Cisco Catalyst 3850 Manual

Cisco Catalyst 3850 Series and Cisco
Catalyst 3650 Series Switches Best
Practices Guide
First Published: November 30, 2015
Last Updated: December 14, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.

Summary of Contents for Cisco Catalyst 3850

  • Page 3 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 5: Table Of Contents

    Create a Management VLAN in Hardware 2-15 Verify Basic Switch Configuration 2-17 Show Running Configuration for Initial Management Information 2-17 Switch Stack Update 3-21 Purpose 3-21 Prerequisites 3-21 Identify Configuration Values 3-22
  • Page 6 Prerequisites 5-41 Restrictions 5-41 Identify Configuration Values 5-42 LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router 5-43 Configure Uplink Interface Connectivity 5-44
  • Page 7 Provision Common Wired Security Access 7-68 Provision in Monitor Mode 7-71 Provision in Low Impact Mode 7-72 Provision in High Impact Mode 7-73 Verify Secure Access Control on the Switch 7-74
  • Page 8 Verify WLAN Client Connectivity 8-98 Verify the Converged Access Configuration on the Switch 8-99 Show Running Configuration for Wireless LAN Converged Access 8-99 System Health Monitoring 9-103 Purpose 9-103
  • Page 9 9-106 Monitor File Systems Usage 9-106 Run a System Baseline for Environmental Resources 9-107 Other System Monitoring Considerations 9-108 Spanning Tree Monitoring 9-108 Index
  • Page 11 Preface Audience This document is written for those managing the Cisco Catalyst 3850 Series Switches and the Cisco 3650 Series switches and switch stacks in their network. A basic understanding of Ethernet networking is expected. Cisco Certified Network Associate level (CCNA) knowledge is helpful, but not required.
  • Page 12: Obtaining Documentation And Submitting A Service Request

    Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 13: Ease Of Deployment

    This document describes best practices for deploying your Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series switches. Note: Unless otherwise noted, the term switch refers to a standalone Catalyst 3850 switch, a Catalyst 3650 switch, or a switch stack.
  • Page 14 [Figure labels: VSS (Cat6500/6800/4500), or VPC (Nexus 7000); Data VLAN 10; Trunk link, Native VLAN 999, All VLANs included; Printer; Access point VLAN 12; Wireless access]
  • Page 15 Figure 3 shows the best-practice configurations described in this document. See the Switch Hardware Installation Guide for information on how to install a switch.
  • Page 16 Configure wireless LAN on the switch and on access on the switch to enable connected devices converged access functionality Monitor switch health to maintain network stability and performance
  • Page 17 192.168.13.0/24 Upstream device Wireless client VLAN and subnet. — 192.168.254.0 — IP address range for all central services. The services are not physically adjacent to the switch.
  • Page 19: Switch Stack Update

    Cisco IOS XE release to avoid mismatch issues. In addition, any new switch that needs to join the switch stack must also be running the same Cisco IOS XE release; otherwise, the switch stack will not converge and the new switch will remain in a standalone state.
  • Page 20 [Figure labels: VSS (Cat6500/6800/4500), or VPC (Nexus 7000); Data VLAN 10; Trunk link, Native VLAN 999, All VLANs included; Printer; Access point VLAN 12; Wireless access] Performing the Stack Update
  • Page 21: Performing The Stack Update

    Step 1: Download the desired .bin file from Cisco.com to the switch flash storage. Note: The purpose of this example is only to show you how the Cisco-suggested release symbol is designated, and not to give you recommended release versions because those change over time.
  • Page 22 Note: Since the format of the packages.conf file has changed in Cisco IOS XE Release Denali 16.1, overwrite the old packages.conf with the new packages.conf file. Perform the above step for each switch in your stack. If you have a 3 member stack, it will need to be done on flash:, flash-2:, and flash-3.
  • Page 23 ------ ----- ----- ---------- ---------- ---- 1 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 2 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 3 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE
  • Page 24 Note: The request platform clean switch command also deletes the .bin file that is used to install the new Cisco IOS software. After the .bin is extracted, you no longer need it.
  • Page 25 Do you want to proceed? [y/n]y [1]: Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg done. Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done. Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg done.
  • Page 26: Update The Switch Stack Image

    [1 2]: Do you want to proceed with reload? [yes/no] Step 12: After the reload completes, run the request platform software package clean switch all file flash command.
  • Page 27: Enable Switch Image Auto-Upgrade

    The auto-upgrade feature automatically installs the software packages from an existing stack member to the stack member that is running incompatible software. Auto-upgrade is disabled by default. Note The rolling-upgrade feature is not supported. Note software auto-upgrade enable
  • Page 29: Prerequisites

    We recommend that you take a print out of Table 2, and, as you follow the configuration sequence, replace the values in column B with your values in column C. Note: Replace the blue italicized example values with your own values.
  • Page 30: Assign Initial Management Information

