
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst switch.

When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.

Use switches that support at least two queues per port to prioritize voice and data traffic as either high or low priority, based on the IEEE 802.1p priority.

Note Before using the archive config privileged EXEC command, you must first enter the path archive configuration command to specify the location and filename prefix for the files in the configuration archive.

Caution Returning the switch to the default configuration results in the loss of all existing configurations.


For more information about cabling requirements, see the hardware installation guide. Auto-MDIX is enabled by default. When you enable auto-MDIX, you must also set the interface speed and duplex to auto so that the feature operates correctly. The table in the configuration guide shows the link states that result from auto-MDIX settings and correct and incorrect cabling. In the auto-MDIX procedure, the speed auto and duplex auto interface configuration commands configure the interface to autonegotiate speed and duplex mode with the connected device, and the mdix auto interface configuration command enables auto-MDIX on the interface.

The show controllers ethernet-controller interface-id phy privileged EXEC command verifies the operational state of the auto-MDIX feature on the interface. To disable auto-MDIX, use the no mdix auto interface configuration command.

For most situations, the default PoE configuration (auto mode) works well, providing plug-and-play operation, and no further configuration is required. However, use the following procedure to give a PoE port higher priority, to make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port.

Note When you make PoE configuration changes, the port being configured drops power. Depending on the new configuration, the state of the other PoE ports, and the state of the power budget, the port might not be powered up again. For example, port 1 is in the auto and on state, and you configure it for static mode. The switch removes power from port 1, detects the powered device, and repowers the port. If port 1 is in the auto and on state and you configure it with a maximum wattage of 10 W, the switch removes power from the port and then redetects the powered device.

The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. In the procedure, the interface interface-id command specifies the physical port to be configured and enters interface configuration mode, and the power inline {auto [max max-wattage] | never | static [max max-wattage]} interface configuration command configures the PoE mode on the port. Note If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state.

The switch allocates power to a port configured in static mode before it allocates power to a port configured in auto mode. The show power inline [interface-id] user EXEC command displays PoE status for the switch or for the specified interface; for information about its output, see the command reference for this release. When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly.

For IEEE powered devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification. If the powered device is a Class 0 (class status unknown) or a Class 3, the switch budgets 15,400 milliwatts for the device, regardless of the actual amount of power needed.

If the powered device reports a higher class than its actual consumption or does not support power classification (defaults to Class 0), the switch can power fewer devices because it uses the IEEE class information to track the global power budget. By using the power inline consumption wattage configuration command, you can override the default power requirement specified by the IEEE classification.

The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices. You can then extend the switch power budget and use it more effectively. For example, if the switch budgets 15,400 milliwatts on each PoE port, you can connect only 24 Class 0 powered devices. If your Class 0 device power requirement is actually 5000 milliwatts, you can set the consumption wattage to 5000 milliwatts and connect up to 48 devices.

The total PoE output power available on a 24-port or 48-port switch is 370,000 milliwatts. Note When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device. When you enter the power inline consumption default wattage or the no power inline consumption default global configuration command, or the power inline consumption wattage or the no power inline consumption interface configuration command, this caution message appears:

If the power supply is over-subscribed by up to 20 percent, the switch continues to operate but its reliability is reduced. If the power supply is over-subscribed by more than 20 percent, the short-circuit protection circuitry triggers and shuts the switch down.

Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch: enter global configuration mode with configure terminal, and then use the power inline consumption default wattage global configuration command to configure the power consumption of powered devices connected to each PoE port on the switch. The range is 4000 to 15400 milliwatts.

Note When you use this command, we recommend that you also enable power policing. To return to the default setting, use the no power inline consumption default global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to a specific PoE port: enter interface configuration mode for the port with interface interface-id, and then use the power inline consumption wattage interface configuration command to configure the power consumption of the powered device connected to that PoE port. To return to the default setting, use the no power inline consumption interface configuration command.

For information about the output of the show power inline consumption privileged EXEC command, see the command reference for this release. Note Power policing is supported only on Catalyst 3560-C switches. By default, the switch monitors the real-time power consumption of connected powered devices.

You can configure the switch to police the power usage. By default, policing is disabled. Beginning in privileged EXEC mode, follow these steps to enable policing of the real-time power consumption of a powered device connected to a PoE port: select the port with interface interface-id, and then enter the power inline police [action {log | errdisable}] interface configuration command. If the real-time power consumption exceeds the maximum power allocation on the port, the switch takes one of these actions: with action log, it generates a syslog message while still providing power to the connected device; with action errdisable (the default when no action keyword is entered), it shuts down the port, turns off power to it, and puts it in the error-disabled state. Note You can enable error detection for the PoE error-disabled cause by using the errdisable detect cause inline-power global configuration command.

You can also enable the timer to recover from the PoE error-disabled state by using the errdisable recovery cause inline-power interval interval global configuration command. If you do not enter the action keywords, the default action shuts down the port and puts the port in the error-disabled state. (Optional) Enable error recovery from the PoE error-disabled state, and configure the PoE recovery mechanism variables.

For interval interval, specify the time in seconds to recover from the error-disabled state. The range is 30 to 86400. Use the show power inline police privileged EXEC command to display the power monitoring status and the show errdisable recovery privileged EXEC command to verify the error recovery settings. To disable policing of the real-time power consumption, use the no power inline police interface configuration command.

To disable error recovery for PoE error-disabled cause, use the no errdisable recovery cause inline-power global configuration command. For information about the output from the show power inline police privileged EXEC command, see the command reference for this release.

You can configure the power management, budgeting, and policing on the Catalyst 3560-C compact switch PoE ports the same as with any other PoE switch. The show env power inline privileged EXEC command provides information about powering options and power backup on your switch. You can see the available power and the power required by each connected device by entering the show power inline privileged EXEC command. Enter the show power inline police privileged EXEC command to see power monitoring status.
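The PoE mode, consumption-override, policing and error-recovery steps described above, brought together in one configuration. This is an added example, not text from the configuration guide; it assumes a Catalyst 3560-C with eight PoE GigabitEthernet ports (0/1 to 0/8), and the wattages, port roles and recovery interval are illustrative values to be replaced with measured ones.

```cisco
! Added example (not from the guide): PoE budgeting and policing on an assumed
! Catalyst 3560-C with PoE ports Gi0/1-0/8. Wattages and ports are illustrative.
Switch# configure terminal

! Budget Class 0 phones at their measured draw (7 W) instead of the IEEE
! default of 15.4 W so the 370 W budget reaches more ports. Measure first with
! "show power inline" on a populated auto port; too low a value starves devices.
Switch(config)# power inline consumption default 7000

! Detect PoE over-draw as an err-disable cause and recover after 300 seconds
Switch(config)# errdisable detect cause inline-power
Switch(config)# errdisable recovery cause inline-power
Switch(config)# errdisable recovery interval 300

! Phone ports: auto mode capped at 7 W; a device that pulls more is
! err-disabled instead of consuming budget promised to its neighbours.
Switch(config)# interface range gigabitethernet0/1 - 6
Switch(config-if-range)# power inline auto max 7000
Switch(config-if-range)# power inline police
Switch(config-if-range)# exit

! Critical camera: static mode reserves 15.4 W even while unplugged, so it is
! powered ahead of auto ports; log-only policing keeps it up but records over-draw.
Switch(config)# interface gigabitethernet0/7
Switch(config-if)# power inline static max 15400
Switch(config-if)# power inline police action log
Switch(config-if)# exit

! Data-only port: never supply power. Not for ports with a Cisco powered
! device attached (the guide warns of a false link-up and err-disable).
Switch(config)# interface gigabitethernet0/8
Switch(config-if)# power inline never
Switch(config-if)# end

! Verify budget, per-port allocation, policing state and recovery timer
Switch# show power inline
Switch# show power inline police
Switch# show errdisable recovery
Switch# copy running-config startup-config
```

Policing is the check that keeps one misbehaving or counterfeit device from silently drawing power the budget has already promised to others; the static reservation is what guarantees the camera stays up when the auto ports fill the budget first-come, first-served.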

The show power inline dynamic-priority command shows the power priority of each port. You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface: enter global configuration mode; specify the interface for which you are adding a description with interface interface-id, which enters interface configuration mode; and add a description of up to 240 characters with the description string interface configuration command.

Use the no description interface configuration command to delete the description. The switch supports these types of Layer 3 interfaces: SVIs, routed ports, and Layer 3 EtherChannel port-channel interfaces. Note When you create an SVI, it does not become active until it is associated with a physical port. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch.

However, the interrelationship between the number of SVIs and routed ports and the number of other features being configured might have an impact on CPU usage because of hardware limitations. If the switch is using maximum hardware resources, an attempt to create a routed port or SVI fails for lack of hardware resources, and the switch generates a message saying so.

All Layer 3 interfaces require an IP address to route traffic. This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface. Note If the physical port is in Layer 2 mode (the default), you must enter the no switchport interface configuration command to put the interface into Layer 3 mode. Entering a no switchport command disables and then re-enables the interface, which might generate messages on the device to which the interface is connected.

Furthermore, when you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. In the procedure, interface interface-id specifies the interface to be configured as a Layer 3 interface and enters interface configuration mode; no switchport puts the interface into Layer 3 mode; ip address ip_address subnet_mask configures the IP address and subnet mask; and no shutdown enables the interface. To remove an IP address from an interface, use the no ip address interface configuration command.

The switchport autostate exclude interface configuration command excludes a port from the SVI line-state calculation; you can use it to exclude a monitoring port's status when determining the status of the SVI. In the procedure, interface interface-id specifies a Layer 2 interface (physical port or port channel) and enters interface configuration mode, and switchport autostate exclude excludes the access or trunk port when defining the status of an SVI line state (up or down).
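A routed uplink and an SVI configured per the steps above, with the autostate exclusion applied to a monitoring (SPAN destination) port, and the description, speed, duplex and auto-MDIX settings from earlier in the chapter applied to the same ports. This is an added example, not from the guide; the interface numbers, VLAN 10 and the addresses (RFC 5737 and RFC 1918 ranges) are illustrative, and it assumes IP routing is enabled on the switch.

```cisco
! Added example (not from the guide): routed uplink, user SVI and a SPAN
! destination excluded from autostate. Ports, VLAN and addresses are illustrative.
Switch# configure terminal
Switch(config)# ip routing

! Routed port. "no switchport" resets the port's Layer 2 configuration, so the
! description and physical-layer settings are entered after it, not before.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# description Uplink to core router, routed
Switch(config-if)# ip address 192.0.2.2 255.255.255.252
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# no shutdown
Switch(config-if)# exit

! SVI for VLAN 10. It stays down until at least one port in VLAN 10 is up and
! forwarding, which is the autostate behaviour described above.
Switch(config)# vlan 10
Switch(config-vlan)# name USERS
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.0.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

! Access port in VLAN 10; its link state counts toward the SVI state.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# description User port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

! SPAN destination in VLAN 10. Excluding it means a sensor left plugged in
! cannot by itself hold the SVI (and its route) up after all user ports drop.
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# description SPAN destination to IDS sensor
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport autostate exclude
Switch(config-if)# end

! Verify: Gi0/1 reports "Switchport: Disabled", the SVI shows its line state,
! and the PHY output shows whether auto-MDIX is operational.
Switch# show interfaces gigabitethernet0/1 switchport
Switch# show ip interface brief
Switch# show interfaces description
Switch# show controllers ethernet-controller gigabitethernet0/1 phy
```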

The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces is 1500 bytes. You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.

You can change the MTU size for routed ports by using the system mtu routing global configuration command. If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted, but not applied until the next switch reset.

If you do not configure the system mtu jumbo command, the setting of the system mtu command applies to all Gigabit Ethernet interfaces. When you change the system or jumbo MTU size, you must reset the switch before the new configuration takes effect.

The system mtu routing command does not require a switch reset to take effect. Frame sizes that can be received by the switch CPU are limited to 1998 bytes, no matter what value was entered with the system mtu or system mtu jumbo commands. Although frames that are forwarded or routed are typically not received by the CPU, in some cases packets are sent to the CPU, such as control traffic, SNMP, Telnet, or routing protocol traffic.

Routed packets are subjected to MTU checks on the output ports. The MTU value used for routed ports is derived from the applied system mtu value, not the system mtu jumbo value. In the procedure: system mtu bytes (optional) changes the MTU size for all interfaces operating at 10 or 100 Mb/s; the range is 1500 to 1998 bytes, and the default is 1500 bytes. system mtu jumbo bytes (optional) changes the MTU size for all Gigabit Ethernet interfaces; the range is 1500 to 9000 bytes, and the default is 1500 bytes. system mtu routing bytes (optional) changes the system MTU for routed ports; the range is 1500 bytes to the system MTU value. Although larger packets can be accepted, they cannot be routed. If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted.
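The three MTU commands applied together, as an added example that is not from the guide. It assumes an otherwise default switch; the 1998 and 9000 values are the maxima documented above and are chosen to show that routed traffic is capped by system mtu rather than by system mtu jumbo.

```cisco
! Added example (not from the guide): jumbo frames for Layer 2 traffic on the
! Gigabit ports, routed traffic raised only as far as system mtu allows.
Switch# configure terminal
! Raise the system MTU first: it is the ceiling for system mtu routing and the
! value the 10/100 ports use (range 1500 to 1998).
Switch(config)# system mtu 1998
! Gigabit Ethernet ports may switch frames up to 9000 bytes after the reload.
Switch(config)# system mtu jumbo 9000
! Routed ports use this value, not the jumbo value; it cannot exceed system mtu,
! so a 9000-byte frame is switched within a VLAN but not routed between VLANs.
Switch(config)# system mtu routing 1998
Switch(config)# end
! system mtu and system mtu jumbo take effect only after a reload; system mtu
! routing takes effect immediately. Save before reloading.
Switch# copy running-config startup-config
Switch# reload
! After the reload, confirm all three values and that the CPU path still caps
! frames at 1998 bytes regardless of the jumbo setting.
Switch# show system mtu
```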

Once the switch reloads, you can verify your settings by entering the show system mtu privileged EXEC command.

When the redundant power system (RPS) cannot back up every connected switch, it supplies power to the highest-priority switches first and applies any other available power to the lower-priority switches.

Using quotation marks before and after the name is optional, but you must use quotation marks if you want to include spaces in the port name. The name can have up to 16 characters. The default mode for RPS ports is active. Set the priority of the RPS port. The range is from 1 to 6, where 1 is the highest priority and 6 is the lowest priority.

To return to the default name setting (no configured name), use the power rps port rps-port-id name user EXEC command with no space between the quotation marks. To return to the default port mode, use the power rps port rps-port-id active command. To return to the default port priority, use the power rps port rps-port-id priority command. For more information about using the power rps user EXEC command, see the command reference for this release. These sections contain interface monitoring and maintenance information.

Commands entered at the privileged EXEC prompt display information about the interface, including the versions of the software and the hardware, the configuration, and statistics about the interfaces. The following table lists some of these interface monitoring commands. You can display the full list of show commands by using the show ? command.

Table: Show Commands for Interfaces

show interfaces [interface-id]: (Optional) Display the status and configuration of all interfaces or a specific interface.
show interfaces interface-id status [err-disabled]: (Optional) Display interface status or a list of interfaces in an error-disabled state.
show interfaces [interface-id] switchport: (Optional) Display administrative and operational status of switching ports. You can use this command to find out if a port is in routing or in switching mode.
show interfaces [interface-id] description: (Optional) Display the description configured on an interface or all interfaces and the interface status.
show ip interface [interface-id]: (Optional) Display the usability status of all interfaces configured for IP routing or the specified interface.
show interfaces [interface-id] stats: (Optional) Display the input and output packets by the switching path for the interface.
show interfaces transceiver properties: (Optional) Display speed, duplex, and inline power settings on the interface.
show interfaces transceiver detail: (Optional) Display temperature, voltage, or amount of current on the interface.
show interfaces [interface-id] [{transceiver properties | detail}] module number: Display physical and operational status about an SFP module.
show running-config interface [interface-id]: Display the running configuration in RAM for the interface.
show version: Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
show controllers ethernet-controller interface-id phy: Display the operational state of the auto-MDIX feature on the interface.

The following table lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.

Table: Clear Commands for Interfaces

clear counters [interface-id]: Clear interface counters.
clear interface interface-id: Reset the hardware logic on an interface.
clear line [number | console 0 | vty number]: Reset the hardware logic on an asynchronous serial line.

The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number.

Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates. Beginning in privileged EXEC mode, follow these steps to shut down an interface: enter global configuration mode, select the interface with interface {vlan vlan-id | fastethernet interface-id | gigabitethernet interface-id | port-channel port-channel-number}, and enter the shutdown interface configuration command. Use the no shutdown interface configuration command to restart the interface.

Configuring Interface Characteristics

This chapter defines the types of Catalyst 3560 and 3560-C interfaces and describes how to configure them.

Understanding Interface Types

This section describes the different types of supported interfaces with references to chapters that contain more detailed information about configuring these interfaces. Add ports to a VLAN by using the switchport interface configuration commands:

- Identify the interface.
- For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong.
- For an access port, set and define the VLAN to which it belongs.

VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic access port is not a member of any VLAN.

Traffic forwarding to and from the port is enabled only when the port VLAN membership is discovered. These trunk port types are supported: ISL and IEEE 802.1Q. In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped.

An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. Untagged traffic travels on the port default VLAN; all other traffic is sent with a VLAN tag.

The line state of an SVI is up when the VLAN exists and is active in the VLAN database, the VLAN interface exists and is not administratively down, and at least one Layer 2 (access or trunk) port in the VLAN has a link in the up state and is in the spanning-tree forwarding state.

For a Cisco powered device that does not support intelligent power management, the switch does not reply to the power-consumption messages; the switch can only supply power to or remove power from the PoE port. Cisco intelligent power management—The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode.

The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode. The device changes to high-power mode only when it receives confirmation from the switch. IEEE 802.3af—For more information, see the standard. The switch classifies the detected IEEE device within a power consumption class. Based on the available power in the power budget, the switch determines if a port can be powered.

The table in the configuration guide lists these classes and their power levels.

Power Management Modes

Supported PoE modes:

auto—The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port and if the switch has enough power, it grants power, updates the power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs. For LED information, see the hardware installation guide.

static—The switch allocates the port configured maximum wattage, and the amount is never adjusted through the IEEE class or by CDP messages from the powered device. Because power is pre-allocated, any powered device that uses less than or equal to the maximum wattage is guaranteed to be powered when it is connected to the static port. The port no longer participates in the first-come, first-served model.

never—The switch disables powered-device detection and never powers the PoE port even if an unpowered device is connected. Use this mode only when you want to make sure power is never applied to a PoE-capable port, making the port a data-only port.

The switch determines the power level of the connected device as follows:

1. Manually, when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command.
2. Manually, when you set the user-defined power level that limits the power allowed on the port by using the power inline auto max max-wattage or the power inline static max max-wattage interface configuration command.
3. Automatically, when the switch sets the power level by using CDP power negotiation or the IEEE classification.

Power Consumption Values

You can configure the initial power allocation and the maximum power allocation on a port. The Catalyst 3560CPD-8PT switch can provide power to end devices through the eight downlink ports in one of two ways. In the first, when the switch receives power from the auxiliary power input, it acts like any other PoE switch and can supply power to end devices connected to the eight downlink ports according to the total power budget.

Possible end devices are IP phones, video cameras, and access points. To enable the power on both pairs, follow these steps:

Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode.
Step 3 [no] power inline four-pair forced: Enable or disable power on both the signal and spare pairs from a switch port.
Step 4 end: Exit configuration mode.

Configuring Power Consumption for Powered Devices on an Interface

When the switch detects a powered device on an interface, it provides the default power to the device. To change the value, enter interface configuration mode for the port and use [no] power inline consumption milli-watts to set the PoE consumption (in milliwatts) of the powered device connected to that interface, and then end to exit configuration mode. The following examples show how to enable or disable the power negotiation protocols:

    Switch(config)# [no] lldp run
    Switch(config)# [no] cdp run

Note The powered device (PD) and the power sourcing equipment (PSE) should run the same power negotiation protocol to negotiate power.

The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic. When IP routing protocol parameters and address configuration are added to an SVI or routed port, any IP traffic received from these ports is routed. When configuring fallback bridging, you assign SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group.

All interfaces in the same group belong to the same bridge domain.

Configuring the Console Media Type

Beginning in privileged EXEC mode, follow these steps to configure the console to use only the RJ-45 port:

Step 1 configure terminal: Enter global configuration mode.
Step 2 line console 0: Configure the console.
Step 3 media-type rj45: Configure the console media type to always be RJ-45.
Step 4 end: Return to privileged EXEC mode.
Step 5 show running-config: Verify your settings.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.

    Switch# configure terminal
    Switch(config)# line console 0
    Switch(config-line)# media-type rj45

This configuration terminates an active USB console media type.

To reverse the configuration so that a connected USB console can be activated again:

    Switch# configure terminal
    Switch(config)# line console 0
    Switch(config-line)# no media-type rj45

Configuring the USB Inactivity Timeout

The configurable inactivity timeout reactivates the RJ-45 console port if the USB console port is activated but no input activity occurs on it for a specified time period.

Step 1 configure terminal: Enter global configuration mode.
Step 2 line console 0: Configure the console port.
Step 3 usb-inactivity-timeout timeout-minutes: Specify an inactivity timeout for the console port. The range is 1 to 240 minutes.
Step 4 show running-config: Verify your setting.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.

Booting from a USB Flash Device

Step 1 configure terminal: Enter global configuration mode.
Step 2 boot system flash usbflash0:image: Configure the switch to boot from the USB flash device.
Step 3 show running-config: Verify your setting.
Step 4 copy running-config startup-config: (Optional) Save your entries in the configuration file.

    Switch# configure terminal
    Switch(config)# boot system flash usbflash0:c3560c-universalk9-mz

To disable booting from the USB flash device, enter the no form of the command.
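The console media-type, USB inactivity timeout and boot-source settings above, combined into one snippet that treats the USB connector and USB flash as physical attack surface. This is an added example, not from the guide; the username, secret, image file name and timers are placeholders, and it assumes a switch that has both the RJ-45 and USB console connectors.

```cisco
! Added example (not from the guide): console and boot-source hardening.
! Username, secret, image file name and timers are placeholders.
Switch# configure terminal

! Console fixed to RJ-45: plugging in a USB cable can no longer take over the
! active console session. Require a local login and time out idle sessions.
Switch(config)# line console 0
Switch(config-line)# media-type rj45
Switch(config-line)# login local
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# exit
Switch(config)# username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! Alternative when the USB console must remain usable: allow it to activate,
! but hand the port back to RJ-45 after 3 idle minutes. These lines replace,
! and cannot coexist with, "media-type rj45" above:
!   Switch(config)# line console 0
!   Switch(config-line)# no media-type rj45
!   Switch(config-line)# usb-inactivity-timeout 3
!
! Boot only the image on internal flash. Clearing the boot list first removes
! any usbflash0: entry, so a USB stick left in the slot cannot supply the image.
Switch(config)# no boot system
Switch(config)# boot system flash:c3560c-universalk9-mz.bin
Switch(config)# end

! Confirm exactly one boot entry and the console settings, then save.
Switch# show running-config | include boot system|media-type|usb-inactivity
Switch# show boot
Switch# copy running-config startup-config
```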

An interface identifier has these parts:

Type: Port types depend on those supported on the switch.
Module number: The module or slot number on the switch (always 0).
Port number: The interface number on the switch.

Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes.

Step 1 Enter the configure terminal command at the privileged EXEC prompt:

    Switch# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#

Step 2 Enter the interface global configuration command.

Configuring a Range of Interfaces

You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:

Step 1 configure terminal: Enter global configuration mode.

You can use the interface range command to configure up to five port ranges or a previously defined macro. In a comma-separated port-range , you must enter the interface type for each entry and enter spaces before and after the comma. In a hyphen-separated port-range , you do not need to re-enter the interface type, but you must enter a space before the hyphen.

Step 2 interface range {port-range | macro macro_name}: Specify the range of interfaces (VLANs or physical ports) to be configured, and enter interface-range configuration mode.
Step 3 Use the normal configuration commands to apply the configuration parameters to all interfaces in the range.
Step 4 end: Return to privileged EXEC mode.
Step 5 show interfaces [interface-id]: Verify the configuration of the interfaces in the range.

When using the interface range global configuration command, note these guidelines. Valid entries for port-range, depending on port types on the switch:
vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094
port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48
Note When you use the interface range command with port channels, the first and last port-channel number must be active port channels.

You must add a space between the first interface number and the hyphen when using the interface range command. The interface range command only works with VLAN interfaces that have been configured with the interface vlan command. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command. All interfaces defined in a range must be the same type all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs , but you can enter multiple ranges in a command.

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Beginning in privileged EXEC mode, follow these steps to define an interface range macro:

Step 1 configure terminal: Enter global configuration mode.
Step 2 define interface-range macro_name interface-range: Define the interface-range macro, and save it in NVRAM.

A macro can contain up to five comma-separated interface ranges. Each interface-range must consist of the same port type.
Step 5 show running-config | include define: Show the defined interface range macro configuration.

When using the define interface-range global configuration command, note these guidelines. Valid entries for interface-range, depending on port types on the switch:
vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094
port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48
Note When you use the interface range command with port channels, the first and last port-channel number must be active port channels.

You must add a space between the first interface number and the hyphen when entering an interface-range. The VLAN interfaces must have been configured with the interface vlan command. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.

All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.

Default Ethernet interface settings:

Port enable state: All ports are enabled.
Port description: None defined.
Speed: Autonegotiate.
Duplex mode: Autonegotiate.
Flow control: Flow control is set to receive: off.
Broadcast, multicast, and unicast storm control: Disabled.
Protected port: Disabled (Layer 2 interfaces only).
Port security: Disabled (Layer 2 interfaces only).
Port Fast: Disabled.
Keepalive messages: Disabled on SFP module ports; enabled on all other ports.
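The interface range and define interface-range commands described above (before the default settings list), used to push one access-port baseline and one trunk baseline so that every port in a role carries the same settings. This is an added example, not from the guide; the macro names, VLAN IDs and port numbers are illustrative, and it assumes a switch with GigabitEthernet0/1 through 0/26 where 0/25 and 0/26 are uplinks.

```cisco
! Added example (not from the guide): role-based baselines via range macros.
! Macro names, VLANs and port numbers are illustrative.
Switch# configure terminal

! Comma-separated ranges repeat the interface type and keep spaces around the
! comma and the hyphen, as the guidelines above require. Macros are saved in NVRAM.
Switch(config)# define interface-range USER_PORTS gigabitethernet0/1 - 20 , gigabitethernet0/23 - 24
Switch(config)# define interface-range UPLINKS gigabitethernet0/25 - 26

! Access baseline: fixed access mode (no DTP), sticky-free port security,
! PortFast with BPDU guard so a rogue switch on a user port is err-disabled.
Switch(config)# interface range macro USER_PORTS
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
Switch(config-if-range)# exit

! Trunk baseline: explicit 802.1Q, no DTP negotiation, only the VLANs needed.
Switch(config)# interface range macro UPLINKS
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# switchport trunk allowed vlan 10,20
Switch(config-if-range)# exit

! Unused ports (0/21-22): park in an unused VLAN and shut down. A plain range
! works here; the range is small and not reused.
Switch(config)# interface range gigabitethernet0/21 - 22
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown
Switch(config-if-range)# end

! Verify the saved macros and the resulting per-port state
Switch# show running-config | include define
Switch# show interfaces status
Switch# copy running-config startup-config
```

Because every port of a role is configured through the same macro, a later audit of show running-config needs to check two baselines rather than 26 individual ports, and a port that drifts from its role stands out.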

Step 2 interface interface-id: Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.
Step 3 media-type {auto-select | rj45 | sfp}: Select the interface and type of a dual-purpose uplink port. The keywords have these meanings:

auto-select—The switch dynamically selects the type. When link up is achieved, the switch disables the other type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up. In auto-select mode, the switch configures both types with autonegotiation of speed and duplex (the default). Depending on the type of installed SFP module, the switch might not be able to dynamically select it. For more information, see the information that follows this procedure.

rj45—The switch disables the SFP module interface. If you connect an SFP module to this port, it cannot attain a link even if the RJ-45 side is down or is not connected. You can configure the speed and duplex settings consistent with this interface type.

sfp—The switch disables the RJ-45 interface. If you connect a cable to the RJ-45 port, it cannot attain a link even if the SFP module side is down or is not connected. Based on the type of installed SFP module, you can configure the speed and duplex settings consistent with this interface type.

Step 5 show interfaces interface-id transceiver properties: Verify your setting. If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side.

When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.

Setting the Interface Speed and Duplex Parameters

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:

Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the physical interface to be configured, and enter interface configuration mode.
Step 3 speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}: Enter the appropriate speed parameter for the interface, or enter auto to enable the interface to autonegotiate speed with the connected device. If you use the 10, 100, or 1000 keywords with the auto keyword, the port autonegotiates only at the specified speeds.

The nonegotiate keyword is available only for SFP module ports. Step 6 show interfaces interface-id Display the interface speed and duplex mode configuration. Step 7 copy running-config startup-config Optional Save your entries in the configuration file. These rules apply to flow control settings on the device: receive on or desired : The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames; the port can receive pause frames.

In case of congestion, no indication is given to the link partner, and no pause frames are sent or received by either device. Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 5 show interfaces interface-id Verify the interface flow control settings. Step 3 speed auto Configure the interface to autonegotiate speed with the connected device. Step 4 duplex auto Configure the interface to autonegotiate duplex mode with the connected device.

Step 7 show controllers ethernet-controller interface-id phy Verify the operational state of the auto-MDIX feature on the interface. Step 8 copy running-config startup-config Optional Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a PoE-capable port: Command Purpose Step 1 configure terminal Enter global configuration mode.

Step 2 interface interface-id Specify the physical port to be configured, and enter interface configuration mode. The keywords have these meanings: auto—Enable powered-device detection. If enough power is available, automatically allocate power to the PoE port after device detection. This is the default setting. Optional max max-wattage—Limit the power allowed on the port. If no value is specified, the maximum is allowed. Pre-allocate reserve power for a port before the switch discovers the powered device.

The switch reserves power for this port even when no device is connected and guarantees that power will be provided upon device detection. Step 5 show power inline [interface-id] Display PoE status for a switch or for the specified interface. Caution You should carefully plan your switch power budget and make certain not to oversubscribe the power supply.

Take precautions not to oversubscribe the power supply. It is recommended to enable power policing if the switch supports it. Refer to the documentation. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch: Command Purpose Step 1 configure terminal Enter global configuration mode.

Step 3 power inline consumption default wattage Configure the power consumption of powered devices connected to each PoE port on the switch. Step 5 show power inline consumption Display the power consumption status. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to a specific PoE port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 3 interface interface-id Specify the physical port to be configured, and enter interface configuration mode.

Step 4 power inline consumption wattage Configure the power consumption of a powered device connected to a PoE port on the switch. Step 6 show power inline consumption Display the power consumption status. Beginning in privileged EXEC mode, follow these steps to enable policing of the real-time power consumption of a powered device connected to a PoE port: Command Purpose Step 1 configure terminal Enter global configuration mode. Generate a syslog message while still providing power to the port—Enter the power inline police action log command.

Step 4 exit Return to global configuration mode. Step 5 errdisable detect cause inline-power and errdisable recovery cause inline-power and errdisable recovery interval interval Optional Enable error recovery from the PoE error-disabled state, and configure the PoE recovery mechanism variables.

By default, the recovery interval is seconds. Step 7 show power inline police show errdisable recovery Display the power monitoring status, and verify the error recovery settings. The show env power inline privileged EXEC command provides information about powering options and power backup on your switch: Switch show env power PoE Power - Available Back-up : In the absence of 'Available' power mode, the PoE received on this link is used for powering this switch and providing PoE pass-through if applicable.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface for which you are adding a description, and enter interface configuration mode.

Step 3 description string Add a description up to characters for an interface. Step 5 show interfaces interface-id description or show running-config Verify your entry. This example shows how to add a description on a port and how to verify the description: Switch config terminal Enter configuration commands, one per line. To delete an SVI, use the no interface vlan global configuration command. You cannot delete interface VLAN 1. Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command.

Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports. If the switch is using maximum hardware resources, attempts to create a routed port or SVI have these results: If you try to create a new routed port, the switch generates a message that there are not enough resources to convert the interface to a routed port, and the interface remains as a switchport. If the switch attempts to boot up with a configuration that has more VLANs and routed ports than hardware can support, the VLANs are created, but the routed ports are shut down, and the switch sends a message that this was due to insufficient hardware resources.

Step 3 no switchport For physical ports only, enter Layer 3 mode. Step 5 no shutdown Enable the interface. Step 7 show interfaces [ interface-id ] show ip interface [ interface-id ] show running-config interface [ interface-id ] Verify the configuration. This example shows how to configure a port as a routed port and to assign it an IP address: Switch configure terminal Enter configuration commands, one per line.

Step 2 interface interface-id Specify a Layer 2 interface (physical port or port channel), and enter interface configuration mode. Step 5 show running-config interface interface-id show interface interface-id switchport Optional Show the running configuration. Verify the configuration.

This example shows how to configure an access or trunk port in an SVI to be excluded from the status calculation: Switch configure terminal Enter configuration commands, one per line. A defined method list overrides the default method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.

You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.

If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication: The default method list is automatically applied to all ports. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.

Before you can use this authentication method, you must define a line password. Use the password password line configuration command. You must enter username information in the database. Use the username name password global configuration command.

You must enter username information in the database by using the username name password global configuration command. Enter line configuration mode, and configure the lines to which you want to apply the authentication list. To disable AAA, use the no aaa new-model global configuration command. Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command.

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured. The exec keyword might return user profile information such as autocommand information. The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming.

Each accounting record contains accounting attribute-value AV pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. This section describes how to enable and configure the RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes.

Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. In an IP-based network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.

See Figure. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources such as time, packets, bytes, and so forth used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs. When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:

The user is prompted to enter a username and password. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied. A standard RADIUS interface is typically used in a pulled model where the request originates from a network attached device and the response comes from the queried servers. However, some basic configuration is required for the following attributes:

Change of Authorization (CoA) requests, as described in RFC, are used in a push model to allow for session identification, host reauthentication, and session termination. The model consists of one request (CoA-Request) and two possible response codes: The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported by the switch for session termination.

Table lists the IETF attributes that are supported for this feature. Table lists the possible values for the Error-Cause attribute. To use the CoA interface, a session must already exist on the switch. CoA can be used to identify a session and enforce a disconnect request. The update affects only the specified session. The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table. For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one or more of the following attributes:

For disconnect and CoA requests targeted to a particular session, any one of the following session identifiers can be used: If more than one session identification attribute is included in the message, all the attributes must match the session or the switch returns a Disconnect-NAK (negative acknowledgement) or CoA-NAK with the error code "Invalid Attribute Value."

If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure. Use show commands to verify a successful CoA. The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile such as a guest VLAN.

A reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are known. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an access-request to the server, passing the same identity attributes used for the initial successful authentication.

If session authentication is in progress when the switch receives the command, the switch terminates the process, and restarts the authentication sequence, starting with the method configured to be attempted first.

If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar policies, the reauthentication message restarts the access control methods, beginning with the method configured to be attempted first. The current authorization of the session is maintained until the reauthentication leads to a different authorization result. There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session, without disabling the host port.

This command causes re-initialization of the authenticator state machine for the specified host, but does not restrict that host's access to the network. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host. When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable the port).

This command is a standard Disconnect-Request. Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the "Session Identification" section. If the session is located, the switch terminates the session.

After the session has been completely removed, the switch returns a Disconnect-ACK. If the switch fails over to a standby switch before returning a Disconnect-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is restarted on the new active switch.

Note A Disconnect-Request failure following command re-sending could be the result of either a successful session termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means (for example, a link failure) that occurred after the original command was issued and before the standby switch became active.

If the session is located, the switch disables the hosting port for a period of 10 seconds, re-enables it (port-bounce), and returns a CoA-ACK. If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is re-started on the new active switch.
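The session-identification and termination rules described above, modelled in Python as an added example; this is not code from the configuration guide or from Cisco IOS. The identification attribute names and the numeric Error-Cause values are assumed from RFC 5176 and Cisco documentation rather than taken from this page, and the session table is constructed test data.

```python
from dataclasses import dataclass, field

# Identification attributes a request may carry (assumed from RFC 5176 and
# Cisco documentation; this page lists them only by reference).
SESSION_ID_ATTRS = ("Acct-Session-Id", "Calling-Station-Id", "User-Name",
                    "Framed-IP-Address", "Audit-Session-Id")

# RFC 5176 Error-Cause values (assumed from the RFC; the page gives only the text).
MISSING_ATTRIBUTE = 402
UNSUPPORTED_SERVICE = 405
INVALID_ATTRIBUTE_VALUE = 407

BOUNCE_SECONDS = 10  # the text: hosting port disabled for 10 seconds, then re-enabled


@dataclass
class Session:
    port: str
    attrs: dict
    state: str = "authorized"


@dataclass
class Switch:
    sessions: list = field(default_factory=list)
    port_state: dict = field(default_factory=dict)

    def locate(self, attrs):
        """Find the session that every supplied identification attribute matches.

        Returns (session, None) on success, or (None, error_cause) when the
        request carries no identifier or the identifiers do not all match.
        """
        ident = {k: v for k, v in attrs.items() if k in SESSION_ID_ATTRS}
        if not ident:
            return None, MISSING_ATTRIBUTE
        for session in self.sessions:
            if all(session.attrs.get(k) == v for k, v in ident.items()):
                return session, None
        # A partial match is not a match: NAK with "Invalid Attribute Value".
        return None, INVALID_ATTRIBUTE_VALUE

    def disconnect_request(self, attrs):
        """Disconnect-Request (POD): terminate the session, leave the port up."""
        session, err = self.locate(attrs)
        if session is None:
            return "Disconnect-NAK", err
        self.sessions.remove(session)          # removed before the ACK is sent
        return "Disconnect-ACK", None

    def coa_request(self, attrs, command):
        """CoA-Request carrying one of the commands the text describes."""
        session, err = self.locate(attrs)
        if session is None:
            return "CoA-NAK", err
        if command == "reauthenticate":
            # authenticator restarts; current authorization kept until a new result
            session.state = "reauthenticating"
        elif command == "bounce-host-port":
            self.port_state[session.port] = f"down {BOUNCE_SECONDS}s, then up"
        elif command == "disable-host-port":
            self.port_state[session.port] = "shutdown"
            self.sessions.remove(session)      # shutting down the port ends the session
        else:
            return "CoA-NAK", UNSUPPORTED_SERVICE
        return "CoA-ACK", None


def build_demo_switch():
    """Constructed session table with two authorized hosts."""
    sw = Switch()
    sw.sessions.append(Session("Gi0/1", {"Acct-Session-Id": "0001",
                                         "Calling-Station-Id": "00-11-22-33-44-55",
                                         "User-Name": "alice"}))
    sw.sessions.append(Session("Gi0/2", {"Acct-Session-Id": "0002",
                                         "Calling-Station-Id": "00-11-22-33-44-66",
                                         "User-Name": "printer"}))
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    # right session id but wrong user: every identifier must match -> NAK 407
    print(sw.disconnect_request({"Acct-Session-Id": "0001", "User-Name": "bob"}))
    print(sw.coa_request({"User-Name": "printer"}, "bounce-host-port"))
    print(sw.disconnect_request({"Acct-Session-Id": "0001"}), len(sw.sessions))
```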

The software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that method does not respond, the software selects the next method in the list. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings.

To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands.

You can configure the switch to use AAA server groups to group existing server hosts for authentication. This procedure is required. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. Always configure the key as the last item in the radius-server host command.

Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different.

The switch software searches for hosts in the order in which you specify them. To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
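The method-list rules (a later method is consulted only on an error, never on a failed authentication) and the RADIUS host fail-over and global-versus-per-server settings described above, simulated in Python as an added example; this is not code from the configuration guide or from Cisco IOS. Server addresses, keys, credentials and the server responses are constructed, and the per-server retransmit value of 1 is an arbitrary override chosen to show the precedence rule.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"

# radius-server timeout / radius-server retransmit global values
# (the text's defaults: 5 seconds and 3 retransmissions)
GLOBAL_RADIUS = {"timeout": 5, "retransmit": 3}


def parse_radius_key(raw: str) -> str:
    """Key rule from the text: leading spaces are ignored, spaces within and at
    the end are part of the key, and quotation marks are kept as key characters."""
    return raw.lstrip(" ")


@dataclass
class RadiusHost:
    """One radius-server host entry; None means 'inherit the global value'."""
    address: str
    auth_port: int
    key: str
    timeout: Optional[int] = None
    retransmit: Optional[int] = None
    # constructed stand-in for the network: ACCEPT/REJECT, or None for no reply
    responder: Callable[[str, str], Optional[str]] = lambda user, password: None
    attempts: int = 0  # how many times this host was tried (for inspection)

    def setting(self, name: str) -> int:
        value = getattr(self, name)
        return GLOBAL_RADIUS[name] if value is None else value


def radius_group(hosts):
    """Method 'group radius': hosts are tried in configured order, each for
    1 + retransmit attempts; a reply of any kind ends the search."""
    def method(user, password):
        for host in hosts:
            for _ in range(1 + host.setting("retransmit")):
                host.attempts += 1
                reply = host.responder(user, password)
                if reply is not None:
                    return reply          # ACCEPT or REJECT; later hosts not consulted
        return ERROR                      # no host answered: an error, not a failure
    return method


def local_database(users: dict):
    """Method 'local': always answers, so nothing listed after it is consulted."""
    def method(user, password):
        return ACCEPT if users.get(user) == password else REJECT
    return method


def login(method_list, user, password):
    """aaa authentication login semantics: ERROR -> next method,
    ACCEPT or REJECT -> stop. Returns (result, deciding method name)."""
    for name, method in method_list:
        result = method(user, password)
        if result != ERROR:
            return result, name
    return REJECT, "none"   # every method errored; access is denied


def demo(radius_reachable: bool, password: str):
    """Constructed scenario: method list 'group radius local' with one dead
    and one live host. The live host knows only alice/r4dius-pw; the local
    database knows alice/local-pw. Returns (result, method, dead-host attempts)."""
    dead = RadiusHost("198.51.100.10", 1812, parse_radius_key("  dead key "),
                      retransmit=1)                     # per-server override of 3
    live = RadiusHost("198.51.100.11", 1812, "live key",
                      responder=lambda u, p: ACCEPT if (u, p) == ("alice", "r4dius-pw")
                      else REJECT)
    if not radius_reachable:
        live.responder = lambda u, p: None
    methods = [("group radius", radius_group([dead, live])),
               ("local", local_database({"alice": "local-pw"}))]
    result, method = login(methods, "alice", password)
    return result, method, dead.attempts


if __name__ == "__main__":
    # RADIUS up and rejecting: the local database is never consulted
    print(demo(True, "local-pw"))
    # every RADIUS host silent: the list falls through to local
    print(demo(False, "local-pw"))
```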

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: These settings include the IP address of the switch and the key string to be shared by both the server and the switch. Beginning in privileged EXEC mode, follow these steps to configure login authentication. Use the username name password global configuration command.

You must enter username information in the database by using the username name password global configuration command. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

If you configure two different host entries on the same RADIUS server for the same service (for example, accounting), the second configured host entry acts as a fail-over backup to the first one. You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.

To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. The second host entry acts as a fail-over backup to the first entry. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session.

You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters: The default is 3; the range is 1 to The default is 5 seconds; the range is 1 to Specify the number of minutes for which a RADIUS server that is not responding to authentication requests is skipped, so that the switch does not wait for the request to time out before trying the next configured server.

The default is 0; the range is 1 to minutes. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands. Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.

Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format: Protocol is a value of the Cisco protocol attribute for a particular type of authorization. This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.

To disable the key, use the no radius-server key global configuration command. This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad between the switch and the server: Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server. Optional Configure the switch to ignore a CoA request to temporarily disable the port hosting a session.

The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change. Optional Configure the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down.

Shutting down the port results in termination of the session. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command. This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.

To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco. For more information, see the release notes for this release. Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources.

Kerberos uses the concept of a trusted third party to perform secure verification of users and services. This trusted third party is called the key distribution center (KDC). Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in user credential caches.

The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services. Note A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication without encrypting another password wherever that user credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs). Table lists the common Kerberos-related terms and definitions: A process by which a user or service identifies itself to another service.

For example, a client can authenticate to a switch or a switch can authenticate to another switch. A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform. A general term that refers to authentication tickets, such as TGTs and service credentials. Kerberos credentials verify the identity of a user or service.

If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password. Credentials have a default lifespan of eight hours. An authorization level label for Kerberos principals. The Kerberos instance can be used to specify the authorization level for the user if authentication is successful. The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so.

Note The Kerberos principal and instance names must be in all lowercase characters. Note The Kerberos realm name must be in all uppercase characters. Key distribution center that consists of a Kerberos server and database program that is running on a network host. A term that describes applications and services that have been modified to support the Kerberos credential infrastructure.

A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. A daemon that is running on a network host.

Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services. A password that a network service shares with the KDC. Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server. Note The Kerberos principal name must be in all lowercase characters.

A credential for a network service. The password is also shared with the user TGT. Ticket granting ticket that is a credential that the KDC issues to authenticated users. A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol.

Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services. To authenticate to network services by using a Catalyst switch as a Kerberos server, remote users must follow these steps: Authenticating to a Boundary Switch. Authenticating to Network Services. This section describes the first layer of security through which a remote user must pass.

The user must first authenticate to the boundary switch. This process then occurs: The user opens an un-Kerberized Telnet connection to the boundary switch. The switch prompts the user for a username and password. The switch attempts to decrypt the TGT by using the password that the user entered. A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services.

The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch. This section describes the second layer of security through which a remote user must pass. This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm.

So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other. You also create entries for the users in the KDC database. When you add or create entries for the hosts and users, follow these guidelines:

The switch then handles authentication and authorization. No accounting is available in this configuration. Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

Enter the local database, and establish a username-based authentication system. Level 0 gives user EXEC mode access. Enter 7 to specify that a hidden password follows. To use this feature, you must install the cryptographic (encrypted) software image on your switch. Note For complete syntax and usage information for the commands used in this section, see the command reference for this release and the command reference for Cisco IOS Release. SSH is a protocol that provides a secure, remote connection to a device.

SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command. If it does, you must configure a hostname by using the hostname global configuration command. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.

Download the cryptographic software image from Cisco. This step is required. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. For more information, see the "Configuring the Switch for Local Authentication and Authorization" section. This procedure is required if you are configuring the switch as an SSH server.

When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. The range is 0 to seconds. This parameter applies to the SSH negotiation phase.

After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. The default is 3; the range is 0 to 5. This limits the router to only SSH connections.

To use this feature, the cryptographic (encrypted) software image must be installed on your switch. For more information about the crypto image, see the release notes for this release. The HTTP 1. Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices. These services provide centralized security key and certificate management for the participating devices.

Specific CA servers are referred to as trustpoints. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies such as testing.

If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server or client is automatically generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned. A persistent certificate remains active if you reboot the switch or if you disable the secure HTTP server, so that it will be there the next time you re-enable a secure HTTP connection.

Note The certificate authorities and trustpoints must be configured on each device individually. Copying them from other devices makes them invalid on the switch. If a self-signed certificate has been generated, this information is included in the output of the show running-config privileged EXEC command. This is a partial sample output from that command displaying a self-signed certificate. You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto pki trustpoint TP-self-signed global configuration command.

If you later re-enable a secure HTTP server, a new self-signed certificate is generated. Note The values that follow TP-self-signed depend on the serial number of the device. Authenticating the client provides more security than server authentication by itself.

A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4. For the best possible encryption, you should use a client browser that supports bit encryption, such as Microsoft Internet Explorer Version 5.

The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed): RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured.

Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. A CA trustpoint is more secure than a self-signed certificate. Specify the hostname of the switch (required only if you have not previously configured a hostname).

The hostname is required for security keys and certificates. Specify the IP domain name of the switch (required only if you have not previously configured an IP domain name). The domain name is required for security keys and certificates. (Optional) Generate an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed.

Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode. Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked. (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests.

Exit CA trustpoint configuration mode and return to global configuration mode. Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair. Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.

If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server. After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers.

You should see one of these lines in the output: The default port number is Valid options are or any number in the range to If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default. The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client. Specify the CA trustpoint to use to get an X. Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure.

The path specifies the location of the HTTP server files on the local system (usually located in system flash memory). The range is 1 to 16; the default value is 5. (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances: The default is seconds (3 minutes). The range is 1 to seconds (24 hours).

The default is seconds. The maximum value is The default is 1. Use the no ip http server global configuration command to disable the standard HTTP server. Use the no ip http secure-server global configuration command to disable the secure HTTP server. Use the no ip http secure-port and the no ip http secure-ciphersuite global configuration commands to return to the default settings. Use the no ip http secure-client-auth global configuration command to remove the requirement for client authentication.

If you configure a port other than the default port, you must also specify the port number after the URL. For example: A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure.
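The SSH and secure-HTTP settings described above can be checked against a saved running-config. The script below is an added example, not Cisco's code: the config text is constructed, the trustpoint suffix is a placeholder for the serial number, and the finding wording is this example's own.

```python
"""Audit a Catalyst running-config excerpt for the SSH and secure-HTTP
settings the guide describes.  Added example, not Cisco's code: the
config text below is constructed, and the finding wording is this
example's own."""

# Constructed sample (not from a real device); the trustpoint suffix is a
# placeholder where a real switch shows its serial number.
SAMPLE_CONFIG = """\
hostname sw-lab-1
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 3
ip http server
ip http secure-server
ip http max-connections 5
crypto pki trustpoint TP-self-signed-PLACEHOLDER
 enrollment selfsigned
line vty 0 4
 transport input ssh telnet
"""


def parse_config(text):
    """Split IOS config into top-level commands and indented sub-commands.

    Returns (top, sections): top is the ordered list of top-level lines,
    sections maps a top-level line to the stripped lines indented under it.
    """
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []

    # Cleartext HTTP alongside (or instead of) HTTPS: the guide's
    # 'no ip http server' disables the standard server.
    if "ip http server" in top:
        findings.append("cleartext 'ip http server' is enabled; disable it once HTTPS works")

    if "ip http secure-server" in top:
        # A TP-self-signed trustpoint with no CA trustpoint bound via
        # 'ip http secure-trustpoint' means clients see a warning they must accept.
        uses_selfsigned = any(t.startswith("crypto pki trustpoint TP-self-signed") for t in top)
        has_ca_tp = any(t.startswith("ip http secure-trustpoint ") for t in top)
        if uses_selfsigned and not has_ca_tp:
            findings.append("HTTPS relies on a self-signed certificate; configure a CA trustpoint")
        # Default behaviour: the server does not authenticate the client.
        if "ip http secure-client-auth" not in top:
            findings.append("HTTPS server does not require client certificates")

    # vty lines should accept SSH only ('transport input ssh').
    for line, body in sections.items():
        if line.startswith("line vty"):
            for cmd in body:
                if cmd.startswith("transport input") and cmd != "transport input ssh":
                    findings.append(f"{line}: '{cmd}' permits non-SSH access")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```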


SVIs support routing protocols and bridging configurations. Note The IP base image supports static routing and RIP; for more advanced routing or for fallback bridging, you must have the IP services image installed.

You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line-state up-and-down calculation. For example, if the only active port on the VLAN is a monitoring port, you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down. When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port.

This prevents features such as routing protocols from using the VLAN interface as if it were fully operational and minimizes other problems, such as routing black holes. EtherChannel port groups treat multiple switch ports as one switch port. An EtherChannel port group acts as a single logical port for high-bandwidth connections between switches or between switches and servers. An EtherChannel balances the traffic load across the links in the channel.

If a link within the EtherChannel fails, traffic previously carried over the failed link changes to the remaining links. You can group multiple trunk ports into one logical trunk port, group multiple access ports into one logical access port, group multiple tunnel ports into one logical tunnel port, or group multiple routed ports into one logical routed port.

Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to the EtherChannel. Use the channel-group interface configuration command to dynamically create the port-channel logical interface. This command binds the physical and logical ports together. For Layer 3 interfaces, you manually create the logical interface by using the interface port-channel global configuration command.

Then you manually assign an interface to the EtherChannel by using the channel-group interface configuration command. Some switches support dual-purpose uplink ports. Each uplink port is considered as a single interface with dual front ends—an RJ connector and a small form-factor pluggable SFP module connector. The dual front ends are not redundant interfaces, and the switch activates only one connector of the pair. By default, the switch dynamically selects the interface type that first links up.

However, you can use the media-type interface configuration command to manually select the RJ connector or the SFP module connector. The port LED is on for whichever connector is active. For more information about the LEDs, see the hardware installation guide. PoE switch ports automatically supply power to these connected devices if the switch senses that there is no power on the circuit: A powered device can receive redundant power when it is connected only to a PoE switch port and to an AC power source.

The switch uses these protocols and standards to support PoE: High-power devices can operate in low-power mode on switches that do not support power-negotiation CDP. Devices in low-power mode are not fully functional. Cisco intelligent power management is backward-compatible with CDP with power consumption; the switch responds according to the CDP message that it receives. CDP is not supported on third-party powered devices; therefore, the switch uses the IEEE classification to determine the power usage of the device.

The switch detects a Cisco prestandard or an IEEE-compliant powered device when the PoE-capable port is in the no-shutdown state, PoE is enabled (the default), and the connected device is not being powered by an AC adapter. After device detection, the switch determines the device power requirements based on its type: The initial power allocation is the maximum amount of power that a powered device requires. The switch initially allocates this amount of power when it detects and powers the powered device.

As the switch receives CDP messages from the powered device and as the powered device negotiates power levels with the switch through CDP power-negotiation messages, the initial power allocation might be adjusted. The switch monitors and tracks requests for power and grants power only when it is available.

The switch tracks its power budget (the amount of power available on the switch for PoE). The switch performs power-accounting calculations when a port is granted or denied power to keep the power budget up to date. After power is applied to the port, the switch uses CDP to determine the actual power consumption requirement of the connected Cisco powered devices, and the switch adjusts the power budget accordingly.

This does not apply to third-party PoE devices. The switch processes a request and either grants or denies power. If the request is granted, the switch updates the power budget. If the request is denied, the switch ensures that power to the port is turned off, generates a syslog message, and updates the LEDs.

Powered devices can also negotiate with the switch for more power. If the switch detects a fault caused by an undervoltage, overvoltage, overtemperature, oscillator-fault, or short-circuit condition, it turns off power to the port, generates a syslog message, and updates the power budget and LEDs.

If the switch has enough power for all the powered devices, they all come up. If enough power is available for all powered devices connected to the switch, power is turned on to all devices. If there is not enough available PoE, or if a device is disconnected and reconnected while other devices are waiting for power, it cannot be determined which devices are granted or are denied power.

If granting power would exceed the system power budget, the switch denies power, ensures that power to the port is turned off, generates a syslog message, and updates the LEDs. After power has been denied, the switch periodically rechecks the power budget and continues to attempt to grant the request for power. If a device being powered by the switch is then connected to wall power, the switch might continue to power the device.

The switch might continue to report that it is still powering the device whether the device is being powered by the switch or receiving power from an AC power source. If a powered device is removed, the switch automatically detects the disconnect and removes power from the port. You can connect a nonpowered device without damaging it. You can specify the maximum wattage that is allowed on the port. If the IEEE class maximum wattage of the powered device is greater than the configured maximum value, the switch does not provide power to the port.

If the switch powers a powered device, but the powered device later requests through CDP messages more than the configured maximum value, the switch removes power to the port. The power that was allocated to the powered device is reclaimed into the global power budget. If you do not specify a wattage, the switch delivers the maximum value.

Use the auto setting on any PoE port. The auto mode is the default setting. However, if the powered-device IEEE class is greater than the maximum wattage, the switch does not supply power to it. If the switch learns through CDP messages that the powered device needs more than the maximum wattage, the powered device is shut down.

If you do not specify a wattage, the switch pre-allocates the maximum value. The switch powers the port only if it discovers a powered device. Use the static setting on a high-priority interface. Note Power policing is supported only on Catalyst C switches.

When policing of the real-time power consumption is enabled, the switch takes action when a powered device consumes more power than the maximum amount allocated, also referred to as the cutoff-power value. When PoE is enabled, the switch senses the real-time power consumption of the powered device and monitors the power consumption of the connected powered device; this is called power monitoring or power sensing.

The switch also uses the power policing feature to police the power usage. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.

The switch senses the power consumption of the connected device as follows: The switch monitors the real-time power consumption on individual ports. If power policing is enabled, the switch polices power usage by comparing the real-time power consumption to the maximum power allocated to the device. If the device uses more than the maximum power allocation on the port, the switch can either turn off power to the port, or the switch can generate a syslog message and update the LEDs (the port LED is now blinking amber) while still providing power to the device, based on the switch configuration.

By default, power-usage policing is disabled on all PoE ports. If error recovery from the PoE error-disabled state is enabled, the switch automatically takes the PoE port out of the error-disabled state after the specified amount of time. If error recovery is disabled, you can manually re-enable the PoE port by using the shutdown and no shutdown interface configuration commands.

If policing is disabled, no action occurs when the powered device consumes more than the maximum power allocation on the PoE port, which could adversely affect the switch. When power policing is enabled, the switch determines the cutoff power on the PoE port in this order: Manually when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command. Manually when you set the user-defined power level that limits the power allowed on the port by using the power inline auto max max-wattage or the power inline static max max-wattage interface configuration command.

Use the first or second method in the previous list to manually configure the cutoff-power value by entering the power inline consumption default wattage or the power inline [auto | static] max max-wattage command. If you do not manually configure the cutoff-power value, the switch automatically determines the value by using CDP power negotiation. If the switch cannot determine the value by using one of these methods, it uses the default value of If a powered device consumes more than The port remains in the fault state for a time before attempting to power on again.

If the port continuously draws more than If CDP is disabled after the switch has locked on it, the switch does not respond to LLDP power requests and can no longer power on any accessories. In this case, you should restart the powered device.

You can configure the initial power allocation and the maximum power allocation on a port. However, these values are only the configured values that determine when the switch should turn on or turn off power on the PoE port. The maximum power allocation is not the same as the actual power consumption of the powered device.

The actual cutoff power value that the switch uses for power policing is not equal to the configured power value. When power policing is enabled, the switch polices the power usage at the switch port, which is greater than the power consumption of the device.

When you manually set the maximum power allocation, you must consider the power loss over the cable from the switch port to the powered device. The cutoff power is the sum of the rated power consumption of the powered device and the worst-case power loss over the cable.

The actual amount of power consumed by a powered device on a PoE port is the cutoff-power value plus a calibration factor of mW 0. The actual cutoff value is approximate and varies from the configured value by a percentage of the configured value. For example, if the configured cutoff power is 12 W, the actual cutoff-value is We recommend that you enable power policing when PoE is enabled on your switch. For example, if policing is disabled and you set the cutoff-power value by using the power inline auto max interface configuration command, the configured maximum power allocation on the PoE port is 6.

The switch provides power to the connected devices on the port if the device needs up to 6. If the CDP-power negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not provide power to the connected device. After the switch turns on power to the PoE port, the switch does not police the real-time power consumption of the device, and the device can consume more power than the maximum allocated amount, which could adversely affect the switch and the devices connected to the other PoE ports.
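The cutoff-power precedence and the policing actions described above, modelled as an added example (not Cisco code). The dataclass fields and mode names are this example's own, and the platform default wattage, which the page does not reproduce, is a labelled placeholder rather than the real figure.

```python
"""Model of the PoE cutoff-power precedence and power-policing actions the
guide describes.  Added example, not Cisco code: the dataclass fields,
mode names and the placeholder default wattage are this example's own."""
from dataclasses import dataclass
from typing import Optional

# The guide falls back to a fixed default cutoff when no other source
# applies; that value is not reproduced here, so this is a labelled
# placeholder, not the real figure.
PLACEHOLDER_DEFAULT_CUTOFF_W = 10.0


@dataclass
class PoePort:
    """Per-port inputs that determine the cutoff power (all optional)."""
    consumption_default_w: Optional[float] = None  # power inline consumption default <wattage>
    max_w: Optional[float] = None                  # power inline auto|static max <max-wattage>
    cdp_negotiated_w: Optional[float] = None       # value learned via CDP power negotiation
    policing: str = "off"                          # "off" (the default), "errdisable", or "log"


def cutoff_power(port, default_w=PLACEHOLDER_DEFAULT_CUTOFF_W):
    """Precedence from the guide: manual consumption default, then manual
    max, then CDP negotiation, then the platform default."""
    for candidate in (port.consumption_default_w, port.max_w, port.cdp_negotiated_w):
        if candidate is not None:
            return candidate
    return default_w


def manual_max_for(pd_rated_w, worst_case_cable_loss_w):
    """When setting max power by hand, budget for cable loss: the cutoff is
    the PD's rated consumption plus the worst-case loss over the cable."""
    return pd_rated_w + worst_case_cable_loss_w


def police(port, measured_at_port_w, default_w=PLACEHOLDER_DEFAULT_CUTOFF_W):
    """Decide what the switch does for a real-time draw measured at the
    switch port (which is higher than what the PD itself consumes)."""
    cutoff = cutoff_power(port, default_w)
    if measured_at_port_w <= cutoff:
        return "ok"
    if port.policing == "off":
        # Policing disabled (the default): no action, the over-draw continues.
        return "no-action"
    if port.policing == "log":
        # Syslog message plus blinking-amber LED; power stays on.
        return "syslog-and-led"
    # Power is removed and the port enters the PoE error-disabled state.
    return "errdisable"


if __name__ == "__main__":
    p = PoePort(max_w=12.0, cdp_negotiated_w=9.0, policing="errdisable")
    print("cutoff W:", cutoff_power(p), "action at 12.5 W:", police(p, 12.5))
```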

The switch can also receive power from an AC power source when you use the auxiliary power input. When both uplink ports and auxiliary power are connected, the auxiliary power input takes precedence. Although the switch might operate using two See Table for details about the switch power budget. The Catalyst CPD-8PT switch can provide power to end devices through the eight downlink ports in one of two ways:.

The downlink ports are PoE-capable, and each port can supply up to When the switch draws power from the uplink ports, the power budget (the available power on downlink ports) depends on the power source options shown in the table. When the switch receives power through the auxiliary connector, the power budget is similar to that of any other PoE switch. If the end device is PoE-capable on both signal and spare pairs but does not support the CDP or LLDP extensions required for UPoE, a 4-pair forced mode configuration automatically enables power on both signal and spare pairs from the switch port.

To enable the power on the pairs, follow these steps: Automatically enables or disables power on both signal and spare pairs from a switch port. When the switch detects a powered device on an interface, it provides the default power to the device. When the switch receives a CDP packet from the powered device, the power is automatically negotiated to a wattage required by the device.

Normally, this automatic negotiation works well, and no further configuration is required or recommended. However, you can specify the powered device's consumption for a particular interface to provide extra functionality from your switch. This operation is useful when CDP is disabled or not available. To change the power consumption of a single powered device, follow these steps:

Sets the PoE consumption (in milliwatts) of the powered device connected to a specific interface. The power consumption can range from to To reenable the automatic adjustment of consumption, use the no keyword.

The following examples show how to enable or disable the power negotiation protocols: Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router. With the IP services image, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging. Whenever possible, to maintain high performance, forwarding is done by the switch hardware.

Non-IP traffic and traffic with other encapsulation methods can be fallback-bridged by hardware. Console output appears on devices connected to both ports, but console input is active on only one port at a time. See the hardware installation guide for driver installation instructions.

The connected device must include a terminal emulation application. When the switch detects a valid USB connection to a powered-on device that supports host functionality such as a PC , input from the RJ console is immediately disabled, and input from the USB console is enabled.

An LED on the switch shows which console connection is in use. Every switch always first displays the RJ media type. In the sample output, the switch has a connected USB console cable. A short time later, the console changes, and the USB console log appears. You can configure the console type to always be RJ, and you can configure an inactivity timeout for the USB connector. Configure the console.

Enter line configuration mode. Configure the console media type to always be RJ. If you do not enter this command and both types are connected, the default is USB. (Optional) Save your entries in the configuration file. This configuration terminates an active USB console media type. A log shows that this termination has occurred. This example shows that the console on switch 1 reverted to RJ. At this point, the switch does not allow a USB console to have input. A log entry shows when a console cable is attached.

If a USB console cable is connected to switch 2, it is prevented from providing input. This example reverses the previous configuration and immediately activates any USB console that is connected. The configurable inactivity timeout reactivates the RJ console port if the USB console port is activated but no input activity occurs on it for a specified time period. When the USB console port is deactivated due to a timeout, you can restore its operation by disconnecting and reconnecting the USB cable.

Beginning in privileged EXEC mode, follow these steps to configure an inactivity timeout. Configure the console port. Enter console line configuration mode. Specify an inactivity timeout for the console port. The range is 1 to minutes.

The default is to have no timeout configured. This example configures the inactivity timeout to 30 minutes: If there is no input activity on a USB console port for the configured number of minutes, the inactivity timeout setting applies to the RJ port, and a log shows this occurrence:

At this point, the only way to reactivate the USB console port is to disconnect and reconnect the cable. When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears: You can also configure the switch to boot from the USB flash drive. Configure the switch to boot from the USB flash device.

The image is the name of the bootable image. This example configures the switch to boot from the Catalyst C flash device. The image is the Catalyst C universal image. To disable booting from flash, enter the no form of the command. This is sample output from the show usb device command: This is sample output from the show usb port command: The switch supports these interface types:

You can identify physical interfaces by looking at the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces. The remainder of this chapter primarily provides physical interface configuration procedures. Note Configuration examples and outputs in this book might not be specific to your switch, particularly regarding the presence of a stack member number.

These general instructions apply to all interface configuration processes. Step 2 Enter the interface global configuration command. Note Entering a space between the interface type and interface number is optional. Step 3 Follow each interface command with the configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface.

The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode. You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options. Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch.

A report is provided for each interface that the device supports or for the specified interface. You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.

Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters: Specify the range of interfaces (VLANs or physical ports) to be configured, and enter interface-range configuration mode. Use the normal configuration commands to apply the configuration parameters to all interfaces in the range. Each command is executed as it is entered.

Verify the configuration of the interfaces in the range. When using the interface range global configuration command, note these guidelines: Note When you use the interface range command with port channels, the first and last port-channel number must be active port channels. This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive flow-control pause frames:

If you enter multiple configuration commands while you are in interface-range mode, each command is executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If you exit interface-range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range.

Wait until the command prompt reappears before exiting interface-range configuration mode. You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro:

You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro. Show the defined interface range macro configuration. When using the define interface-range global configuration command, note these guidelines: This example shows how to create a multiple-interface macro named macro1:

Table shows the Ethernet interface default configuration. Note To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode.

This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.

Layer 2 or switching mode (switchport command). Switchport mode dynamic auto (supports DTP) (Layer 2 interfaces only). Flow control is set to receive: off. It is always off for sent packets. Disabled on all Ethernet ports. Port blocking (unknown multicast and unknown unicast traffic): Disabled (not blocked) (Layer 2 interfaces only). Disabled (Layer 2 interfaces only). This is regardless of whether auto-MDIX is enabled on the switch port. Disabled on SFP module ports; enabled on all other ports.

Note Only Catalyst switches have dual-purpose uplink ports. Beginning in privileged EXEC mode, follow these steps to select which dual-purpose uplink to activate so that you can set the speed and duplex. This procedure is optional. Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.

Select the interface and type of a dual-purpose uplink port. The keywords have these meanings: To return to the default setting, use the media-type auto interface or the no media-type interface configuration commands. If you configure auto-select, you cannot configure the speed and duplex interface configuration commands. When the switch powers on or when you enable a dual-purpose uplink port through the shutdown and the no shutdown interface configuration commands, the switch gives preference to the SFP module interface.

In all other situations, the switch selects the active link based on which type first links up. In full-duplex mode, two stations can send and receive traffic at the same time. These sections describe how to configure the interface speed and duplex mode: When configuring an interface speed and duplex mode, note these guidelines: Duplex options are not supported.

These modules support full- and half-duplex options but do not support autonegotiation. For information about which SFP modules are supported on your switch, see the product release notes. Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface: Specify the physical interface to be configured, and enter interface configuration mode. Enter the appropriate speed parameter for the interface:

Display the interface speed and duplex mode configuration. Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command. Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end.

If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

Note Ports on the switch can receive, but not send, pause frames. The default state is off. When set to desired, an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.

These rules apply to flow control settings on the device. Note For details on the command settings and the resulting flow control resolution on local and remote ports, see the flowcontrol interface configuration command in the command reference for this release. Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface. To disable flow control, use the flowcontrol receive off interface configuration command.

This example shows how to turn on flow control on a port. When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. When connecting switches without the auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.

With auto-MDIX enabled, you can use either type of cable to connect to other devices, and the interface automatically corrects for any incorrect cabling. For more information about cabling requirements, see the hardware installation guide. Auto-MDIX is enabled by default. When you enable auto-MDIX, you must also set the interface speed and duplex to auto so that the feature operates correctly.

Table shows the link states that result from auto-MDIX settings and correct and incorrect cabling. Configure the interface to autonegotiate speed with the connected device. Configure the interface to autonegotiate duplex mode with the connected device. Verify the operational state of the auto-MDIX feature on the interface. To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port. For most situations, the default configuration (auto mode) works well, providing plug-and-play operation.

No further configuration is required. However, use the following procedure to give a PoE port higher priority, to make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port. Note When you make PoE configuration changes, the port being configured drops power. Depending on the new configuration, the state of the other PoE ports, and the state of the power budget, the port might not be powered up again.

For example, port 1 is in the auto and on state, and you configure it for static mode. The switch removes power from port 1, detects the powered device, and repowers the port. If port 1 is in the auto and on state and you configure it with a maximum wattage of 10 W, the switch removes power from the port and then redetects the powered device. The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. Specify the physical port to be configured, and enter interface configuration mode.

Configure the PoE mode on the port. Note If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state. The switch allocates power to a port configured in static mode before it allocates power to a port configured in auto mode.

Display PoE status for a switch or for the specified interface. For information about the output of the show power inline user EXEC command, see the command reference for this release. When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly.

For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification. If the powered device is a Class 0 (class status unknown) or a Class 3, the switch budgets 15, milliwatts for the device, regardless of the actual amount of power needed. If the powered device reports a higher class than its actual consumption or does not support power classification (defaults to Class 0), the switch can power fewer devices because it uses the IEEE class information to track the global power budget.

By using the power inline consumption wattage configuration command, you can override the default power requirement specified by the IEEE classification. The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices.

You can then extend the switch power budget and use it more effectively. For example, if the switch budgets 15, milliwatts on each PoE port, you can connect only 24 Class 0 powered devices. If your Class 0 device power requirement is actually milliwatts, you can set the consumption wattage to milliwatts and connect up to 48 devices.

The total PoE output power available on a port or port switch is , milliwatts. Note When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device. When you enter the power inline consumption default wattage or the no power inline consumption default global configuration command, or the power inline consumption wattage or the no power inline consumption interface configuration command, this caution message appears.

If the power supply is over-subscribed to by up to 20 percent, the switch continues to operate but its reliability is reduced. If the power supply is over-subscribed to by more than 20 percent, the short-circuit protection circuitry triggers and shuts the switch down. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch.

Configure the power consumption of powered devices connected to each PoE port on the switch. Note When you use this command, we recommend you also enable power policing. To return to the default setting, use the no power inline consumption default global configuration command. Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to a specific PoE port.

Configure the power consumption of a powered device connected to a PoE port on the switch. To return to the default setting, use the no power inline consumption interface configuration command. For information about the output of the show power inline consumption privileged EXEC command, see the command reference for this release.
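
As an added illustration of the budgeting rules above (not code from this guide), the following Python model reserves power per port by IEEE class unless a consumption override is set, and applies the 20 percent over-subscription thresholds the text describes. The per-class allocations are the IEEE 802.3af values; the 370,000 mW total budget, the port names and the 7000 mW measured draw are assumed sample values.

```python
"""Model of the PoE power-budget rules described above.

Added example, not Cisco code. Per-class allocations are the IEEE 802.3af
PSE budgets; the total budget, port names and measured draw are assumed
sample values, not figures taken from this guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IEEE 802.3af power a PSE budgets for each PD class, in milliwatts.
# Class 0 (classification unknown) and Class 3 both reserve the maximum,
# which is why an unclassified device costs the full amount regardless of draw.
IEEE_CLASS_BUDGET_MW: Dict[int, int] = {0: 15400, 1: 4000, 2: 7000, 3: 15400}

# Assumed total PoE budget of the sample switch (constructed value).
SAMPLE_TOTAL_BUDGET_MW = 370_000


@dataclass
class PoePort:
    name: str
    pd_class: Optional[int]                # None: no powered device detected
    consumption_mw: Optional[int] = None   # interface-level 'power inline consumption'


def port_budget_mw(port: PoePort, default_consumption_mw: Optional[int] = None) -> int:
    """Power reserved for one port.

    Precedence follows the text: an interface-level override wins, then a
    global 'power inline consumption default', then the IEEE class budget.
    """
    if port.pd_class is None:
        return 0
    if port.consumption_mw is not None:
        return port.consumption_mw
    if default_consumption_mw is not None:
        return default_consumption_mw
    return IEEE_CLASS_BUDGET_MW[port.pd_class]


def evaluate_budget(ports: List[PoePort], total_budget_mw: int,
                    default_consumption_mw: Optional[int] = None) -> Dict[str, object]:
    """Sum the reservations and classify them against the 20 percent thresholds."""
    if total_budget_mw <= 0:
        raise ValueError("total budget must be positive")
    allocated = sum(port_budget_mw(p, default_consumption_mw) for p in ports)
    ratio = allocated / total_budget_mw
    if ratio <= 1.0:
        state = "ok"
    elif ratio <= 1.2:
        state = "oversubscribed"   # up to 20 percent over: runs with reduced reliability
    else:
        state = "shutdown"         # more than 20 percent over: protection shuts the switch down
    return {"allocated_mw": allocated,
            "remaining_mw": total_budget_mw - allocated,
            "state": state}


def max_devices(total_budget_mw: int, per_device_mw: int) -> int:
    """Number of identically budgeted devices that fit in the budget."""
    return total_budget_mw // per_device_mw


if __name__ == "__main__":
    # Constructed inventory: 48 ports, each with a Class 0 device attached.
    ports = [PoePort(f"Gi0/{i}", pd_class=0) for i in range(1, 49)]
    print("IEEE class budget :", evaluate_budget(ports, SAMPLE_TOTAL_BUDGET_MW))
    # Same devices after a global override to an assumed measured draw of 7000 mW.
    print("consumption 7000  :", evaluate_budget(ports, SAMPLE_TOTAL_BUDGET_MW, 7000))
    print("Class 0 devices that fit:", max_devices(SAMPLE_TOTAL_BUDGET_MW, 15400))
```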

Note Power policing is supported only on Catalyst C switches. By default, the switch monitors the real-time power consumption of connected powered devices. You can configure the switch to police the power usage. By default, policing is disabled. Beginning in privileged EXEC mode, follow these steps to enable policing of the real-time power consumption of a powered device connected to a PoE port. If the real-time power consumption exceeds the maximum power allocation on the port, configure the switch to take one of these actions.

Note You can enable error detection for the PoE error-disabled cause by using the errdisable detect cause inline-power global configuration command. You can also enable the timer to recover from the PoE error-disabled state by using the errdisable recovery cause inline-power interval interval global configuration command. If you do not enter the action keywords, the default action shuts down the port and puts the port in the error-disabled state.

(Optional) Enable error recovery from the PoE error-disabled state, and configure the PoE recovery mechanism variables. For interval interval, specify the time in seconds to recover from the error-disabled state. The range is 30 to. Display the power monitoring status, and verify the error recovery settings.

To disable policing of the real-time power consumption, use the no power inline police interface configuration command. To disable error recovery for PoE error-disabled cause, use the no errdisable recovery cause inline-power global configuration command. For information about the output from the show power inline police privileged EXEC command, see the command reference for this release.

You can configure the power management, budgeting, and policing on the Catalyst C compact switch PoE ports the same as with any other PoE switch. The show env power inline privileged EXEC command provides information about powering options and power backup on your switch.

You can see the available power and the power required by each connected device by entering the show power inline privileged EXEC command. Use the show power inline police privileged EXEC command to see power monitoring status.

The show power inline dynamic-priority command shows the power priority of each port. You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface. Specify the interface for which you are adding a description, and enter interface configuration mode. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command. This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.

To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco. For more information, see the release notes for this release.

Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted third party to perform secure verification of users and services.

This trusted third party is called the key distribution center (KDC). Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services.

Note A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication without encrypting another password wherever that user credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs). Table lists the common Kerberos-related terms and definitions. A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch or a switch can authenticate to another switch.

A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform. A general term that refers to authentication tickets, such as TGTs and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password.

Credentials have a default lifespan of eight hours. An authorization level label for Kerberos principals. The Kerberos instance can be used to specify the authorization level for the user if authentication is successful.

The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so. Note The Kerberos principal and instance names must be in all lowercase characters. Note The Kerberos realm name must be in all uppercase characters.

Key distribution center that consists of a Kerberos server and database program that is running on a network host. A term that describes applications and services that have been modified to support the Kerberos credential infrastructure. A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. A daemon that is running on a network host.

Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services. A password that a network service shares with the KDC. Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server. Note The Kerberos principal name must be in all lowercase characters. A credential for a network service. The password is also shared with the user TGT.

Ticket granting ticket that is a credential that the KDC issues to authenticated users. A Kerberos server can be a Catalyst switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services. To authenticate to network services by using a Catalyst switch as a Kerberos server, remote users must follow these steps.

Authenticating to a Boundary Switch. Authenticating to Network Services. This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs: The user opens an un-Kerberized Telnet connection to the boundary switch. The switch prompts the user for a username and password.

The switch attempts to decrypt the TGT by using the password that the user entered. A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch.

This section describes the second layer of security through which a remote user must pass. This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm. So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services.

To do this, you must identify them to each other. You also create entries for the users in the KDC database. When you add or create entries for the hosts and users, follow these guidelines. The switch then handles authentication and authorization. No accounting is available in this configuration. Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

Enter the local database, and establish a username-based authentication system. Level 0 gives user EXEC mode access. Enter 7 to specify that a hidden password follows. To use this feature, you must install the cryptographic (encrypted) software image on your switch. Note For complete syntax and usage information for the commands used in this section, see the command reference for this release and the command reference for Cisco IOS Release. SSH is a protocol that provides a secure, remote connection to a device.

SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command. If it does, you must configure a hostname by using the hostname global configuration command. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.

Download the cryptographic software image from Cisco. This step is required. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. For more information, see the "Configuring the Switch for Local Authentication and Authorization" section.

This procedure is required if you are configuring the switch as an SSH server. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. The range is 0 to seconds. This parameter applies to the SSH negotiation phase.

After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. The default is 3; the range is 0 to 5. This limits the router to only SSH connections.

To use this feature, the cryptographic (encrypted) software image must be installed on your switch. For more information about the crypto image, see the release notes for this release. The HTTP 1. Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices. These services provide centralized security key and certificate management for the participating devices.

Specific CA servers are referred to as trustpoints. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection.

This option is useful for internal network topologies such as testing. If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server or client is automatically generated.

If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned. This certificate remains active if you reboot the switch or if you disable the secure HTTP server so that it will be there the next time you re-enable a secure HTTP connection. Note The certificate authorities and trustpoints must be configured on each device individually. Copying them from other devices makes them invalid on the switch.

If a self-signed certificate has been generated, this information is included in the output of the show running-config privileged EXEC command. This is a partial sample output from that command displaying a self-signed certificate. You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto pki trustpoint TP-self-signed global configuration command.

If you later re-enable a secure HTTP server, a new self-signed certificate is generated. Note The values that follow TP-self-signed depend on the serial number of the device. Authenticating the client provides more security than server authentication by itself.

A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client (Web browser) offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4. For the best possible encryption, you should use a client browser that supports bit encryption, such as Microsoft Internet Explorer Version 5.

The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed). RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured.

Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. A CA trustpoint is more secure than a self-signed certificate. Specify the hostname of the switch (required only if you have not previously configured a hostname).

The hostname is required for security keys and certificates. Specify the IP domain name of the switch (required only if you have not previously configured an IP domain name). The domain name is required for security keys and certificates. (Optional) Generate an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch.

RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed. Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode. Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked. (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests. Exit CA trustpoint configuration mode and return to global configuration mode.

Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair.

Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA. If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server.

After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers. You should see one of these lines in the output.

The default port number is. Valid options are or any number in the range to. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default.

The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client. Specify the CA trustpoint to use to get an X. Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure. The path specifies the location of the HTTP server files on the local system (usually located in system flash memory).

The range is 1 to 16; the default value is 5. (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances. The default is seconds (3 minutes). The range is 1 to seconds (24 hours). The default is seconds. The maximum value is. The default is 1. Use the no ip http server global configuration command to disable the standard HTTP server. Use the no ip http secure-server global configuration command to disable the secure HTTP server.

Use the no ip http secure-port and the no ip http secure-ciphersuite global configuration commands to return to the default settings. Use the no ip http secure-client-auth global configuration command to remove the requirement for client authentication. If you configure a port other than the default port, you must also specify the port number after the URL. A certificate authority is required for secure HTTP client certification.

This procedure assumes that you have previously configured a CA trustpoint on the switch. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.

If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. Use the no ip http client secure-trustpoint name to remove a client trustpoint configuration. Use the no ip http client secure-ciphersuite to remove a previously configured CipherSuite specification for the client. The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files.

Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level. An authorized administrator can also do this from a workstation.

Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst switch.

Enable secret password and privilege level: No password is defined.
Line password: No password is defined.
Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1: configure terminal. Enter global configuration mode.
Step 2: enable password password. Define a new password or change an existing password for access to privileged EXEC mode.

Enter Ctrl-v.
Step 4: show running-config. Verify your entries.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1: configure terminal. Enter global configuration mode.
Step 3: service password-encryption. (Optional) Encrypt the password when the password is defined or when the configuration is written.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:
Step 1: configure terminal. Enter global configuration mode.

Step 2: no service password-recovery. Disable password recovery.
Step 4: show version. Verify the configuration by checking the last few lines of the command output.
Setting a Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use.
Step 3: configure terminal. Enter global configuration mode.
Step 4: line vty 0 15. Configure the number of Telnet sessions (lines), and enter line configuration mode.

Step 5: password password. Enter a Telnet password for the line or lines.
Step 7: show running-config. Verify your entries.
Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1: configure terminal. Enter global configuration mode.

Step 3: line console 0 or line vty 0 15. Enter line configuration mode, and configure the console port (line 0) or the VTY lines (line 0 to 15).
Step 4: login local. Enable local password checking at login time.
Step 6: show running-config. Verify your entries.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.

Step 2: privilege mode level level command. Set the privilege level for a command.
Step 3: enable password level level password. Specify the enable password for the privilege level.
Step 5: show running-config or show privilege. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1: configure terminal. Enter global configuration mode.

Step 2: line vty line. Select the virtual terminal line on which to restrict access.
Step 3: privilege level level. Change the default privilege level for the line.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1: enable level. Log in to a specified privilege level. For level, the range is 0 to
Step 2: disable level. Exit to a specified privilege level.
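
Added here as an illustration of the password and privilege-level guidance above (not code from this guide or from Cisco): a Python audit that reads a running-config and flags a plaintext or type-7 enable password, unencrypted line and username passwords, a missing enable secret, and Telnet left open on the VTY lines. SAMPLE_CONFIG and every credential value in it are constructed.

```python
"""Password-hygiene audit for an IOS configuration, covering the points above.

Added example, not Cisco code. SAMPLE_CONFIG is constructed. The checks encode
the guide's recommendations: 'enable password' stores a reversible or plaintext
level-15 credential, so 'enable secret' should be used; 'service
password-encryption' only applies type-7 obfuscation, which is reversible;
and VTY lines should accept SSH rather than Telnet.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample running-config mixing good and bad practice.
SAMPLE_CONFIG = """\
hostname Switch
no service password-encryption
enable password l1u2c3k4y5
username admin privilege 15 password 0 letmein
username ops privilege 1 secret 5 $1$EXAMPLE$placeholderhash
line con 0
 password console123
 login local
line vty 0 15
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""

# 'password <type> <value>' or 'password <value>' at the end of a line.
# Type 0 (or no type) is plaintext; type 7 is the reversible encoding that
# 'service password-encryption' produces; type 5 is the MD5 'secret' form.
PASSWORD_RE = re.compile(r"\bpassword\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$")


def _finding(severity: str, section: str, line: str, issue: str) -> Dict[str, str]:
    return {"severity": severity, "section": section, "line": line, "issue": issue}


def audit_config(config: str) -> List[Dict[str, str]]:
    """Walk the config once, tracking the enclosing section for indented lines."""
    findings: List[Dict[str, str]] = []
    encryption_on = False
    has_enable_secret = False
    section = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            section = raw.strip()          # a top-level command opens a new section
        text = raw.strip()
        if text == "service password-encryption":
            encryption_on = True
        if text.startswith("enable secret"):
            has_enable_secret = True
        if text.startswith("enable password"):
            # Grants privilege level 15 and is stored as plaintext or type 7.
            findings.append(_finding("high", section, text,
                "privileged EXEC password set with 'enable password'; use 'enable secret'"))
        else:
            m = PASSWORD_RE.search(text)
            if m and m.group("type") in (None, "0"):
                findings.append(_finding("high", section, text,
                    "password stored in plaintext"))
            elif m and m.group("type") == "7":
                findings.append(_finding("medium", section, text,
                    "type 7 is reversible obfuscation, not encryption; prefer 'secret'"))
        if (section.startswith("line vty") and text.startswith("transport input")
                and "telnet" in text.split()):
            findings.append(_finding("medium", section, text,
                "Telnet accepted on VTY lines; restrict to 'transport input ssh'"))
    if not encryption_on:
        findings.append(_finding("medium", "global", "(absent) service password-encryption",
            "line and username passwords are written to the configuration unencrypted"))
    if not has_enable_secret:
        findings.append(_finding("medium", "global", "(absent) enable secret",
            "no MD5-hashed privileged EXEC password configured"))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] {f['section']:<12} {f['line']}")
        print(f"          -> {f['issue']}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```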

Step 3: aaa new-model. Enable AAA.
This command puts the switch in a server group subconfiguration mode. Each server in the group must be previously defined in Step 2.
Step 7: show tacacs. Verify your entries.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa new-model. Enable AAA.
Step 4: line [console | tty | vty] line-number [ending-line-number]. Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Step 5 show running-config: Verify your entries.

Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC , are used in a push model to allow for session identification, host reauthentication, and session termination.

Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile such as a guest VLAN.

Session Termination
There are three types of CoA requests that can trigger session termination.
Command Purpose
Step 1 configure terminal: Enter global configuration mode.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host
Select one of these methods:
- enable: Use the enable password for authentication.

Step 4 aaa group server radius group-name: Define the AAA server group with a group name. This command puts the switch in server group configuration mode.
Switch(config)# radius-server host
Step 3 radius-server retransmit retries: Specify the number of times the switch sends each RADIUS request to the server before giving up.

Step 4 radius-server timeout seconds: Specify the number of seconds a switch waits for a reply to a RADIUS request before resending the request.
Step 5 radius-server deadtime minutes: Specify the number of minutes for which a RADIUS server that is not responding to authentication requests is skipped, so that the switch does not wait for the request to time out before trying the next configured server.

Step 7 show running-config: Verify your settings.
Step 4 show running-config: Verify your settings.
Step 3 radius-server key string: Specify the shared secret text string used between the switch and the vendor-proprietary RADIUS server.
Step 5 show running-config: Verify your settings.

This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad between the switch and the server:
Switch(config)# radius-server host
Step 3 aaa server radius dynamic-author: Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.
The client must match all the configured attributes for authorization.
Step 8 ignore session-key: (Optional) Configure the switch to ignore the session-key.

Step 9 ignore server-key: (Optional) Configure the switch to ignore the server-key.
Step 10 authentication command bounce-port ignore: (Optional) Configure the switch to ignore a CoA request to temporarily disable the port hosting a session.
Step 11 authentication command disable-port ignore: (Optional) Configure the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down.
Step 13 show running-config: Verify your entries.

Step 14 copy running-config startup-config: (Optional) Save your entries in the configuration file.

Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.
Authorization: A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform.

Credential: A general term that refers to authentication tickets, such as TGTs and service credentials.
Instance: An authorization level label for Kerberos principals.
KDC: Key distribution center that consists of a Kerberos server and database program that is running on a network host.
Kerberized: A term that describes applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos realm: A domain consisting of users, hosts, and network services that are registered to a Kerberos server.
Kerberos server: A daemon that is running on a network host.
Principal: Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server.
Service credential: A credential for a network service.

To authenticate to network services by using a Catalyst switch as a Kerberos server, remote users must follow these steps:
1. Authenticating to a Boundary Switch
2. Authenticating to Network Services

Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. This process then occurs: 1.
Step 3 aaa authentication login default local: Set the login authentication to use the local username database.

Step 5 aaa authorization network local: Configure user AAA authorization for all network-related service requests.
Repeat this command for each user.
Step 8 show running-config: Verify your entries.
Step 9 copy running-config startup-config: (Optional) Save your entries in the configuration file.
The switch supports an SSHv1 client.
Step 2 hostname hostname: Configure a hostname for your switch.
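As an added example (not code from the Cisco guide or from Cisco), the script below audits a Catalyst running-config for the switch-access settings the steps above configure: `login local` on the console and VTY lines, the reversible `enable password` form used in the level-14 example versus a hashed `enable secret`, `aaa new-model` for TACACS+/RADIUS login authentication, and SSH version 2 with SSH-only VTY transport. Both configs embedded in it are constructed samples (the secret hash is a placeholder), and the baseline the checks enforce is an assumption of this example, not a statement from the guide.

```python
"""Audit a Catalyst IOS running-config for switch-access settings.

Added example, not part of the Cisco guide.  SAMPLE_CONFIG and
HARDENED_CONFIG are constructed; the enable secret hash is a placeholder.
"""
import re

# Constructed sample: reuses the guide's level-14 'enable password' example,
# pins SSH to v2, but leaves vty 5-15 on the line password and telnet.
SAMPLE_CONFIG = """\
hostname Switch
!
enable password level 14 SecretPswd14
enable secret 5 $1$abcd$placeholderhashvalue
!
ip domain-name example.test
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
!
end
"""

# Constructed sample of the baseline the audit expects (zero findings).
HARDENED_CONFIG = """\
hostname Switch
aaa new-model
enable secret 5 $1$abcd$placeholderhashvalue
ip domain-name example.test
ip ssh version 2
line con 0
 login authentication default
line vty 0 15
 login authentication default
 transport input ssh
end
"""


def parse_line_blocks(config):
    """Map each 'line ...' section (e.g. 'vty 0 4') to its indented sub-commands."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the section
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means the
    config meets the (assumed) baseline."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    # 'enable password' stores a cleartext or type-7 (reversible) secret;
    # 'enable secret' stores a one-way hash.
    for l in lines:
        if re.match(r"enable password\b", l):
            findings.append(
                f"reversible enable password configured: '{l}'; prefer 'enable secret'")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured")
    if "aaa new-model" not in lines:
        findings.append("AAA not enabled ('aaa new-model' missing)")
    if "ip ssh version 2" not in lines:
        findings.append("SSH not pinned to version 2 ('ip ssh version 2' missing)")

    for name, cmds in parse_line_blocks(config).items():
        # Plain 'login' checks only the line password; the guide's steps use
        # 'login local' (or an AAA method list once aaa new-model is on).
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(f"line {name}: login does not use the local database or an AAA list")
        if name.startswith("vty"):
            allowed = set()
            for c in cmds:
                if c.startswith("transport input"):
                    allowed.update(c.split()[2:])
            if allowed != {"ssh"}:
                shown = sorted(allowed) or "unset"
                findings.append(f"line {name}: transport input is {shown}, expected ssh only")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The audit works on the text of `show running-config`, so it can be run offline against saved configs; it deliberately does not check RSA key size, which does not appear in the running-config and must be read from the switch's `show ip ssh` or key display instead.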

We recommend a minimum modulus size of bits.
Step 6 show ip ssh or show ssh: Show the version and configuration information for your SSH server. Show the status of the SSH server on the switch.
Repeat this step when configuring both parameters.
Show the status of the SSH server connections on the switch.

Certificate Authority Trustpoints
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices.
Switch# show running-config
Building configuration...
This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed):
1.

SSL is enabled.
No CA trustpoints are configured.
No self-signed certificates are generated.
Step 2 hostname hostname: Specify the hostname of the switch (required only if you have not previously configured a hostname).
Step 3 ip domain-name domain-name: Specify the IP domain name of the switch (required only if you have not previously configured an IP domain name).
Step 5 crypto ca trustpoint name: Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode.

Step 6 enrollment url url: Specify the URL to which the switch should send certificate requests.
Step 8 crl query url: Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
Step 9 primary: (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests.
Step 10 exit: Exit CA trustpoint configuration mode and return to global configuration mode.

Step 12 crypto ca enroll name: Obtain the certificate from the specified CA trustpoint.
Step 14 show crypto ca trustpoints: Verify the configuration.
Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 7 ip http secure-trustpoint name: Specify the CA trustpoint to use to get an X.
Step 9 ip http access-class access-list-number: (Optional) Specify an access list to use to allow access to the HTTP server.
