When you log onto a switch, you're likely to encounter one of two GUI management systems: Virtual Switch Manager (VSM) or Cluster Management Suite (CMS). These applications are essentially the same. Although superseded by other tools, like Cisco Network Assistant (CNA), CMS is still used to manage a great many switches. Because of that fact, we have chosen to include a section on it here. That said, you may even run into some much older legacy switches in your endeavors that use VSM. Again, these programs do essentially the same thing and make switch setup and management easier through the clickable world of a GUI.
And don't worry: if you were wondering about Cisco Network Assistant, we'll cover it in detail in Chapter 13.
Aside from some basic navigational differences (in VSM, configuration is performed on individual Web browser pages, while in CMS, configuration is done in pop-up windows), the main difference between the two is that VSM is HTML-based, while CMS is Java-based. Java provides a cleaner, more aesthetically appealing GUI than its HTML predecessor. Whichever application comes on the switch you're using, they both get the job done.
CMS is a Web browser–based tool used to work with Cisco Catalyst switches. CMS presents real-time information measuring activity in a switch while it runs. This information is used to monitor and manage a switch. More important, the tool is also used to modify switch configuration.
Figure 5-14 shows the CMS menu bar and a list of pages by area. The home page itself handles such housekeeping chores as naming the switch and setting its Line password.
Figure 5-14: The CMS menu bar is used to navigate the switch configuration options
An outstanding feature of CMS is that a device's status can be viewed by looking at a live image of it on the home page. Figure 5-15 shows the graphical image of a Cisco 2950-24 switch. You can't see the color keys in this black-and-white book, but if the port is colored green, its status is Link Up; blue means No Link Status; and red indicates Link Faulty or Port Disabled.
Figure 5-15: A "live" graphical image reports a Cisco switch's status
Notice that in Figure 5-15 CMS makes the distinction between a port and a link. A port is the physical connection where the cable is plugged in. A link, on the other hand, is the logical connection taking place over that port to a port on some other device, which could be another switch, router, server, or other device. A port could be operating properly, and at the same time the link running through it could be malfunctioning. You can see how Visual Switch Manager helps network administrators isolate and solve problems quickly.
The Port Configuration pages (or commands, if you're in the IOS command-line interface) allow you to enable or disable specific switch ports and to set duplex mode to full, half, or automatically selected, according to the capability of the host device making a link to the port. If the switch device being configured is 10/100, speed mode can be set in the same way. If a switch is participating in an EtherChannel, individual ports would be assigned to EtherChannel groups in the Port Grouping page.
The Administration area pages cover basic system-wide configuration parameters, such as the version of IOS software installed, booting procedure, system console baud rate, and memory configuration options.
Perhaps the most important area of switch configuration and management has to do with VLANs. Visual Switch Manager includes pages for assigning ports VLAN memberships, as well as pages to set parameters for such specialized VLAN services as:
STP (Spanning Tree Protocol): A link management protocol that allows advertisement of redundant paths through switched networks, while at the same time preventing paths from looping back to their source. STP does for switched networks what routing protocols do for routed networks.
VTP (VLAN Trunk Protocol): A way to create pathways serving a number of switches in a VLAN, accomplished by dynamically sharing MAC addresses and other information from a VTP server and VTP clients.
VMPS (VLAN Membership Policy Server): A client-server–based protocol that dynamically tracks the VLAN (or VLANs) to which a particular MAC address belongs.
VQP (VLAN Query Protocol): A protocol that continually runs statistics on VMPS queries sent by the VMPS server to its clients.
How switches can be configured and managed using SNMP and CiscoWorks is covered in Chapter 13.
CMS operates by talking to a switch through the HTTP protocol. HTTP is the IP protocol used to support Web browser–based applications. As a browser application, CMS overlays the switch's image of Cisco IOS software and runs IOS commands.
Initial switch installation is done while running a terminal session through the switch's Console port (not CMS). Notice that both Telnet and Cluster Management Suite are options in Figure 5-16. It is only after the switch is made a member of a LAN that management activity can begin through VSM.
Figure 5-16: You enter Cluster Management Suite through this page
The home page also provides access to other tools besides CMS. For example, clicking the Telnet hyperlink lets you log into the IOS command-line interface. Other hyperlinks connect to Cisco resources, such as Cisco's Web page and Technical Assistance Center.
The CMS home page is where the system administrator starts and is the launching-off point for all of the switch's management activities. For instance, under the Administration menu, you can look at and change the switch's IP address and upgrade the device's firmware.
Switches are almost always administered from inside the enterprise's private network. Figure 5-15 shows a private IP address (http://192.168.1.200), as opposed to a public address (such as http://184.108.40.206). For security reasons, administrative access to a switch from outside the private network is rare.
When you select an item to manage from the menu bar, a new window pops up and generally shows current configuration information. You can also change a parameter if desired. For a parameter change to take effect in the switch's running-configuration file, the Apply button must be clicked. This causes the parameter change to be uploaded to the switch and be updated in the device's memory.
Cluster Management Suite starts with an image of a switch at the bottom of the home page. The image is of the actual switch device. The example in Figure 5-15 is logged into a Cisco Catalyst 2950-24. The switch image is "live," in that status information displayed reflects what's currently happening on the device. Each switch port is lit up in one of three colors to indicate current device status:
Green: The link is up.
Blue: No link is reported.
Red: The link is either faulty or disabled.
The switch image does more, however, than just report device status. It's an interactive interface through which you can change configuration parameters. If you've already read a previous edition of this book, you'll recognize the switch image as the same interactive graphical device interface used in CiscoView. CiscoView (covered in Chapter 15) is a superset of CMS, in that it handles all Cisco devices, not just switches.
The dialog box in Figure 5-17 comes up after the user right-clicks the FastEthernet0/7 port in the switch image in Figure 5-15 and then selects Port Settings from the context menu. This input dialog box is specific to the port that is clicked.
Figure 5-17: Click the CMS switch image to configure specific switch ports
The port's basic parameters are set here. The Status drop-down menu turns the switch port on or off by selecting Enable or Disable. You can also select whether the port should be full-duplex or half-duplex, what speed the port should run at (10 Mbps, 100 Mbps, or automatic), and whether port fast should be enabled or disabled.
The Topology View feature is an application that discovers and diagrams surrounding network topology. Network View diagrams only Cisco devices. It provides reports on network devices and links, and can be used as an interactive interface to change device configuration parameters. Topology View diagrams include these features:
Visual Stack: Use this to display a switch image of one or more members of a switch stack.
Switch Manager: Click the right mouse button on a switch in the image to show a context menu with two options: to see a report on the switch or to launch a management software application that can be used to reconfigure the LAN.
Link Report: Click the right mouse button on a link (the line connecting devices in the diagram) to see that link's IP addresses, operating mode, VLANs, and other operating parameters.
Toggle Labels: Use this to change device labels in the diagram from IP addresses to the Cisco device model numbers (for example, from IP address 192.168.1.200 to model number 2950-24) and to label network links (lines). Link labels contain the name of the device interface through which the link is running (for example, Ethernet1).
Be careful before launching Network View, though. It can be slow, because it uses CDP (Cisco Discovery Protocol) to find other devices. Figure 5-18 shows the topology view of a very small LAN.
Figure 5-18: CMS can build a graphical diagram of the switch's LAN
A port is where stations physically connect to the switch. Ports on switch devices are called switch ports or switched ports. They are the connections into which twisted-pair cables from hosts (such as PCs, servers, or printers) are plugged. Other network devices, such as routers and other switches, also connect to switch ports.
Switch ports have both administrative status and actual status. They can be accessed by selecting Port Settings from the Port menu, as shown in Figure 5-19. Status is set to enabled mode by default. The Enable setting means the port is ready for work. Actual status, shown in the Runtime Status tab in Figure 5-20, can be either Up or Down. It's possible for a port's administrative status to be enabled and its actual status to be Down. This would indicate that the port is operationally ready but is not at work (Down) because nothing is plugged into it.
Figure 5-19: Individual switch ports can be configured here
Figure 5-20: The status of individual switch ports can be monitored here
Two parameters can be set to affect a switch port's effective operating speed: duplex mode and transmission speed.
The Duplex parameter can be set so that it automatically recognizes and sets either full-duplex or half-duplex. Duplex mode is whether transmission is one-way or two-way. If devices connected at both ends of a link have full-duplex capability, the Auto setting will automatically set to full-duplex, in effect doubling transmission speed. Unless configured otherwise, VSM always autonegotiates full-duplex mode when possible.
In switches with 10/100 autosensing, the Transmission Speed Requested parameter is usually set to Auto. The term 10/100 refers to the capability of a switch to sense automatically whether the device at the other end of a link is running 100 Mbps (Fast Ethernet) or 10 Mbps (plain Ethernet). Unless configured otherwise, CMS always autonegotiates a 100-Mbps connection when possible. Network administrators will override Auto and specify one speed over the other when the switch is having trouble correctly sensing a link's speed.
Port groups are logical high-speed connections between switches. They are configured for either Fast EtherChannel or Gigabit EtherChannel connections. Port groups create redundant links between switches so that if there's a failure with one link in the group, its traffic will automatically move to the other links (an automatic process called failover).
A port group is treated as a single logical port. Forming port groups simplifies management and reporting. For example, configuration changes for a port group need to be made in just one place instead of for each individual port. Figure 5-21 shows the interface for forming port groups. This is found by selecting EtherChannel from the Ports menu.
Figure 5-21: EtherChannel port groups are configured for speed and redundancy
All ports in the group must belong to the same set of VLANs, and all must be source-based or destination-based, shown in the drop-down menu in the center of the window in Figure 5-21. Source-based switching is when the port group makes switching decisions based on the source MAC addresses. In destination-based switching, switching decisions are based on the destination MACs. It's okay to configure both source-based and destination-based port groups on the same switch, but not in the same group.
SPAN (Switched Port ANalyzer) gathers real-time information for monitoring switch ports and diagnosing problems. Its purpose is to concentrate port activity information into a single port, the SPAN port, dedicated to troubleshooting. A SPAN port functions as a test instrument probe, but in the form of a dedicated switch port instead of separate hardware from an external test device.
SPAN operates by mirroring traffic from one or more switch ports to the SPAN port. If the ports being monitored are members of a VLAN, the SPAN port must be a member of the same VLAN. Figure 5-22 shows that two ports on the example switch are being monitored. The SPAN dialog box is called up by selecting SPAN from the Ports menu.
Figure 5-22: Individual switch ports can be selected for real-time monitoring
The SPAN port runs RMON probe software. RMON (for Remote Monitoring) is specialized probe software that tracks port performance statistics, traffic patterns, and alarms. Usually, a Network Management Module (NMM) card is inserted into the switch to provide electronics dedicated to monitoring and diagnosing problems. Sometimes a network management station, usually a PC or UNIX workstation, reads data from the port instead of an NMM. Having this type of information available across a switched network helps network administrators anticipate and solve network problems. Without SPAN, port network management in switched networks would require more time and effort.
Flooding occurs when traffic received in one switch port is passed out all other ports. Switches flood when they receive messages with unknown destination addresses. Flooding is necessary in switched networks because they rely on MAC addresses of physical devices, not logical IP addresses, as do routers. Without flooding in switched networks, a message would be dropped by the first network, unaware of its destination MAC address, effectively terminating the transmission.
However, controls are necessary to ensure against a switch being drowned in a glut of flooded messages. The potential for flooding is made worse by the fact that messages are passed by a switch to all VLANs in which it has membership (switches are frequently multi-VLAN). Figure 5-23 shows the Flooding Control page. Flooding Control is located under the Ports menu.
Figure 5-23: Flooded and broadcast messages can be limited in switched networks
Flooding control blocks the forwarding of unnecessary flooded traffic by using one of the following techniques:
Sending all flooded messages to a single port (the network port) so only that port gets flooded
Enabling broadcast storm thresholds to limit how many flooded messages a port will accept
Blocking the forwarding of unicast (one-to-one) and broadcast (one-to-all) messages, shown in the Receive Unknown MACs field
For a switch to become operable on a network, it must have several IP addresses assigned. The IP Addresses window shown in Figure 5-24 is used to administer and update IP information. This window can be called up by selecting IP Addresses from the Administration menu. This window contains two tabs: Interface Configuration and Device Configuration. Three mandatory IP addresses include the following:
IP address host: A 32-bit address assigned to hosts using TCP/IP, written as four octets separated by periods (for example, 220.127.116.11).
IP subnet mask: A mask overlaying a full IP address to indicate the bits of the full IP address used to address the local subnetwork, often simply called the mask. The mask is always some portion of the left side of the overall IP address (for example, 255.255.255.248).
Default gateway: The switch sends traffic to an unknown IP address through the default gateway. When a message is sent outside the local network, it's routed through the default gateway, which has one or more external addresses. The default gateway address is frequently an Internet service provider (ISP).
Figure 5-24: The IP Addresses window is used to change IP address information
SNMP (Simple Network Management Protocol) is an IP application used to administer and troubleshoot network devices from a so-called network management station (NMS). SNMP is an industry standard, not a proprietary Cisco protocol. The interface shown in Figure 5-25 is, of course, Cisco's, but the parameters set through this window enable the creation of generalized SNMP information that can be used by any SNMP software product, not just Cisco's. This window is accessed by selecting SNMP on the Administration menu.
Figure 5-25: This window is used to configure a Cisco switch for SNMP management
You have the option of not enabling SNMP management for the switch. Disabling SNMP prevents SNMP-based network management applications from being able to monitor or reconfigure the switch.
SNMP works by setting up agents on a device. These agents are small software programs that observe activity on the switch and send alerts called traps to the NMS, informing it of significant events. Traps are managed on the Trap Managers tab.
Community strings are enabled on the Community Strings tab. A community string is a text string that acts as a sort of group password used to authenticate messages sent between the NMS and the devices it manages. The community string is sent in every packet between the manager and the SNMP agent. Refer to Chapter 13 for information about various Cisco products incorporating SNMP functionality.
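As an added example (not part of the book or of Cisco's software), the following code parses the header of an SNMPv1/v2c message to show where the community string travels and flags the well-known default strings; the sample messages are constructed in the code, not captured from a switch.

```python
"""Read the community string out of an SNMPv1/v2c message.

The community is the second field of the message's outer SEQUENCE, encoded as
a plain BER OCTET STRING, so it is readable by anything that can see the
management traffic. Example code for this section, not Cisco's; the sample
message below is constructed here, not captured from a real device.
"""

# Well-known default strings that a monitoring rule should flag.
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(data, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length

def parse_snmp_header(msg):
    """Return (version, community, pdu_tag) for SNMPv1 (version 0) or v2c (version 1).

    Raises ValueError for malformed input or for SNMPv3 (version 3), which
    carries no community string at this position."""
    try:
        tag, body, _ = _tlv(msg, 0)
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        tag, ver, pos = _tlv(body, 0)
        if tag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):
            raise ValueError(f"no community string in SNMP version field {version}")
        tag, community, pos = _tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community is not an OCTET STRING")
        pdu_tag, _, _ = _tlv(body, pos)
    except IndexError as exc:
        raise ValueError("truncated message") from exc
    return version, community.decode("latin-1"), pdu_tag

def audit(msg):
    """Classify one message as a passive monitor would: default, custom, or not v1/v2c."""
    try:
        version, community, _ = parse_snmp_header(msg)
    except ValueError:
        return "not-v1-v2c-or-malformed"
    label = "v1" if version == 0 else "v2c"
    if community in DEFAULT_COMMUNITIES:
        return f"default-community:{community}:{label}"
    return f"custom-community:{label}"

def _enc(tag, value):
    """Short-form BER encoder (values under 128 bytes), used only to build samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def build_get_request(community, oid, request_id=1, version=1):
    """Construct a GetRequest for one already-BER-encoded OID (sample input, not a capture)."""
    varbind = _enc(0x30, _enc(0x06, oid) + _enc(0x05, b""))          # OID with NULL value
    pdu = _enc(0xA0, _enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + _enc(0x30, varbind))        # GetRequest-PDU
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community.encode()) + pdu)

# sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER (the first two arcs pack into 0x2B)
SYS_DESCR_0 = bytes.fromhex("2b06010201010100")

if __name__ == "__main__":
    for sample in (build_get_request("public", SYS_DESCR_0),
                   build_get_request("Xk9-mgmt", SYS_DESCR_0, version=0)):
        print(audit(sample))
```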
ARP stands for the Address Resolution Protocol, which is an industry-standard protocol for mapping IP addresses to MAC addresses. Translating addresses is necessary, because when a message reaches its destination LAN, it must resolve the logical IP address to a physical MAC address in order to know which physical host device to communicate with. In ARP tables inside Cisco switches, the IP address is on the left column and the MAC address it is associated with is in the center column. The ARP configuration window is shown in Figure 5-26.
Figure 5-26: In switches, ARP tables resolve VLAN names, not LAN names
Addresses are dynamically added to the ARP table as messages pass through the switch. To prevent infinite growth of the table, the ARP Cache Timeout Value field (located under the ARP Cache Timeout tab) limits how long entries stay in the table prior to being dropped. The ARP table ages out addresses that go unused for that specified period of time, except those that were added to the table manually as permanent or static ARP entries. The default aging period is set for 14,400 seconds (four hours).
The address table (also called the address management table) is used by switches to decide where to forward incoming messages. The address table associates a list of MAC addresses with specific switch ports. Unlike IP addresses, MAC addresses are a sort of network serial number identifying physical network devices (usually the network interface card). Address tables are the centerpiece of switched network architecture because they guide messages to their destinations. MAC addresses function in switched networks the way IP addresses function in router-based networks. There are three kinds of address tables, which are located under individual tabs, as shown in Figure 5-27.
Figure 5-27: The address table is the key to how switched networks operate
The window is called up by selecting MAC Addresses from the Administration menu. The tables are as follows:
Dynamic address table: Built by the switch by associating each message's incoming port number and source MAC address
Secure address table: A secure address has only one destination port; they're manually entered and don't age
Static address table: Like a secure address in that they're manually entered and don't age, but a static address applies to the entire switch instead of just a single port
Most ports in switched networks use dynamic addressing, because that way, the network can help operate itself without human intervention. Static addressing is used for port grouping, while secure addressing is used to protect valuable network resources and proprietary data.
A secure port is established by creating a list of one or more source MAC addresses that may send traffic to it. In this sense, a secure port is a form of static-access port. Port security should not be mixed up with SNMP alerts and other security applications. Port security works by restricting access to a port to explicitly named links. This is often done as much for performance reasons as for data security. Figure 5-28 shows the Port Security window. This window is accessed by selecting Port Security from the Port menu.
Figure 5-28: A secure port receives traffic only from user-defined stations
The advantages of securing a port are that unknown devices cannot connect to the port without your knowledge. It's also a good way to dedicate the port's bandwidth by setting the size of the port's address table to 1, thereby making available all the port's bandwidth to that device. A port is secured by selecting the check box in the Security column, as well as one or both of the Trap and Shutdown fields. Port security cannot be enabled on a multi-VLAN port.
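The following is an added model (not the book's or Cisco's code) of the behaviour described in this chapter: dynamic MAC learning into the address table, flooding of frames with unknown destinations, and a secure port that accepts traffic only from its listed stations and applies the Trap and Shutdown actions on a violation. Port names and MAC addresses are constructed.

```python
"""Toy model of the forwarding behaviour described in this section: dynamic MAC
learning, flooding of unknown destinations, and a secure port whose address
table is a fixed list of permitted source MACs with Trap and Shutdown
violation actions. Example code written for this section, not Cisco's.
Port names and MAC addresses are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Port:
    name: str
    enabled: bool = True                       # administrative status (Enable/Disable)
    secure: bool = False                       # the Security check box
    allowed: set = field(default_factory=set)  # this port's secure address table
    trap: bool = True                          # Trap action: notify the management station
    shutdown: bool = False                     # Shutdown action: disable the port

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.dynamic = {}        # dynamic address table: source MAC -> incoming port
        self.traps = []          # stand-in for traps sent to the management station

    def receive(self, in_port, src, dst):
        """Handle one frame; return the ports it is forwarded out of (in port order)."""
        port = self.ports[in_port]
        if not port.enabled:
            return []                          # a shut-down port drops everything
        if port.secure and not self._admit(port, src):
            return []
        self.dynamic[src] = in_port            # dynamic learning
        if dst == BROADCAST or dst not in self.dynamic:
            # broadcast or unknown destination: flood out every other enabled port
            return [n for n, p in self.ports.items() if n != in_port and p.enabled]
        out = self.dynamic[dst]
        return [] if out == in_port else [out]

    def _admit(self, port, src):
        """Apply port security: only listed source MACs may send traffic to the port."""
        if src in port.allowed:
            return True
        if port.trap:
            self.traps.append(f"port-security violation on {port.name} from {src}")
        if port.shutdown:
            port.enabled = False
        return False

def demo():
    """Walk the scenario from the text: a secure port dedicated to one station."""
    sw = Switch([Port("Fa0/1"), Port("Fa0/2"),
                 Port("Fa0/7", secure=True, allowed={"00:00:0c:aa:aa:aa"}, shutdown=True)])
    a, b, ok, rogue = ("00:00:0c:00:00:01", "00:00:0c:00:00:02",
                       "00:00:0c:aa:aa:aa", "00:00:0c:bb:bb:bb")
    return {
        "unknown_dst_flooded": sw.receive("Fa0/1", a, b),      # B not yet known -> flood
        "reply_forwarded":     sw.receive("Fa0/2", b, a),      # A was learned on Fa0/1
        "secure_ok":           sw.receive("Fa0/7", ok, a),     # permitted station passes
        "secure_violation":    sw.receive("Fa0/7", rogue, a),  # dropped, trap, port shut
        "traps":               list(sw.traps),
        "fa0_7_enabled":       sw.ports["Fa0/7"].enabled,
        "broadcast_after":     sw.receive("Fa0/1", a, BROADCAST),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```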
Cisco Group Multicast Protocol (CGMP) is a proprietary Cisco protocol used to limit the forwarding of IP multicast (one-to-many) packets in a network. For example, a switch might sign up to receive multicasts advertising new MAC addresses from networks outside the intranet. CGMP is like a subscription-processing service in which hosts enroll in a group that receives certain kinds of multicasts. The CGMP window, shown in Figure 5-29, is accessed by selecting CGMP from the Devices menu.
Figure 5-29: CGMP is used to enroll switch ports into multicast groups
Hosts issue join messages to join a multicast group and leave messages to quit. Like most table-building protocols, CGMP ages out unused subscriptions to limit table size. The Router Hold Time parameter (set to 300 seconds in the example in Figure 5-29) removes an entry after a user-specified time period.
The CGMP table is maintained on a router. For CGMP to work, therefore, a switch must have a connection to a router that is running both CGMP and IGMP (Internet Group Management Protocol). IGMP is used by IP hosts to report their multicast group memberships to an adjacent multicast router. When the router receives an IGMP request (leave or join) from a client, it forwards this information to the switch in a CGMP packet. The switch uses this information to alter its forwarding behavior.
Spanning-Tree Protocol (STP) is an industry-standard technique for preventing loopback paths in switched networks. Switched networks use MAC addresses in lieu of logical IP addresses. They work by forwarding a message to any switch containing the desired MAC address. Without STP, switched networks are susceptible to using paths that double-back to the switch that sent the message, causing slow delivery and generating unnecessary traffic.
STP works by identifying redundant paths and blocking at least one of them. The Spanning-Tree Protocol window is accessed by selecting STP from the Device menu. It contains seven tabs that are used to manage STP details. The Spanning-Tree Protocol is shown in Figure 5-30, and is used to enable a switch for STP and to define a root switch for each VLAN. Having a root switch for a VLAN helps the STP algorithm figure out which paths are best to block or not block. STP uses a path-costing system not unlike the routing protocols discussed in Chapter 12. A lower path cost represents higher speed (for example, an STP cost value of 100 for 10 Mbps versus 4 for 1 Gbps). The Hello Time parameter sets the number of seconds between STP messages. The Max Age parameter sets how long the switch should wait between STP messages before reconfiguring STP on its own.
Figure 5-30: STP prevents the proliferation of loop paths in switched networks
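The root election and path-cost logic described above, carried through on a small constructed topology as an added example (not the book's or Cisco's implementation): the switch with the lowest bridge ID becomes root, every other switch keeps the cheapest path to it, and the port on the far end of each remaining redundant link is blocked. The switch names, ports and MAC addresses are constructed; the 100 Mbps cost of 19 is the IEEE 802.1D-1998 value and is not quoted in the text.

```python
"""Worked example of the STP logic described above: elect the root switch from
the lowest bridge ID, compute each switch's root path cost from the IOS cost
values, and mark every port root, designated, or blocked. Added for this
section, not Cisco's implementation; switches, ports and MACs are constructed."""
import heapq

# STP path cost per link speed. 100 (10 Mbps) and 4 (1 Gbps) are the values
# quoted in the text; 19 is the IEEE 802.1D-1998 value for 100 Mbps.
PATH_COST = {10: 100, 100: 19, 1000: 4}

def bridge_id(priority, mac):
    """16-bit priority followed by the 48-bit MAC; the lowest value becomes root."""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)

def spanning_tree(bridges, links):
    """bridges: {switch: bridge_id}; links: [(sw_a, port_a, sw_b, port_b, speed_mbps)].

    Returns (root, {switch: root path cost}, {(switch, port): role})."""
    root = min(bridges, key=bridges.get)
    adj = {sw: [] for sw in bridges}
    for a, pa, b, pb, speed in links:
        cost = PATH_COST[speed]
        adj[a].append((b, cost, pa, pb))
        adj[b].append((a, cost, pb, pa))

    # Dijkstra from the root. Ties break the way a bridge compares BPDUs:
    # root path cost, then sender bridge ID, then sender port, then receiving port.
    best = {}                                # switch -> (root path cost, root port)
    heap = [(0, 0, "", "", root)]
    while heap:
        cost, _sender, _sender_port, root_port, sw = heapq.heappop(heap)
        if sw in best:
            continue                         # the first pop is the winning candidate
        best[sw] = (cost, root_port)
        for nb, c, port_on_sw, port_on_nb in adj[sw]:
            if nb not in best:
                heapq.heappush(heap, (cost + c, bridges[sw], port_on_sw, port_on_nb, nb))

    roles = {}
    for a, pa, b, pb, _speed in links:
        # The end nearer the root (tie: lower bridge ID) is designated for the link;
        # the far end's port is either that switch's root port or gets blocked.
        if (best[a][0], bridges[a]) < (best[b][0], bridges[b]):
            near, near_port, far, far_port = a, pa, b, pb
        else:
            near, near_port, far, far_port = b, pb, a, pa
        roles[(near, near_port)] = "designated"
        roles[(far, far_port)] = "root" if best[far][1] == far_port else "blocked"
    return root, {sw: v[0] for sw, v in best.items()}, roles

# Constructed triangle: two 1 Gbps links and one 10 Mbps link to the root.
SWITCHES = {"SW1": bridge_id(32768, "0000.0c00.0001"),
            "SW2": bridge_id(32768, "0000.0c00.0002"),
            "SW3": bridge_id(32768, "0000.0c00.0003")}
LINKS = [("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
         ("SW1", "Fa0/1", "SW3", "Fa0/1", 10),
         ("SW2", "Gi0/2", "SW3", "Gi0/1", 1000)]

if __name__ == "__main__":
    root, costs, roles = spanning_tree(SWITCHES, LINKS)
    print("root:", root, "costs:", costs)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

SW3 reaches the root more cheaply through two 1 Gbps hops (cost 8) than over its direct 10 Mbps link (cost 100), so it is the slow link that ends up blocked even though it attaches straight to the root.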
VLAN membership is a simple matter of assigning a switch port to one or more virtual LANs. The maximum number of VLANs a port may belong to is a function of the switch model. The example switch in Figure 5-31 is a Cisco Catalyst 2950-24, which supports up to 64 VLANs per port. VLAN membership modes are as follows:
Static-access VLAN membership mode
Multi-VLAN membership mode
Dynamic-access VLAN membership mode
ISL trunk VLAN membership mode
Figure 5-31: A port can belong to one or more VLANs and use any of four membership modes
ISL, which stands for Inter-Switch Link, is a proprietary Cisco protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between them. ISL provides VLAN capabilities while maintaining high performance on Fast Ethernet links in full-duplex or half-duplex mode.
Special IOS software feature sets are required on a switch for it to operate advanced VLAN modes such as multi-VLAN and dynamic-access VLAN.
VLAN Trunk Protocol (VTP) enables network administrators to make configuration changes on a single switch and automatically communicate those changes to all the other switches in the network. Central configuration limits a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. VTP works by sending advertisements over the switched network as a way to maintain VTP trunk memberships and transmit other VTP configuration changes. VTP configuration is maintained as a VLAN database stored in the NVRAM of member switches. A switch can be in any one of three VTP modes:
Client VTP mode: A switch that is enabled for VTP; can send advertisements but cannot configure VLANs
Transparent VTP mode: A switch that is disabled from using VTP; cannot send its own advertisements but can receive and forward them to and from other switches
Server VTP mode: A switch that is enabled for VTP; can send advertisements and can configure VLANs
As shown in Figure 5-32, the VTP Management screen displays VTP status information at the top and inputs configuration parameter changes at the bottom.
Figure 5-32: VTP centrally administers configurations in switched networks
ISL works by encapsulating frames going through a switch with an ISL header, letting other switches on the trunk filter through ISL encapsulated messages as "native" to the trunk. The IEEE 802.1Q tagging format, an open standard that is not proprietary to Cisco, supports simultaneous tagged and untagged traffic on a switch port.
VLAN Membership Policy Server (VMPS) dynamically assigns switch ports to VLANs based on the MAC address of the device connected to the port. When a host is moved from a port on one switch in the network to a port on another switch in the network, it's automatically assigned to the proper VLAN. A VMPS maintains a database that maps the MAC addresses of VMPS-enabled ports to VLANs. It's downloaded from the server using Trivial File Transfer Protocol (TFTP).
VMPS is useful in enterprises in which users move about between locations and use their laptop computers to log into the intranet from wherever they are. The VMPS Configuration page (Figure 5-33) is used to set the VMPS server, add or remove VLANs, and set a primary VLAN.
Figure 5-33: VMPS is a way to assign switch ports to VLANs automatically
Switches are an important means of providing connectivity in an organization's network. They not only unite devices on a network; they also supply an important, intermediary step between the PC and the internetwork. In addition to a number of switch offerings for organizations large and small, Cisco also provides a powerful management tool in its CMS software.