Cisco 2960 X Owners Manual
DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: snmp-server contact text
Purpose: Sets the system contact string.
Example:
Switch(config)# snmp-server contact Dial System Operator at beeper 21555

Step 3
Command or Action: snmp-server location text
Purpose: Sets the system location string.
Example:
Switch(config)# snmp-server location Building 3/Room 222

Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Limiting TFTP Servers Used Through SNMP

Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list.

SUMMARY STEPS

1. configure terminal
2. snmp-server tftp-server-list access-list-number
3. access-list access-list-number {deny | permit} source [source-wildcard]
4. end

Catalyst 2960-X Switch Network Management Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29044-01 Configuring Simple Network Management Protocol
DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: snmp-server tftp-server-list access-list-number
Purpose: Limits the TFTP servers used for configuration file copies through SNMP to the servers in the access list.
For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
Example:
Switch(config)# snmp-server tftp-server-list 44

Step 3
Command or Action: access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Creates a standard access list, repeating the command as many times as necessary.
For access-list-number, enter the access list number specified in Step 2.
The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
For source, enter the IP address of the TFTP servers that can access the switch.
(Optional) For source-wildcard, enter the wildcard bits, in dotted decimal notation, to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
Switch(config)# access-list 44 permit 10.1.1.2

Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Monitoring SNMP Status

To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands listed in the table to display SNMP information.
Table 11: Commands for Displaying SNMP Information

Command: show snmp
Purpose: Displays SNMP statistics.

Command: show snmp engineID
Purpose: Displays information on the local SNMP engine and all remote engines that have been configured on the device.

Command: show snmp group
Purpose: Displays information on each SNMP group on the network.

Command: show snmp pending
Purpose: Displays information on pending SNMP requests.

Command: show snmp sessions
Purpose: Displays information on the current SNMP sessions.

Command: show snmp user
Purpose: Displays information on each SNMP user name in the SNMP users table.
Note: You must use this command to display SNMPv3 configuration information for auth | noauth | priv mode. This information is not displayed in the show running-config output.

SNMP Examples

This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the switch to send any traps.

Switch(config)# snmp-server community public

This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The switch also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.

Switch(config)# snmp-server community public
Switch(config)# snmp-server enable traps vtp
Switch(config)# snmp-server host 192.180.1.27 version 2c public
Switch(config)# snmp-server host 192.180.1.111 version 1 public
Switch(config)# snmp-server host 192.180.1.33 public

This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.com version 2c public

This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted.
The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.

Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity

This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:

Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public

This example shows how to associate a user with a remote host and to send auth (authNoPriv) authentication-level informs when the user enters global configuration mode:

Switch(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
Switch(config)# snmp-server group authgroup v3 auth
Switch(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Switch(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Switch(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server inform retries 0

Feature History and Information for Simple Network Management Protocol

Release: Cisco IOS 15.0(2)EX
Modification: This feature was introduced.
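The following Python sketch is an added example, not part of the Cisco guide. It reads the snmp-server and access-list commands used in this chapter, reports community strings that are not bound to an access list, and evaluates the TFTP server list with the wildcard and implicit-deny rules from "Limiting TFTP Servers Used Through SNMP". The function names, the sample configuration and its access-list 4 line are assumptions; only the source [source-wildcard] form of access-list is handled.

```python
from ipaddress import IPv4Address

def acl_permits(entries, host):
    """Evaluate a standard access list top-down; the first match decides."""
    for action, source, wildcard in entries:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard ones = ignored bits
        if int(IPv4Address(host)) & care == int(IPv4Address(source)) & care:
            return action == "permit"
    return False  # implicit deny statement for everything else

def parse(config):
    """Collect access lists, community-to-list bindings and the TFTP server list."""
    acls, communities, tftp_acl = {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["access-list"] and len(words) >= 4:
            wildcard = words[4] if len(words) > 4 else "0.0.0.0"
            acls.setdefault(words[1], []).append((words[2], words[3], wildcard))
        elif words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            # A trailing number names the access list that restricts the community.
            bound = len(words) > 3 and words[-1].isdigit()
            communities[words[2]] = words[-1] if bound else None
        elif words[:2] == ["snmp-server", "tftp-server-list"] and len(words) >= 3:
            tftp_acl = words[2]
    return acls, communities, tftp_acl

def audit(config, candidate_servers):
    """Return (findings, candidate servers that the TFTP server list permits)."""
    acls, communities, tftp_acl = parse(config)
    findings = [f"community {name!r} has no access list"
                for name, acl in communities.items() if acl is None]
    referenced = {a for a in [*communities.values(), tftp_acl] if a}
    findings += [f"access list {a} is referenced but not defined"
                 for a in sorted(referenced - set(acls))]
    if tftp_acl is None:
        findings.append("no snmp-server tftp-server-list is configured")
    allowed = [h for h in candidate_servers
               if tftp_acl in acls and acl_permits(acls[tftp_acl], h)]
    return findings, allowed

# Constructed sample built from this page's commands; access-list 4 is an assumption.
SAMPLE = """\
snmp-server community public
snmp-server community comaccess ro 4
access-list 4 permit 10.1.1.0 0.0.0.255
snmp-server tftp-server-list 44
access-list 44 permit 10.1.1.2
"""
print(audit(SAMPLE, ["10.1.1.2", "10.1.1.3"]))
```
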
CHAPTER 5
Configuring SPAN and RSPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN). Unless otherwise noted, the term switch refers to a standalone switch or a switch stack.

• Finding Feature Information
• Prerequisites for SPAN and RSPAN
• Restrictions for SPAN and RSPAN
• Information About SPAN and RSPAN
• How to Configure SPAN and RSPAN
• Monitoring SPAN and RSPAN Operations
• SPAN and RSPAN Configuration Examples
• Additional References
• Feature History and Information for SPAN and RSPAN

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for SPAN and RSPAN

SPAN

• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
RSPAN

• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session.

Restrictions for SPAN and RSPAN

SPAN

The restrictions for SPAN are as follows:

• On each switch, you can configure a maximum of 4 (2 if switch is stacked with Catalyst 2960-S switches) source sessions and 64 RSPAN destination sessions. A source session is either a local SPAN session or an RSPAN source session.
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
• The destination port cannot be a source port; a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
• When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.
• Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.
• For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form.
• You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.

Traffic monitoring in a SPAN session has the following restrictions:

• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• The switch supports up to four local SPAN or RSPAN source sessions. However, if this switch is stacked with Catalyst 2960-S switches, you are limited to 2 local SPAN or RSPAN source sessions.
  ◦ You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The switch or switch stack supports a total of 64 source and RSPAN destination sessions.
  ◦ You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per switch stack.
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic and once as a monitored packet. Monitoring a large number of ports or VLANs could potentially generate large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session.
• The switch does not support a combination of local SPAN and RSPAN in a single session.
  ◦ An RSPAN source session cannot have a local destination port.
  ◦ An RSPAN destination session cannot have a local source port.
  ◦ An RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch or switch stack.

RSPAN

The restrictions for RSPAN are as follows:

• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating switches.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
• To use RSPAN, the switch must be running the LAN Base image.
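The following Python sketch is an added example, not part of the Cisco guide. It checks a set of monitor session commands against several of the SPAN restrictions listed above: the source-session limit, mixed source ports and source VLANs, mixed source VLANs and filter VLANs, a destination port that is also a source port, and a destination port shared by two sessions. The function name and the sample configuration are assumptions, and each command is assumed to name a single interface or VLAN.

```python
import re
from collections import defaultdict

# One interface or VLAN per command is assumed; ranges and lists are not expanded.
LINE = re.compile(r"monitor session (\d+) (source|destination|filter) (interface|vlan) (\S+)")

def check_span(config, stacked_with_2960s=False):
    """Return the restrictions from the list above that `config` violates."""
    sessions = defaultdict(lambda: defaultdict(set))
    for line in config.splitlines():
        match = LINE.match(line.strip())
        if match:
            number, role, kind, value = match.groups()
            sessions[int(number)][f"{role} {kind}"].add(value.lower())
    problems = []
    limit = 2 if stacked_with_2960s else 4
    sources = [n for n, s in sessions.items() if s["source interface"] or s["source vlan"]]
    if len(sources) > limit:
        problems.append(f"{len(sources)} source sessions exceed the limit of {limit}")
    # Assumption: source and destination roles are compared across all sessions.
    source_ports = set().union(*(s["source interface"] for s in sessions.values()))
    first_use = {}
    for number in sorted(sessions):
        s = sessions[number]
        if s["source interface"] and s["source vlan"]:
            problems.append(f"session {number}: mixes source ports and source VLANs")
        if s["source vlan"] and s["filter vlan"]:
            problems.append(f"session {number}: mixes source VLANs and filter VLANs")
        for port in sorted(s["destination interface"]):
            if port in source_ports:
                problems.append(f"session {number}: destination {port} is also a source port")
            if port in first_use:
                problems.append(f"session {number}: destination {port} already used by session {first_use[port]}")
            first_use.setdefault(port, number)
    return problems

# Constructed sample configuration (not from the guide).
SAMPLE = """\
monitor session 1 source interface gigabitethernet1/0/1
monitor session 1 source vlan 10
monitor session 1 destination interface gigabitethernet1/0/2
monitor session 2 source vlan 20
monitor session 2 filter vlan 30
monitor session 2 destination interface gigabitethernet1/0/2
monitor session 3 source interface gigabitethernet1/0/3
monitor session 3 destination interface gigabitethernet1/0/1
"""
print("\n".join(check_span(SAMPLE)))
```
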
Information About SPAN and RSPAN

SPAN and RSPAN

You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.

Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.

You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.

Local SPAN

Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis.

All traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5.

Figure 4: Example of Local SPAN Configuration on a Single Device

This is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.
Figure 5: Example of Local SPAN Configuration on a Device Stack

Related Topics
Creating a Local SPAN Session
Creating a Local SPAN Session and Configuring Incoming Traffic
Example: Configuring Local SPAN

Remote SPAN

RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches across your network.

The figure below shows source ports on Switch A and Switch B. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.

Figure 6: Example of RSPAN Configuration

Related Topics
Creating an RSPAN Source Session
Creating an RSPAN Destination Session
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Examples: Creating an RSPAN VLAN

SPAN and RSPAN Concepts and Terminology

• SPAN Sessions
• Monitored Traffic
• Source Ports
• Source VLANs
• VLAN Filtering
• Destination Port
• RSPAN VLAN