Press Ctrl-V or Esc Q.

Scroll down a line or screen on displays that are longer than the terminal screen can display.
Note: The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.
    Press the Return key. Scroll down one line.
    Press the Space bar. Scroll down one screen.

Redisplay the current command line if the switch suddenly sends a message to your screen.
    Press Ctrl-L or Ctrl-R. Redisplay the current command line.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

Editing Command Lines that Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.
Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin, include, or exclude, and an expression that you want to search for or filter out:
command | {begin | include | exclude} regular-expression
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.
This example shows how to include in the output display only lines where the expression protocol appears:
Switch# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/17 is up, line protocol is down
GigabitEthernet0/20 is up, line protocol is up

Accessing the CLI

Before you can access the CLI, you need to connect a terminal or PC to the switch service port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.”
If your switch is already configured, you can access the CLI through a local service connection or through a remote Telnet session, but your switch must first be configured for this type of access. For more information, see the “Setting a Telnet Password for a Terminal Line” section on page 5-5.
You can establish a connection with the switch by either
• Connecting the switch service port to a management station or dial-up modem. For information about connecting to the service port, see the switch hardware installation guide.
• Using any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured.
  For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 5-5. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.
  For information about configuring the switch for SSH, see the “Configuring the Switch for Secure Shell” section on page 5-32. The switch supports up to five simultaneous secure SSH sessions.
After you connect through the service port, or through a Telnet session, or through an SSH session, the user EXEC prompt appears on the management station.

CHAPTER 3

Assigning the Switch IP Address and Default Gateway

This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) for the Cisco Systems Intelligent Gigabit Ethernet Switch Module.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP and IP Routing Command Reference, Release 12.1.
This chapter consists of these sections:
Understanding the Boot Process, page 3-1
Assigning Switch Information, page 3-2
Checking and Saving the Running Configuration, page 3-4
Modifying the Startup Configuration, page 3-6
Scheduling a Reload of the Software Image, page 3-11

Understanding the Boot Process

Before you can assign switch information (IP address, subnet mask, default gateway, secret and Telnet passwords, and so forth), you need to install and power on the switch as described in the hardware installation guide that shipped with your switch.
The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.
• Initializes the flash file system on the system board.
• Loads a default operating system software image into memory and boots the switch.
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power on.
The boot loader also provides trap-door access into the system if the operating system has problems so serious that it cannot be used. The trap-door mechanism provides enough access to the system so that if it is necessary, you can format the flash file system, re-install the operating system software image by using the XMODEM Protocol, recover from a lost or forgotten password, and finally restart the operating system.

Assigning Switch Information

Use the BladeCenter Management Module web page to assign IP information to the switch. For more information, see the IBM BladeCenter QuickStart Guide.
If the switch reboots, the switch uses the IP address, subnet mask, and gateway configured in the stored-configuration file.
This section has this configuration information:
Default Switch Information, page 3-2
Manually Assigning IP Information, page 3-3

Default Switch Information

Table 3-1 shows the default switch information.
Table 3-1 Default Switch Information
Feature
    Default Setting
IP address and subnet mask
    10.10.10.9x, where x is the slot number of the switch in the BladeCenter chassis. Subnet mask 255.255.255.0.
Default gateway
    No default gateway is defined.
Enable secret password
    No password is defined.
Hostname
    The factory-assigned default host name is Switch.
Telnet username
    USERID. You must use all uppercase letters.
Telnet password
    PASSW0RD. (Note that 0 is the number zero. You must use all uppercase letters.)

Manually Assigning IP Information

You can configure multiple IP addresses for a switch. Each IP address and its subnet mask must be unique and belong to different subnets. You cannot configure IP addresses that cross other subnets on the switch. Each IP address must be assigned to a different VLAN interface. The switch can be managed from any valid IP address.
Because the switch is inside the IBM BladeCenter Chassis, you need to consider some special circumstances before assigning IP addresses. The chassis management module acts as the IP proxy for the switch if the IP address of the switch and the primary VLAN interface is in the same subnet as the chassis management module. The chassis management module then carries the switch management traffic (SNMP, HTML, FTP, Telnet).
Because there can be multiple VLAN interfaces on a switch at a given time, you need to designate one VLAN interface as the primary VLAN interface. The primary VLAN interface is known as the management VLAN. The management VLAN configuration has the keyword management associated with it. Only one VLAN interface can be configured as the management VLAN at a given time.
The management VLAN has special behaviors on the switch. The management VLAN communicates with the chassis management module. The management VLAN is always the native VLAN on the Ethernet interfaces that directly connect to the chassis management module. When the chassis management module assigns an IP address to the switch, the switch applies it to the management VLAN. When the switch receives an IP address update request from the chassis management module, the switch overwrites any IP address that is configured on the management VLAN interface. The VLAN interface configured as the management VLAN cannot be placed into the shutdown state.
If the switch is managed with a single IP address, we highly recommend that the chassis management module assign the IP address to the switch. The switch IP address is configured on the chassis management module web page. If the switch is managed by multiple IP addresses, we still recommend that the chassis management module assign the IP address to the switch for the management VLAN. Any additional IP addresses that you may want must be configured from the CLI.
Changing the management VLAN does not require modifying the configured IP address even if the IP address is assigned by the chassis management module. The IP address of the current management VLAN is automatically copied by the switch when the new VLAN interface is created and designated as the management VLAN. To change the management VLAN, create an additional VLAN interface, and then enter the management command on that VLAN interface. The switch automatically copies the IP address.
Assign additional IP addresses that are needed for switch management to VLAN interfaces other than the management VLAN interface.
Note: The IP addresses that are assigned to multiple VLAN interfaces must be in different subnets. The switch does not allow two or more VLAN interfaces to have IP addresses in the same subnet.
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to a VLAN interface and then to designate that VLAN interface as the management VLAN:
Step / Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface vlan vlan-id
        Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094.
Step 3  ip address ip-address subnet-mask
        Enter the IP address and subnet mask.
Step 4  management
        Enable the VLAN interface as the management VLAN.
Step 5  exit
        Return to global configuration mode.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show interfaces vlan vlan-id
        Verify the configured IP address.
Step 8  show ip redirects
        Verify the configured default gateway.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove the switch IP address, use the no ip address interface configuration command. If you are removing the address through a Telnet session, your connection to the switch will be lost. To remove the default gateway address, use the no ip default-gateway global configuration command.
Note: The no ip address interface configuration command is not supported on the management VLAN.
For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 4, “Administering the Switch.”

Checking and Saving the Running Configuration

You can check the configuration settings you entered or changes that you made by entering the show running-config privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration : 5277 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
username USERID privilege 15 password 0 PASSW0RD
username USERID1 privilege 15 password 0 PASSWORD
ip subnet-zero
!
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
vlan 2
 name operational
!
interface GigabitEthernet0/1
 description blade1
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
 storm-control broadcast level 99.99 99.98
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 description blade2
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
 ip access-group SecWiz_Gi0_2_in_ip in
 spanning-tree bpdufilter enable
!
. . .
!
interface GigabitEthernet0/15
 description mgmt1
 switchport trunk allowed vlan 1
 switchport mode trunk
 ip access-group SecWiz_Gi0_1_out_ip in
 spanning-tree cost 100
!
interface GigabitEthernet0/16
 description mgmt2
 switchport trunk allowed vlan 1
 switchport mode trunk
 ip access-group SecWiz_Gi0_1_out_ip in
 spanning-tree cost 100
!
interface GigabitEthernet0/17
 description extern1
 switchport access vlan 2
 switchport trunk native vlan 2
 ip access-group SecWiz_Gi0_1_out_ip in
!
interface GigabitEthernet0/18
 description extern2
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 ip access-group SecWiz_Gi0_1_out_ip in
!
interface GigabitEthernet0/19
 description extern3
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 ip access-group SecWiz_Gi0_1_out_ip in
!
interface GigabitEthernet0/20
 description extern4
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 ip access-group SecWiz_Gi0_1_out_ip in
 speed 1000
!
interface Vlan1
 ip address 172.20.138.185 255.255.255.240
 no ip route-cache
 management
!
ip default-gateway 172.20.138.178
ip http server
!
ip access-list extended SecWiz_Gi0_1_out_ip
ip access-list extended SecWiz_Gi0_2_in_ip
 deny ip any host 1.1.1.1
 permit ip any any
!
snmp-server community public RO
snmp-server community private RW
!
line con 0
 login local
line vty 0 4
 login local
line vty 5 15
 login local
!
end
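A configuration review of the show running-config output above, as an added example that is not part of this guide or of Cisco or IBM code: it flags the lines that leave management access exposed (cleartext passwords, the factory login from Table 3-1, well-known SNMP community strings, the HTTP server, and a missing enable secret). The audit function, the rule names and the sample excerpt are constructed for illustration.

```python
import re

# Constructed sample: selected lines from the running-config listing in this section.
SAMPLE_CONFIG = """\
version 12.1
no service password-encryption
hostname Switch
username USERID privilege 15 password 0 PASSW0RD
username USERID1 privilege 15 password 0 PASSWORD
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 login local
end
"""

DEFAULT_LOGINS = {("USERID", "PASSW0RD")}    # factory Telnet login from Table 3-1
DEFAULT_COMMUNITIES = {"public", "private"}  # widely known SNMP community strings

USER_RE = re.compile(
    r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))? "
    r"password (?:(?P<ptype>\d) )?(?P<value>\S+)$"
)
SNMP_RE = re.compile(r"^snmp-server community (?P<name>\S+)(?: (?P<access>RO|RW))?")


def audit(config_text):
    """Return sorted (line_number, rule, detail) findings; line 0 means whole file."""
    findings = []
    has_enable_secret = False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("enable secret "):
            has_enable_secret = True
        elif line == "no service password-encryption":
            findings.append((number, "NO-PASSWORD-ENCRYPTION",
                             "passwords are written to the configuration as typed"))
        elif line == "ip http server":
            findings.append((number, "HTTP-SERVER",
                             "web management is served over unencrypted HTTP"))
        elif (user := USER_RE.match(line)):
            name, value = user["user"], user["value"]
            # Type 0 (or no type digit) means the password is stored in cleartext.
            if user["ptype"] in (None, "0"):
                findings.append((number, "CLEARTEXT-PASSWORD",
                                 f"user {name}, privilege {user['priv'] or 'default'}"))
                # Exact match only: PASSW0RD (zero) is the default, PASSWORD is not.
                if (name, value) in DEFAULT_LOGINS:
                    findings.append((number, "DEFAULT-CREDENTIAL",
                                     f"user {name} still has the factory password"))
        elif (snmp := SNMP_RE.match(line)):
            if snmp["name"] in DEFAULT_COMMUNITIES:
                access = snmp["access"] or "access not stated"
                findings.append((number, "SNMP-DEFAULT-COMMUNITY",
                                 f"{snmp['name']} ({access})"))
    if not has_enable_secret:
        findings.append((0, "NO-ENABLE-SECRET", "no enable secret line present"))
    return sorted(findings)


if __name__ == "__main__":
    for number, rule, detail in audit(SAMPLE_CONFIG):
        where = f"line {number}" if number else "global"
        print(f"{where:>8}  {rule:<24} {detail}")
```

Run it against a saved copy of the full output rather than the excerpt to review every username and community line on the switch.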
To store the configuration or changes you have made to your startup configuration in flash memory, enter the copy running-config startup-config privileged EXEC command. This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system. To display information stored in the NVRAM section of flash memory, use the show startup-config or more startup-config privileged EXEC command.
Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”

Modifying the Startup Configuration

This section describes how to modify the switch startup configuration. It contains this configuration information:
Default Boot Configuration, page 3-7
Specifying the Filename to Read and Write the System Configuration, page 3-7
Booting a Specific Software Image, page 3-8
Controlling Environment Variables, page 3-8

Default Boot Configuration

Table 3-2 shows the default boot configuration.
Table 3-2 Default Boot Configuration
Feature
    Default Setting
Operating system software image
    The switch attempts to automatically boot the system using information in the BOOT environment variable. If the variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
    The software image is stored in a directory that has the same name as the image file (excluding the .bin extension).
    In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Configuration file
    Configured switches use the config.text file stored on the system board in flash memory.
    A new switch has no configuration file.

Specifying the Filename to Read and Write the System Configuration

By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename that is loaded during the next boot cycle.
Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename:
Step / Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  boot config-file flash:/file-url
        Specify the configuration file to load during the next boot cycle.
        For file-url, specify the path (directory) and the configuration filename.
        Filenames and directory names are case sensitive.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show boot
        Verify your entries.
        The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return to the default setting, use the no boot config-file global configuration command.

Booting a Specific Software Image

By default, the switch attempts to automatically boot the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory. However, you can specify a specific image to boot.
Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle:
Step / Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  boot system filesystem:/file-url
        Configure the switch to boot a specific image in flash memory during the next boot cycle.
        For filesystem:, use flash: for the system board flash device.
        For file-url, specify the path (directory) and the name of the bootable image.
        Filenames and directory names are case sensitive.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show boot
        Verify your entries.
        The boot system global command changes the setting of the BOOT environment variable.
        During the next boot cycle, the switch attempts to automatically boot the system using information in the BOOT environment variable.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return to the default setting, use the no boot system global configuration command.

Controlling Environment Variables

With a normally operating switch, you enter the boot loader mode only through a service port connection at 9600 bps. Use the BladeCenter management application to restart the switch. When the switch restarts, send ESC sequence characters to the service port to stop the autoboot.
You should then see the boot loader Switch: prompt. The boot loader performs low-level CPU initialization, performs POST, and loads a default operating system image into memory.
The switch boot loader software provides support for nonvolatile environment variables, which can be used to control how the boot loader, or any other software running on the system, behaves. Boot loader environment variables are similar to environment variables that can be set on UNIX or DOS systems.
Environment variables that have values are stored in the flash file system in various files as shown in Table 3-3.
Table 3-3 Environment Variables Storage Location
Environment Variable
    Location (file system:filename)
BAUD, ENABLE_BREAK, CONFIG_BUFSIZE, CONFIG_FILE, MANUAL_BOOT, PS1
    flash:env_vars
BOOT, BOOTHLPR, HELPER, HELPER_CONFIG_FILE
    flash:system_env_vars
Each line in these files contains an environment variable name and an equal sign followed by the value of the variable. A variable has no value if it is not listed in this file; it has a value if it is listed in the file even if the value is a null string. A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables are predefined and have default values.
Environment variables store two kinds of data:
• Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
• Data that controls code, which is responsible for reading the Cisco IOS configuration file. For example, the name of the Cisco IOS configuration file can be stored as an environment variable.
You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. It is not necessary to alter the setting of the environment variables.
Note: For complete syntax and usage information for the boot loader commands and environment variables, see the command reference for this release.
Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable / Boot Loader Command / Cisco IOS Global Configuration Command

MANUAL_BOOT
    Boot loader command: set MANUAL_BOOT yes
        Decides whether the switch automatically or manually boots.
        Valid values are 1, yes, 0, and no. If it is set to no or 0, the boot loader attempts to automatically boot the system. If it is set to anything else, you must manually boot the switch from the boot loader mode.
    Cisco IOS global configuration command: boot manual
        Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable.
        The next time you reboot the system, the switch is in boot loader mode. To boot the system, use the boot flash:filesystem:/file-url boot loader command, and specify the name of the bootable image.

BOOT
    Boot loader command: set BOOT filesystem:/file-url ...
        A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not set, the system attempts to load and execute the first executable image it can find by using a recursive, depth-first search through the flash file system. If the BOOT variable is set but the specified images cannot be loaded, the system attempts to boot the first bootable file that it can find in the flash file system.
    Cisco IOS global configuration command: boot system filesystem:/file-url
        Specifies the software image to load during the next boot cycle. This command changes the setting of the BOOT environment variable.

CONFIG_FILE
    Boot loader command: set CONFIG_FILE flash:/file-url
        Changes the filename that the software uses to read and write a nonvolatile copy of the system configuration.
    Cisco IOS global configuration command: boot config-file flash:/file-url
        Specifies the filename that the software uses to read and write a nonvolatile copy of the system configuration. This command changes the CONFIG_FILE environment variable.

CONFIG_BUFSIZE
    Boot loader command: set CONFIG_BUFSIZE size
        Changes the buffer size that the software uses to hold a copy of the configuration file in memory. The configuration file cannot be larger than the buffer size allocation. The range is from 4096 to 524288 bytes.
    Cisco IOS global configuration command: boot buffersize size
        Specifies the size of the file system-simulated NVRAM in flash memory. The buffer holds a copy of the configuration file in memory. This command changes the setting of the CONFIG_BUFSIZE environment variable.
        You must reload the switch by using the reload privileged EXEC command for this command to take effect.
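The boot decision from Table 3-4 combined with the depth-first search described under "Booting a Specific Software Image", as an added example that is not code from this guide or from the switch software: given the stored variables and a flash listing, it reports which image the next boot cycle would load, so a BOOT value that no longer matches a file is caught before a reload. The flash listing, file names and variable values are constructed; treating .bin files as executable images, trying BOOT entries in order, treating a missing file as "cannot be loaded", and treating an unset MANUAL_BOOT as automatic are assumptions.

```python
# Constructed flash listing: directories are dicts, files map to None.
# Entry order stands in for the order the boot loader meets them (assumption).
FLASH = {
    "config.text": None,
    "archive": {"staging": {"unreviewed.bin": None}},
    "image-a": {"image-a.bin": None, "html": {"index.htm": None}},
}

# Constructed contents of the two files named in Table 3-3.
ENV_VARS = "MANUAL_BOOT=no\nCONFIG_FILE=flash:/config.text\n"
SYSTEM_ENV_VARS = "BOOT=flash:/image-b/image-b.bin;flash:/image-a/image-a.bin\n"


def parse_env(text):
    """Parse name=value lines. A listed name with an empty value is still set."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            env[name.strip()] = value.strip()
    return env


def walk(tree, prefix="flash:"):
    """Yield file paths depth-first: each subdirectory is searched completely
    before the walk continues with the next entry of its parent directory."""
    for name, child in tree.items():
        path = f"{prefix}/{name}"
        if isinstance(child, dict):
            yield from walk(child, path)
        else:
            yield path


def resolve_boot(env, flash):
    """Return (reason, image) describing what the next boot cycle would load."""
    manual = env.get("MANUAL_BOOT")
    # Table 3-4 read literally: only "no" or "0" mean automatic boot, so any
    # other value, including a null string, means manual boot.
    if manual is not None and manual not in ("no", "0"):
        return ("manual", None)
    files = list(walk(flash))
    # BOOT is a semicolon-separated list; names are compared case-sensitively.
    for candidate in filter(None, env.get("BOOT", "").split(";")):
        if candidate in files:
            return ("boot-variable", candidate)
    # BOOT unset, or none of its entries exist: first image found by the search.
    first = next((path for path in files if path.endswith(".bin")), None)
    if first is None:
        return ("no-image", None)
    reason = "fallback-search" if "BOOT" in env else "search"
    return (reason, first)


if __name__ == "__main__":
    env = parse_env(ENV_VARS + SYSTEM_ENV_VARS)
    print(resolve_boot(env, FLASH))
```

A "fallback-search" or "search" result is the case to review: the image that boots is whichever one the directory order reaches first, not necessarily the intended one.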

Scheduling a Reload of the Software Image

You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
Note: A scheduled reload must take place within approximately 24 days.

Configuring a Scheduled Reload

To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode:
• reload in [hh:]mm [text]
This command schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days. You can specify the reason for the reload in a string up to 255 characters in length.
• reload at hh:mm [month day | day month] [text]
This command schedules a reload of the software to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reload is scheduled to take place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight.
Note: Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized with NTP.
The reload command halts the system. If the system is not set to manually boot, it reboots itself. Use the reload command after you save the switch configuration information to the startup configuration (copy running-config startup-config).
If your switch is configured for manual booting, do not reload it from a virtual terminal. This restriction prevents the switch from entering the boot loader mode and thereby taking it from the remote user’s control.
If you modify your configuration file, the switch prompts you to save the configuration before reloading. During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. If you proceed in this situation, the system enters setup mode upon reload.
This example shows how to reload the software on the switch on the current day at 7:30 p.m.:
Switch# reload at 19:30
Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
Proceed with reload? [confirm]
This example shows how to reload the software on the switch at a future time:
Switch# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.

Displaying Scheduled Reload Information

To display information about a previously scheduled reload or to determine if a reload has been scheduled on the switch, use the show reload privileged EXEC command.
It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).

Chapter 4 Administering the Switch

This chapter describes how to perform one-time operations to administer your Cisco Systems Intelligent Gigabit Ethernet Switch Module. This chapter consists of these sections:
• Managing the System Time and Date
• Configuring a System Name and Prompt
• Creating a Banner
• Managing the MAC Address Table
• Managing the ARP Table

Managing the System Time and Date

You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS, Release 12.1.
This section contains this configuration information:
• Understanding the System Clock
• Understanding Network Time Protocol
• Configuring NTP
• Configuring Time and Date Manually

Understanding the System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
The system clock can then be set from these sources:
• Network Time Protocol
• Manual configuration
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section on page 4-10.

Understanding Network Time Protocol

NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
Figure 4-1 shows a typical network example using NTP.
Figure 4-1 Typical NTP Network Configuration
[Figure labels: Local workgroup servers; Catalyst 2950, 2955, or 3550 switch; Catalyst 6500 series switch (NTP master)]
These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

Configuring NTP

The switch does not have a hardware-supported clock, and it cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
This section contains this configuration information:
• Default NTP Configuration
• Configuring NTP Authentication
• Configuring NTP Associations
• Configuring NTP Broadcast Service
• Configuring NTP Access Restrictions
• Configuring the Source IP Address for NTP Packets
• Displaying the NTP Configuration
Default NTP Configuration
Table 4-1 shows the default NTP configuration.
Table 4-1 Default NTP Configuration
Feature                          Default Setting
NTP authentication               Disabled. No authentication key is specified.
NTP peer or server associations  None configured.
NTP broadcast service            Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions          No access control is specified.
NTP packet source IP address     The source address is determined by the outgoing interface.
NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  ntp authenticate
    Purpose: Enable the NTP authentication feature, which is disabled by default.
Step 3  ntp authentication-key number md5 value
    Purpose: Define the authentication keys. By default, none are defined.
    • For number, specify a key number. The range is 1 to 4294967295.
    • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
    • For value, enter an arbitrary string of up to eight characters for the key.
    The switch does not synchronize to a device unless both have one of these authentication keys, and the key number is specified by the ntp trusted-key key-number command.
Step 4  ntp trusted-key key-number
    Purpose: Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this switch to synchronize to it.
    By default, no trusted keys are defined.
    For key-number, specify the key defined in Step 3.
    This command provides protection against accidentally synchronizing the switch to a device that is not trusted.
Step 5  end
    Purpose: Return to privileged EXEC mode.
Step 6  show running-config
    Purpose: Verify your entries.
Step 7  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command. To disable authentication of the identity of a device, use the no ntp trusted-key key-number global configuration command.
This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets:
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
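The acceptance decision that the three commands in the example above set up can be modelled as follows. This is an added example, not code from this guide or from Cisco IOS; it assumes the keyed-MD5 authenticator layout of the reference NTP implementation (a 32-bit key ID followed by the MD5 digest of the key concatenated with the 48-byte header), and every packet in it is constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header that precedes the authenticator
MAC_LEN = 4 + 16     # 32-bit key ID + 128-bit MD5 digest (assumed layout)


def build_header(version=3, mode=4, stratum=2):
    """Constructed NTP header: LI=0, given version/mode/stratum, zero timestamps."""
    first_byte = (version << 3) | mode
    return struct.pack("!BBbb", first_byte, stratum, 6, -20) + bytes(HEADER_LEN - 4)


def digest(key, header):
    # Keyed MD5: hash of the shared key followed by the header bytes.
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Sender side: append the key ID and the digest to the header."""
    return header + struct.pack("!I", key_id) + digest(key, header)


def verify(packet, keys, trusted):
    """Receiver side. 'keys' models ntp authentication-key entries and
    'trusted' models ntp trusted-key entries. Returns (accepted, reason)."""
    if len(packet) == HEADER_LEN:
        return False, "no authenticator"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "malformed authenticator"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted:
        return False, "key not trusted"
    if key_id not in keys:
        return False, "key not defined"
    # Constant-time comparison of the recomputed digest with the received one.
    if not hmac.compare_digest(digest(keys[key_id], header), mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


# Switch-side state after the three commands in the example above.
SWITCH_KEYS = {42: b"aNiceKey"}
SWITCH_TRUSTED = {42}


def demo():
    """Run five constructed packets through the receiver-side check."""
    hdr = build_header()
    tampered = bytearray(sign(hdr, 42, b"aNiceKey"))
    tampered[1] = 1   # stratum rewritten in transit, digest left unchanged
    cases = {
        "server with key 42": sign(hdr, 42, b"aNiceKey"),
        "no authenticator": hdr,
        "key 7, not trusted here": sign(hdr, 7, b"otherKey"),
        "key 42, wrong secret": sign(hdr, 42, b"aNiceKeX"),
        "stratum altered": bytes(tampered),
    }
    return {name: verify(pkt, SWITCH_KEYS, SWITCH_TRUSTED)
            for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

Only the first packet is accepted; the other four fail at a different stage of the check, which is the distinction between defining a key and trusting it.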
Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
    or
    ntp server ip-address [version number] [key keyid] [source interface] [prefer]
    Purpose: Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
    or
    Configure the switch system clock to be synchronized by a time server (server association).
    No peer or server associations are defined by default.
    • For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.
    • (Optional) For number, specify the NTP version number. The range is 1 to 3. By default, version 3 is selected.
    • (Optional) For keyid, enter the authentication key defined with the ntp authentication-key global configuration command.
    • (Optional) For interface, specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.
    • (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.
Step 3  end
    Purpose: Return to privileged EXEC mode.
Step 4  show running-config
    Purpose: Verify your entries.
Step 5  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association. If you are using the default NTP version (version 3) and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.
To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address global configuration command.
This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP version 2:
Switch(config)# ntp server 172.16.22.44 version 2
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock. This section has procedures for both sending and receiving NTP broadcast packets.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  interface interface-id
    Purpose: Specify the interface to send NTP broadcast packets, and enter interface configuration mode.
Step 3  ntp broadcast [version number] [key keyid] [destination-address]
    Purpose: Enable the interface to send NTP broadcast packets to a peer.
    By default, this feature is disabled on all interfaces.
    • (Optional) For number, specify the NTP version number. The range is 1 to 3. If you do not specify a version, version 3 is used.
    • (Optional) For keyid, specify the authentication key to use when sending packets to the peer.
    • (Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this switch.
Step 4  end
    Purpose: Return to privileged EXEC mode.
Step 5  show running-config
    Purpose: Verify your entries.
Step 6  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
Step 7  Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
This example shows how to configure a port to send NTP version 2 packets:
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# ntp broadcast version 2
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  interface interface-id
    Purpose: Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3  ntp broadcast client
    Purpose: Enable the interface to receive NTP broadcast packets.
    By default, no interfaces receive NTP broadcast packets.
Step 4  exit
    Purpose: Return to global configuration mode.
Step 5  ntp broadcastdelay microseconds
    Purpose: (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server.
    The default is 3000 microseconds; the range is 1 to 999999.
Step 6  end
    Purpose: Return to privileged EXEC mode.
Step 7  show running-config
    Purpose: Verify your entries.
Step 8  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.
This example shows how to configure a port to receive NTP broadcast packets:
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# ntp broadcast client
Configuring NTP Access Restrictions
You can control NTP access on two levels as described in these sections:
• Creating an Access Group and Assigning a Basic IP Access List
• Disabling NTP Services on a Specific Interface
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  ntp access-group {query-only | serve-only | serve | peer} access-list-number
    Purpose: Create an access group, and apply a basic IP access list.
    The keywords have these meanings:
    • query-only—Allows only NTP control queries.
    • serve-only—Allows only time requests.
    • serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize to the remote device.
    • peer—Allows time requests and NTP control queries and allows the switch to synchronize to the remote device.
    For access-list-number, enter a standard IP access list number from 1 to 99.
Step 3  access-list access-list-number permit source [source-wildcard]
    Purpose: Create the access list.
    • For access-list-number, enter the number specified in Step 2.
    • Enter the permit keyword to permit access if the conditions are matched.
    • For source, enter the IP address of the device that is permitted access to the switch.
    • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
    Note: When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 4  end
    Purpose: Return to privileged EXEC mode.
Step 5  show running-config
    Purpose: Verify your entries.
Step 6  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
The access group keywords are scanned in this order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.
3. serve-only—Allows only time requests from a device whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. However, the switch restricts access to allow only time requests from access list 42:
Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
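The scan order and first-match rule described above decide which access type a given source address receives. The following added example (not code from this guide or from Cisco IOS) evaluates that rule against the configuration shown above and against a constructed variant in which list 42 also permits the whole 172.20.130.0 subnet; the function names are hypothetical, and only permit entries of standard access lists are modelled.

```python
import ipaddress

# Order in which the access-group keywords are scanned, per the list above.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# Configuration from the example above.
PAGE_CONFIG = """\
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
"""

# Constructed variant: list 42 additionally permits the whole /24,
# so 172.20.130.5 now matches both list 99 and list 42.
WIDE_CONFIG = PAGE_CONFIG + "access-list 42 permit 172.20.130.0 0.0.0.255\n"


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_config(config):
    """Collect ntp access-group bindings and standard access-list permit entries."""
    groups, acls = {}, {}
    for line in config.splitlines():
        words = line.split()
        if (len(words) == 4 and words[:2] == ["ntp", "access-group"]
                and words[2] in SCAN_ORDER):
            groups[words[2]] = int(words[3])
        elif len(words) in (4, 5) and words[0] == "access-list" and words[2] == "permit":
            wildcard = ip_to_int(words[4]) if len(words) == 5 else 0
            acls.setdefault(int(words[1]), []).append((ip_to_int(words[3]), wildcard))
    return groups, acls


def acl_permits(entries, source):
    """Standard ACL match: bits set in the wildcard are ignored.
    Falling off the end of the list is the implicit deny."""
    src = ip_to_int(source)
    for address, wildcard in entries:
        if ((src ^ address) & ~wildcard & 0xFFFFFFFF) == 0:
            return True
    return False


def granted_access(source, groups, acls):
    """Return the access type granted to 'source', 'all' when no access
    group is configured, or None when every configured list denies it."""
    if not groups:
        return "all"
    for keyword in SCAN_ORDER:
        number = groups.get(keyword)
        # A bound but undefined list is treated as matching nothing
        # (an assumption of this sketch).
        if number is not None and acl_permits(acls.get(number, []), source):
            return keyword
    return None


def report(config, sources):
    groups, acls = parse_config(config)
    return {src: granted_access(src, groups, acls) for src in sources}


if __name__ == "__main__":
    probes = ["172.20.130.5", "172.20.130.6", "172.20.130.77", "10.1.1.1"]
    for label, cfg in (("page config", PAGE_CONFIG), ("wide config", WIDE_CONFIG)):
        for src, access in report(cfg, probes).items():
            print(f"{label:12} {src:15} -> {access}")
```

With the wider list, 172.20.130.5 still receives peer access because peer is scanned first, while every other host on the subnet is limited to time requests.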
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default.
Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  interface interface-id
    Purpose: Enter interface configuration mode, and specify the interface to disable.
Step 3  ntp disable
    Purpose: Disable NTP packets from being received on the interface.
    By default, all interfaces receive NTP packets.
Step 4  end
    Purpose: Return to privileged EXEC mode.
Step 5  show running-config
    Purpose: Verify your entries.
Step 6  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.
Configuring the Source IP Address for NTP Packets
When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  ntp source type number
    Purpose: Specify the interface type and number from which the IP source address is taken.
    By default, the source address is determined by the outgoing interface.
Step 3  end
    Purpose: Return to privileged EXEC mode.
Step 4  show running-config
    Purpose: Verify your entries.
Step 5  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations” section on page 4-5.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS, Release 12.1.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock.
This section contains this configuration information:
• Setting the System Clock
• Displaying the Time and Date Configuration
• Configuring the Time Zone
• Configuring Summer Time (Daylight Saving Time)
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1  clock set hh:mm:ss day month year
    or
    clock set hh:mm:ss month day year
    Purpose: Manually set the system clock using one of these formats.
    • For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
    • For day, specify the day by date in the month.
    • For month, specify the month by name.
    • For year, specify the year (no abbreviation).
Step 2  show running-config
    Purpose: Verify your entries.
Step 3  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
Switch# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command.
The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.
The symbol that precedes the show clock display has this meaning:
• *—Time is not authoritative.
• (blank)—Time is authoritative.
• .—Time is authoritative, but NTP is not synchronized.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  clock timezone zone hours-offset [minutes-offset]
    Purpose: Set the time zone.
    The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
    • For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
    • For hours-offset, enter the hours offset from UTC.
    • (Optional) For minutes-offset, enter the minutes offset from UTC.
Step 3  end
    Purpose: Return to privileged EXEC mode.
Step 4  show running-config
    Purpose: Verify your entries.
Step 5  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.
To set the time to UTC, use the no clock timezone global configuration command.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  configure terminal
    Purpose: Enter global configuration mode.
Step 2  clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
    Purpose: Configure summer time to start and end on the specified days every year.
    Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
    • For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
    • (Optional) For week, specify the week of the month (1 to 5 or last).
    • (Optional) For day, specify the day of the week (Sunday, Monday...).
    • (Optional) For month, specify the month (January, February...).
    • (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
    • (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3  end
    Purpose: Return to privileged EXEC mode.
Step 4  show running-config
    Purpose: Verify your entries.
Step 5  copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Command Purpose
Step 1
Step 2
configure terminal Enter global configuration mode.
clock summer-time zone date [month
date year hh:mm month date year hh:mm [offset]]
or
clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
Step 3
Step 4
Step 5
end Return to privileged EXEC mode.
show running-config Verify your entries.
copy running-config startup-config (Optional) Save your entries in the configuration file.

Configuring a System Name and Prompt

Configure summer time to start on the first date and end on the second date.
Summer time is disabled by default.
For zone, specify the name of the time zone (for example, PDT) to be
displayed when summer time is in effect.
(Optional) For week, specify the week of the month (1 to 5 or last).
(Optional) For day, specify the day of the week (Sunday, Monday...).
(Optional) For month, specify the month (January, February...).
(Optional) For hh:mm, specify the time (24-hour format) in hours and
minutes.
(Optional) For offset, specify the number of minutes to add during
summer time. The default is 60.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
To disable summer time, use the no clock summer-time global configuration command.
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:
Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch.
If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference for Cisco IOS Release 12.1.
This section contains this configuration information:
Default System Name and Prompt Configuration, page 4-14
Configuring a System Name, page 4-14
Understanding DNS, page 4-14

Default System Name and Prompt Configuration

The default switch system name and prompt is Switch.

Configuring a System Name

Beginning in privileged EXEC mode, follow these steps to manually configure a system name:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: hostname name
        Purpose: Manually configure a system name.
        The default setting is switch.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
When you set the system name, it is also used as the system prompt.
To return to the default hostname, use the no hostname global configuration command.

Understanding DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses. When you configure DNS on your switch, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, IBM is a commercial organization that IP identifies by a com domain name, so its domain name is ibm.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.ibm.com.
The name must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names, specify the name server that is present on your network, and enable the DNS.
This section contains this configuration information:
Default DNS Configuration, page 4-15
Setting Up DNS, page 4-15
Displaying the DNS Configuration, page 4-16

Default DNS Configuration

Table 4-2 shows the default DNS configuration.
Table 4-2 Default DNS Configuration
Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.

Setting Up DNS

Beginning in privileged EXEC mode, follow these steps to set up your switch to use the DNS:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ip domain-name name
        Purpose: Define a default domain name that the software uses to complete unqualified host names (names without a dotted-decimal domain name).
        Do not include the initial period that separates an unqualified name from the domain name.
        At boot time, no domain name is configured.
Step 3  Command: ip name-server server-address1 [server-address2 ... server-address6]
        Purpose: Specify the address of one or more name servers to use for name and address resolution.
        You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
Step 4  Command: ip domain-lookup
        Purpose: (Optional) Enable DNS-based host name-to-address translation on your switch.
        This feature is enabled by default.
        If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Step 5  Command: end
        Purpose: Return to privileged EXEC mode.
Step 6  Command: show running-config
        Purpose: Verify your entries.
Step 7  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the software looks up the IP address without appending any default domain name to the hostname.
To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the switch, use the no ip domain-lookup global configuration command.

Displaying the DNS Configuration

To display the DNS configuration information, use the show running-config privileged EXEC command.

Creating a Banner

You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).
The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS, Release 12.1.
This section contains this configuration information:
Default Banner Configuration, page 4-16
Configuring a Message-of-the-Day Login Banner, page 4-16
Configuring a Login Banner, page 4-18

Default Banner Configuration

The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: banner motd c message c
        Purpose: Specify the message of the day.
        For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
        For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To delete the MOTD banner, use the no banner motd global configuration command.
This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter:
Switch(config)# banner motd # This is a secure site. Only authorized users are allowed. For access, contact technical support. #
Switch(config)#
This example shows the banner displayed from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed. For access, contact technical support.
User Access Verification
Password:

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: banner login c message c
        Purpose: Specify the login message.
        For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
        For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To delete the login banner, use the no banner login global configuration command.
This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter:
Switch(config)# banner login $ Access for authorized users only. Please enter your username and password. $
Switch(config)#

Managing the MAC Address Table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:
Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
Static address: a manually entered unicast or multicast address that does not age and that is not lost when the switch resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address.
Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
This section contains this configuration information:
Building the Address Table, page 4-19
MAC Addresses and VLANs, page 4-19
Default MAC Address Table Configuration, page 4-20
Changing the Address Aging Time, page 4-20
Removing Dynamic Address Entries, page 4-20
Configuring MAC Address Notification Traps, page 4-21
Adding and Removing Static Address Entries, page 4-23
Displaying Address Table Entries, page 4-24

Building the Address Table

With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use.
The aging interval is configured on a per-switch basis. However, the switch maintains an address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis.
The switch sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port or ports associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked for errors before transmission.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN. Addresses that are statically entered in one VLAN must be configured as static addresses in all other VLANs or remain unlearned in the other VLANs.

Default MAC Address Table Configuration

Table 4-3 shows the default MAC address table configuration.
Table 4-3 Default MAC Address Table Configuration
Feature            Default Setting
Aging time         300 seconds
Dynamic addresses  Automatically learned
Static addresses   None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. The aging time parameter defines how long the switch retains unseen addresses. This parameter applies to all VLANs.
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: mac address-table aging-time [0 | 10-1000000]
        Purpose: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
        The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show mac address-table aging-time
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To return to the default value, use the no mac address-table aging-time global configuration command.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged EXEC command.

Configuring MAC Address Notification Traps

MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Purpose: Specify the recipient of the trap message.
        For host-addr, specify the name or address of the NMS.
        Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.
        Specify the SNMP version to support. Version 1, the default, is not available with informs.
        For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.
        For notification-type, use the mac-notification keyword.
Step 3  Command: snmp-server enable traps mac-notification
        Purpose: Enable the switch to send MAC address traps to the NMS.
Step 4  Command: mac address-table notification
        Purpose: Enable the MAC address notification feature.
Step 5  Command: mac address-table notification [interval value] | [history-size value]
        Purpose: Enter the trap interval time and the history table size.
        (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
        (Optional) For history-size value, specify the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.
Step 6  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface on which to enable the SNMP MAC address notification trap.
Step 7  Command: snmp trap mac-notification {added | removed}
        Purpose: Enable the MAC address notification trap.
        Enable the MAC notification trap whenever a MAC address is added on this interface.
        Enable the MAC notification trap whenever a MAC address is removed from this interface.
Step 8  Command: end
        Purpose: Return to privileged EXEC mode.
Step 9  Command: show mac address-table notification interface
        show running-config
        Purpose: Verify your entries.
Step 10 Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command. To disable the MAC address notification traps on a specific interface, use the no snmp trap mac-notification {added | removed} interface configuration command. To disable the MAC address notification feature, use the no mac address-table notification global configuration command.
This example shows how to specify 172.20.10.10 as the NMS, enable the switch to send MAC address notification traps to the NMS, enable the MAC address notification feature, set the interval time to 60 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port.
Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface fastethernet0/4
Switch(config-if)# snmp trap mac-notification added
You can verify the previous commands by entering the show mac address-table notification interface and the show mac address-table notification privileged EXEC commands.
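Once the added and removed notifications reach the NMS, they can be checked for address activity that deserves a closer look. The following Python is an added example, not code from this guide or from Cisco; the event tuple layout, the sample events and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, as an NMS might record them after decoding
# MAC notification traps. The layout (seconds, action, vlan, mac, port) is an
# assumption for this example, not the switch's trap encoding.
EVENTS = [
    (0,   "added",   4, "0011.2233.4401", "Gi0/17"),
    (5,   "added",   4, "0011.2233.4402", "Gi0/18"),
    (10,  "added",   5, "0011.2233.4401", "Gi0/18"),  # same MAC, other VLAN: separate table
    (61,  "added",   4, "0011.2233.4401", "Gi0/19"),  # same VLAN, new port, no removal seen
    (62,  "removed", 4, "0011.2233.4402", "Gi0/18"),
    (63,  "added",   4, "0011.2233.4402", "Gi0/17"),  # removal, then add: ordinary move
    (120, "added",   4, "0200.0000.0001", "Gi0/20"),
    (121, "added",   4, "0200.0000.0002", "Gi0/20"),
    (122, "added",   4, "0200.0000.0003", "Gi0/20"),
    (123, "added",   4, "0200.0000.0004", "Gi0/20"),
]


def analyze(events, interval=60, max_new_per_port=3):
    """Return findings as (kind, vlan, mac, port, detail) tuples.

    conflict: an address is added on a port while the same VLAN still
              records it on a different port (no 'removed' event was seen).
    burst:    one port learns more than max_new_per_port addresses inside a
              single notification interval (60 s matches the example above).
    """
    where = {}                 # (vlan, mac) -> port that currently holds the entry
    adds = defaultdict(int)    # (port, window index) -> additions in that window
    reported = set()           # windows already reported as a burst
    findings = []
    for t, action, vlan, mac, port in sorted(events):
        key = (vlan, mac)      # each VLAN keeps its own logical address table
        if action == "added":
            previous = where.get(key)
            if previous is not None and previous != port:
                findings.append(
                    ("conflict", vlan, mac, port, f"still recorded on {previous}"))
            where[key] = port
            window = (port, t // interval)
            adds[window] += 1
            if adds[window] > max_new_per_port and window not in reported:
                reported.add(window)
                findings.append(
                    ("burst", None, None, port,
                     f"more than {max_new_per_port} new addresses in one "
                     f"{interval}-second window"))
        elif action == "removed":
            if where.get(key) == port:
                del where[key]
        else:
            raise ValueError(f"unknown action: {action!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Both checks are heuristics: a conflict can also come from a lost trap, so treat findings as prompts to inspect the port with show mac address-table interface.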

Adding and Removing Static Address Entries

A static address has these characteristics:
It is manually entered in the address table and must be manually removed.
It can be a unicast or multicast address.
It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.
A static address in one VLAN must be a static address in other VLANs. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.
You add a static address to the address table by specifying the destination MAC address (unicast or multicast) and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: mac address-table static mac-addr vlan vlan-id interface interface-id
        Purpose: Add a static address to the MAC address table.
        For mac-addr, specify the destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
        For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
        For interface-id, specify the interface to which the received packet is forwarded. Valid interfaces include physical ports and port channels. For static multicast addresses, you can enter multiple interface IDs. For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show mac address-table static
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command.
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified interface:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/17

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 4-4:
Table 4-4 Commands for Displaying the MAC Address Table
Command                            Description
show mac address-table address     Displays MAC address table information for the specified MAC address.
show mac address-table aging-time  Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count       Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic     Displays dynamic MAC address table entries only.
show mac address-table interface   Displays the MAC address table information for the specified interface.
show mac address-table multicast   Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table static      Displays static MAC address table entries only.
show mac address-table vlan        Displays the MAC address table information for the specified VLAN.

Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must determine the 48-bit MAC or the local data link address of that device. The process of determining the local data link address from an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Taking an IP address as input, ARP determines the associated MAC address. Once a MAC address is determined, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
For CLI procedures, see the Cisco IOS Release 12.1 documentation on Cisco.com.

Chapter 5 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Cisco Systems Intelligent Gigabit Ethernet Switch Module. This chapter consists of these sections:
Preventing Unauthorized Access to Your Switch, page 5-1
Protecting Access to Privileged EXEC Commands, page 5-2
Controlling Switch Access with TACACS+, page 5-9
Controlling Switch Access with RADIUS, page 5-16
Configuring the Switch for Local Authentication and Authorization, page 5-31
Configuring the Switch for Secure Shell, page 5-32

Preventing Unauthorized Access to Your Switch

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.
To prevent unauthorized access into your switch, you should configure one or more of these security features:
At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch. For more information, see the “Protecting Access to Privileged EXEC Commands” section on page 5-2.
For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 5-6.
If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 5-9.

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:
Default Password and Privilege Level Configuration, page 5-2
Setting or Changing a Static Enable Password, page 5-3
Protecting Enable and Enable Secret Passwords with Encryption, page 5-4
Setting a Telnet Password for a Terminal Line, page 5-5
Configuring Username and Password Pairs, page 5-6
Configuring Multiple Privilege Levels, page 5-6

Default Password and Privilege Level Configuration

Table 5-1 shows the default password and privilege level configuration.
Table 5-1 Default Password and Privilege Levels
Feature                                     Default Setting
Enable password and privilege level         No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
Enable secret password and privilege level  No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password                               No password is defined.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: enable password password
        Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
        By default, no password is defined.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do this:
        Enter abc.
        Enter Ctrl-v.
        Enter ?123.
        When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the switch configuration file.
To remove the password, use the no enable password global configuration command.
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)# enable password l1u2c3k4y5

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: enable password [level level] {password | encryption-type encrypted-password}
  Define a new password or change an existing password for access to privileged EXEC mode.
or: enable secret [level level] {password | encryption-type encrypted-password}
  Define a secret password, which is saved using a nonreversible encryption method.
  (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
  For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
  (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another Cisco Systems Intelligent Gigabit Ethernet Switch Module configuration.
  Note If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Step 3: service password-encryption
  (Optional) Encrypt the password when the password is defined or when the configuration is written.
  Encryption prevents the password from being readable in the configuration file.
Step 4: end
  Return to privileged EXEC mode.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 5-6.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and virtual terminal line passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
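The storage rules in this section (an enable password is readable in the file, an enable secret is nonreversible, and service password-encryption covers the remaining passwords) can be checked against a saved configuration. The Python audit below is an added example, not part of the Cisco/IBM guide: the sample configuration is constructed from the example passwords printed in this chapter plus made-up usernames and a placeholder type 7 string, the function names are hypothetical, and enable secret precedence is assumed to apply per privilege level.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: passwords are the example values printed in this chapter;
# the usernames and the type 7 string are made-up placeholders.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 2 l1u2c3k4y5
enable password level 14 SecretPswd14
username netops privilege 15 password 0 Sample Pass
username audit password 7 0000000000
line vty 0 15
 password let45me67in89
 login
"""

# Shape of a credential line: command [level N] [encryption-type] value
CRED_RE = re.compile(
    r"^(?P<cmd>enable (?:password|secret)"
    r"|username \S+(?: privilege \d+)? password"
    r"|password)"
    r"(?: level (?P<level>\d+))?"
    r"(?: (?P<type>[057])(?= \S))?"
    r" (?P<value>.+)$"
)

# Storage is decided by the encryption-type digit in front of the value.
STORAGE = {None: "cleartext", "0": "cleartext", "7": "type7", "5": "type5"}


@dataclass
class Finding:
    line_no: int
    scope: str              # "global" or the enclosing "line ..." block
    command: str
    level: Optional[int]    # privilege level for enable commands, else None
    storage: str            # "cleartext", "type7" or "type5"
    shadowed: bool = False  # enable password overridden by an enable secret

    @property
    def needs_action(self) -> bool:
        # Only a type 5 secret is nonreversible. Type 7 ("hidden") is a
        # reversible obfuscation, so it is treated like cleartext here.
        return self.storage != "type5" or self.shadowed


def encryption_service_enabled(config: str) -> bool:
    """True only if the command is present and not negated with 'no'."""
    return any(line.strip() == "service password-encryption"
               for line in config.splitlines())


def audit(config: str) -> list:
    """Return one Finding per credential line; secret values are not stored."""
    findings, scope = [], "global"
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # a top-level command opens a new scope
            scope = line if line.startswith("line ") else "global"
        m = CRED_RE.match(line)
        # A bare "password" command only exists in line configuration mode.
        if not m or (m["cmd"] == "password" and scope == "global"):
            continue
        is_enable = m["cmd"].startswith("enable ")
        level = int(m["level"] or 15) if is_enable else None  # default is 15
        findings.append(Finding(no, scope, m["cmd"], level, STORAGE[m["type"]]))
    # Assumption: enable secret takes precedence per privilege level, so an
    # enable password at the same level is unused but still readable.
    secret_levels = {f.level for f in findings if f.command == "enable secret"}
    for f in findings:
        if f.command == "enable password" and f.level in secret_levels:
            f.shadowed = True
    return findings


def report(config: str) -> list:
    """Human-readable lines for every entry that needs attention."""
    lines = []
    if not encryption_service_enabled(config):
        lines.append("service password-encryption is off: "
                     "cleartext entries stay readable")
    for f in audit(config):
        if f.needs_action:
            why = "shadowed by enable secret, " if f.shadowed else ""
            lines.append(f"line {f.line_no} [{f.scope}] {f.command}: "
                         f"{why}{f.storage}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

The report never echoes the password values themselves, so its output can go into a ticket or log without copying the credentials out of the configuration file.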

Setting a Telnet Password for a Terminal Line

The switch has a default username and password, which are required when accessing the switch through a Telnet session. For more information, see the Cisco Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter Installation Guide.
Beginning in privileged EXEC mode, follow these steps to configure your switch for Telnet access:
Step 1: enable password password
  Enter privileged EXEC mode.
  Note An enable password is configured by default. It might not be necessary to enter a password to enter privileged EXEC mode.
Step 2: configure terminal
  Enter global configuration mode.
Step 3: line vty 0 15
  Configure the number of Telnet sessions (lines), and enter line configuration mode.
  The default configuration is login local.
  There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Step 4: password password
  Enter a Telnet password for the line or lines.
  For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show running-config
  Verify your entries.
  The password is listed under the command line vty 0 15.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To remove the password, use the no password global configuration command.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: username name [privilege level] {password encryption-type password}
  Enter the username, privilege level, and password for each user.
  For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
  (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
  For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
  For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step 3: line vty 0 15
  Enter line configuration mode, and configure the VTY lines (line 0 to 15).
Step 4: login local
  Enable local password checking at login time. Authentication is based on the username specified in Step 2.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show running-config
  Verify your entries.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.

Configuring Multiple Privilege Levels

By default, the software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
This section includes this configuration information:
Setting the Privilege Level for a Command, page 5-7
Changing the Default Privilege Level for Lines, page 5-8
Logging into and Exiting a Privilege Level, page 5-8
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: privilege mode level level command
  Set the privilege level for a command.
  For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
  For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
  For command, specify the command to which you want to restrict access.
Step 3: enable password level level password
  Specify the enable password for the privilege level.
  For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
  For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
or: show privilege
  Verify your entries.
  The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: line vty line
  Select the virtual terminal line on which to restrict access.
Step 3: privilege level level
  Change the default privilege level for the line.
  For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
or: show privilege
  Verify your entries.
  The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level.
To return to the default line privilege level, use the no privilege level line configuration command.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1: enable level
  Log in to a specified privilege level.
  For level, the range is 0 to 15.
Step 2: disable level
  Exit to a specified privilege level.
  For level, the range is 0 to 15.

Controlling Switch Access with TACACS+

This section describes how to enable and configure TACACS+, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
This section contains this configuration information:
Understanding TACACS+, page 5-9
TACACS+ Operation, page 5-11
Configuring TACACS+, page 5-11
Displaying the TACACS+ Configuration, page 5-16

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 5-1.
Figure 5-1 Typical TACACS+ Network Configuration
[Figure: UNIX workstation (TACACS+ server 1) at 171.20.10.7, UNIX workstation (TACACS+ server 2) at 171.20.10.8, a Catalyst 6500 series switch, and two BladeCenter units.]
Figure notes: Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines. Create an authorization and accounting method list as required.
TACACS+, administered through the AAA security services, can provide these services:
Authentication—Provides complete control of authentication through login and password dialog, challenge and response, and messaging support.
The authentication facility can conduct a dialog with the user (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to user screens. For example, a message could notify users that their passwords must be changed because of the company’s password aging policy.
Authorization—Provides fine-grained control over user capabilities for the duration of the user’s session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature.
Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted.
You need a system running the TACACS+ daemon software to use TACACS+ on your switch.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch by using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a dialog between the daemon and the user until the daemon receives enough information to authenticate the user. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
  ACCEPT—The user is authenticated and service can begin. If the switch is configured to require authorization, authorization begins at this time.
  REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the login sequence, depending on the TACACS+ daemon.
  ERROR—An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the switch. If an ERROR response is received, the switch typically tries to use an alternative method for authenticating the user.
  CONTINUE—The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that direct the EXEC or NETWORK session for that user, determining the services that the user can access:
  Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
  Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
This section contains this configuration information:
Default TACACS+ Configuration, page 5-12
Identifying the TACACS+ Server Host and Setting the Authentication Key, page 5-12
Configuring TACACS+ Login Authentication, page 5-13
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 5-15
Starting TACACS+ Accounting, page 5-16
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15.
Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: tacacs-server host hostname [port integer] [timeout integer] [key string]
  Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.
  For hostname, specify the name or IP address of the host.
  (Optional) For port integer, specify a server port number. The default is port 49. The range is 1 to 65535.
  (Optional) For timeout integer, specify a time in seconds the switch waits for a response from the daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to 1000 seconds.
  (Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the switch and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.
Step 3: aaa new-model
  Enable AAA.
Step 4: aaa group server tacacs+ group-name
  (Optional) Define the AAA server-group with a group name.
  This command puts the switch in a server group subconfiguration mode.
Step 5: server ip-address
  (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.
  Each server in the group must be previously defined in Step 2.
Step 6: end
  Return to privileged EXEC mode.
Step 7: show tacacs
  Verify your entries.
Step 8: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command. To remove a server group from the configuration list, use the no aaa group server tacacs+ group-name global configuration command. To remove the IP address of a TACACS+ server, use the no server ip-address server group subconfiguration command.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: aaa new-model
  Enable AAA.
Step 3: aaa authentication login {default | list-name} method1 [method2...]
  Create a login authentication method list.
  To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
  For list-name, specify a character string to name the list you are creating.
  For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
  Select one of these methods:
    enable—Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.
    group tacacs+—Uses TACACS+ authentication. Before you can use this authentication method, you must configure the TACACS+ server. For more information, see the “Identifying the TACACS+ Server Host and Setting the Authentication Key” section on page 5-12.
    line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command.
    local—Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.
    local-case—Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username name password global configuration command.
    none—Do not use any authentication for login.
Step 4: line [console | tty | vty] line-number [ending-line-number]
  Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
Step 5: login authentication {default | list-name}
  Apply the authentication list to a line or set of lines.
  If you specify default, use the default list created with the aaa authentication login command.
  For list-name, specify the list created with the aaa authentication login command.
Step 6: end
  Return to privileged EXEC mode.
Step 7: show running-config
  Verify your entries.
Step 8: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
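The method-list rule in this section (the next method is tried only when the previous one returns an error, never after a denial) and the ACCEPT, REJECT and ERROR replies from "TACACS+ Operation" can be modelled to show what a given list does during a server outage. This Python model is an added example, not Cisco or IBM code: the users, passwords and helper names are constructed, the CONTINUE dialog is omitted, and denying access once the list is exhausted is an assumption.

```python
from enum import Enum


class Reply(Enum):
    ACCEPT = "ACCEPT"   # method answered: user authenticated
    REJECT = "REJECT"   # method answered: user denied
    ERROR = "ERROR"     # method did not answer (daemon down, timeout)


def parse_method_list(command):
    """Parse 'aaa authentication login {default | list-name} method1 [method2...]'."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("not an 'aaa authentication login' command")
    name, rest, methods = tokens[3], tokens[4:], []
    while rest:
        take = 2 if rest[0] == "group" else 1   # "group tacacs+" is one method
        methods.append(" ".join(rest[:take]))
        rest = rest[take:]
    return name, methods


def make_backends(tacacs_up, tacacs_users, local_users):
    """Hypothetical stand-ins for the daemon and the local username database."""
    def check(db, user, password):
        return Reply.ACCEPT if db.get(user) == password else Reply.REJECT
    return {
        "group tacacs+": lambda u, p: (check(tacacs_users, u, p)
                                       if tacacs_up else Reply.ERROR),
        "local": lambda u, p: check(local_users, u, p),
        "none": lambda u, p: Reply.ACCEPT,      # no authentication at all
    }


def authenticate(methods, backends, user, password):
    """Walk the list: only ERROR moves on, ACCEPT or REJECT ends the cycle."""
    trace = []
    for method in methods:
        reply = backends[method](user, password)
        trace.append((method, reply.value))
        if reply is not Reply.ERROR:
            return reply, trace
    return Reply.REJECT, trace   # assumption: an exhausted list denies access


def run_scenarios():
    tacacs_users = {"alice": "Constructed-Tacacs-Pw"}   # constructed data
    local_users = {"alice": "Constructed-Local-Pw"}     # constructed data
    _, with_local = parse_method_list(
        "aaa authentication login default group tacacs+ local")
    _, with_none = parse_method_list(
        "aaa authentication login default group tacacs+ none")
    up = make_backends(True, tacacs_users, local_users)
    down = make_backends(False, tacacs_users, local_users)
    return {
        # Daemon reachable and password correct: first method decides.
        "server_up_good_pw": authenticate(
            with_local, up, "alice", "Constructed-Tacacs-Pw"),
        # Daemon reachable but it denies: local is never consulted.
        "server_up_local_pw": authenticate(
            with_local, up, "alice", "Constructed-Local-Pw"),
        # Daemon unreachable: the list falls through to the local database.
        "server_down_local_pw": authenticate(
            with_local, down, "alice", "Constructed-Local-Pw"),
        # Daemon unreachable with 'none' last: login succeeds unauthenticated.
        "server_down_none": authenticate(
            with_none, down, "anyone", "anything"),
    }


if __name__ == "__main__":
    for name, (reply, trace) in run_scenarios().items():
        print(f"{name}: {reply.value} via {trace}")
```

The last scenario is the one to look for when reviewing a configuration: a list that ends in none turns a daemon outage into a login with no authentication, whereas ending it in local keeps a credential check in place.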
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: aaa authorization network tacacs+
  Configure the switch for user TACACS+ authorization for all network-related service requests.
Step 3: aaa authorization exec tacacs+
  Configure the switch for user TACACS+ authorization to determine if the user has privileged EXEC access.
  The exec keyword might return user profile information (such as autocommand information).
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each privilege level and for network services:
        Command                                    Purpose
Step 1  configure terminal                         Enter global configuration mode.
Step 2  aaa accounting network start-stop tacacs+  Enable TACACS+ accounting for all network-related service requests.
Step 3  aaa accounting exec start-stop tacacs+     Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.
Step 4  end                                        Return to privileged EXEC mode.
Step 5  show running-config                        Verify your entries.
Step 6  copy running-config startup-config         (Optional) Save your entries in the configuration file.
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Displaying the TACACS+ Configuration

To display TACACS+ server statistics, use the show tacacs privileged EXEC command.

Controlling Switch Access with RADIUS

This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
This section contains this configuration information:
• Understanding RADIUS
• RADIUS Operation
• Configuring RADIUS
• Displaying the RADIUS Configuration

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, see the RADIUS server documentation.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server. See Figure 5-2 on page 5-18.
• Networks in which the user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE 802.1X. For more information about this protocol, see Chapter 6, “Configuring IEEE 802.1x Port-Based Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
Figure 5-2 Transitioning from RADIUS to TACACS+ Services
[Figure labels: Remote PC; Catalyst 2950, 2955, or 3550 switch; BladeCenter; RADIUS servers; TACACS+ servers]

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of these responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied.
c. CHALLENGE—A challenge requires additional data from the user.
d. CHALLENGE PASSWORD—A response requests the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items:
• Telnet, SSH, rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
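The method-list walk described above, as an added Python sketch that is not code from this guide or from Cisco IOS. It separates "no response" from "denied": that a denial ends the walk is standard IOS AAA behaviour and is stated here as an assumption beyond this paragraph. All names and credentials are constructed.

```python
import hmac
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the user
    FAIL = "fail"    # method answered and denied the user
    ERROR = "error"  # method did not respond (server down, timeout)

def run_method_list(methods, username, password):
    """Walk (name, method) pairs in order; return (granted, trace)."""
    trace = []
    for name, method in methods:
        result = method(username, password)
        trace.append((name, result))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            # A denial is an answer: stop, do not consult later methods.
            return False, trace
        # Result.ERROR: no response, so fall through to the next method.
    return False, trace  # list exhausted without any method answering

# Constructed sample methods (hypothetical names and credentials).
LOCAL_USERS = {"admin": "local-fallback-pw"}

def local(username, password):
    stored = LOCAL_USERS.get(username)
    ok = stored is not None and hmac.compare_digest(stored, password)
    return Result.PASS if ok else Result.FAIL

def radius_unreachable(username, password):
    return Result.ERROR

def radius_rejects(username, password):
    return Result.FAIL
```

The local database is reached only when the server is unreachable, so local accounts kept as a backup are exactly the credentials in force during an outage.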
You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch.
This section contains this configuration information:
• Default RADIUS Configuration
• Identifying the RADIUS Server Host (required)
• Configuring RADIUS Login Authentication (required)
• Defining AAA Server Groups (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services (optional)
• Starting RADIUS Accounting (optional)
• Configuring Settings for All RADIUS Servers (optional)
• Configuring the Switch to Use Vendor-Specific RADIUS Attributes (optional)
• Configuring the Switch for Vendor-Proprietary RADIUS Server Communication (optional)
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
Identifying the RADIUS Server Host
Switch-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host global configuration command.
Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. For information on configuring these settings on all RADIUS servers, see the “Configuring Settings for All RADIUS Servers” section on page 5-28.
You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 5-24.