    • Enter the show running-configuration command to display the initial management information for the switch. Note: The following configurations should be performed in the same sequence in which they are listed here.
  • Page 31: Configure The Hostname For Switch Identification

    If the switch acts as a Web authentication server or as an authentication proxy, then do not disable the HTTP server by executing the no ip http server command.
  • Page 32: Configure SNMP For Remote Management

    TACACS+ server is unavailable. This example shows how to configure the switch for TACACS administrative access.
  • Page 33: Assign An IP Address To The Switch

    • Configure a Management IP Address on an Out-of-Band Interface • Configure a Management IP Address on an In-Band Interface • Create a Management VLAN in Hardware
  • Page 34 The GigabitEthernet 0/0 interface will not function without an IP address assigned to it. Mgmt-vrf is built-in; you do not have to create one for out-of-band management. ip route vrf Mgmt-vrf 192.168.128.5 255.255.255.0 192.168.128.1 exit
  • Page 35: Purpose

    VLAN, is in a forwarding state. This example shows a VLAN created for management and indicates that the IP address is reachable.
  • Page 36: Create A Management VLAN In Hardware

    VLAN ID on both ends of the Ethernet link to properly configure the management VLAN in hardware. A “dummy” VLAN is used as the native VLAN on trunk interfaces. A dummy VLAN is not used for data or management traffic.
  • Page 37 ! The next step assumes the uplink interface is GigabitEthernet 1/1/1, but ! your uplink interface may be different. interface GigabitEthernet 1/1/1 Switchport mode trunk Switchport trunk native vlan
  • Page 38 ! Now the default gateway will respond to pings ping 182.168.1.1 Note: Enter the show running-configuration command to display the initial management information for the switch.
  • Page 41: Identify Configuration Values

    Note: Replace the blue italicized example values with your own values. Table 4 Global System: Setting Values. Columns: A. Value Name | B. Example Value | C. Your Value. Management subnets allowed: 192.168.128.5/0.0.0.255, 192.168.0.0/0.0.0.255, 192.168.254.0/0.0.0.255. NTP server IP address: 192.168.254.11.
  • Page 42: Assign Global Configuration Information

    • Configure the Switch to run in VTP Transparent Mode • Enable Rapid Per-VLAN Spanning Tree Plus • Configure BPDU Guard for Spanning-Tree PortFast Interfaces • Configure UDLD to Detect Link Failure
  • Page 43: Configure High Availability On The Switch Stack

    Typically, VLANs are defined once during your initial switch configuration and do not require continuous VTP updates after the switch is operational.
  • Page 44: Enable Rapid Per-VLAN Spanning Tree

    The BPDU configuration protects STPF-enabled interfaces by disabling the port if another switch is plugged into the port. This command should be configured globally, not at the interface level. spanning-tree portfast bpduguard default
  • Page 45: Configure UDLD To Detect Link Failure

    55 permit 192.168.0.0 0.0.0.255 access-list 55 permit 192.168.254.0 0.0.0.255 line vty 0 15 access-class 55 in vrf-also exit snmp-server community sample-READONLY RO 55 snmp-server community sampe-READWRITE RW 55
  • Page 46: Configure System Clock And Console Timestamps

    Step 11 send traffic to. EtherChannel traffic should be balanced across all physical interfaces. The default load-balancing scheme for EtherChannels is based on the source MAC address.
  • Page 47: Create Access Layer Vlans

    IPv6 problems. Note: Access interfaces to end devices should not be trusted for router advertisements and IPv6 DHCP response.
  • Page 48: Increase The TFTP Block Size

    When new members join an existing switch stack, the Cisco IOS version of the new members must match the Cisco IOS version of the existing members. The Auto Upgrade feature provides the ability to automatically update new members when they join.
  • Page 49: Uplink Interface Connectivity

    We recommend that you identify certain switch configuration values in advance so that you can proceed with this workflow without interruption. We recommend that you take a print out of Table 5, and, as you follow the configuration sequence, replace the values in column B with your values in column C.
  • Page 50 Guard policy name QoS service policy input name AutoQos-4.0-Trust-Dscp-Input-Policy QoS service policy output name AutoQos-4.0-Output-Policy Note: Configuration examples begin in global configuration mode, unless noted otherwise.
  • Page 51: LAN Access Switch Topology With Uplinks To A Distribution Switch Or Distribution Router

    [Figure labels: VSS (Cat6500/6800/4500), or VPC (Nexus 7000); Data VLAN 10; Trunk link, Native VLAN 999, All VLANs included; Printer; Access point VLAN 12; Wireless access]
  • Page 52 [Figure labels: Desktop user; Dual redundant direct connect routers running HSRP; Data VLAN 10; Trunk link, Native VLAN 999, All VLANs included; Printer; Access point VLAN 12; Wireless access]
  • Page 53: Configure Uplink Interface Connectivity

    Additional service policies should be applied after traffic is transmitted in order to ease congestion. For more information, see “Configure QoS on an Access Interface” on page 56.
  • Page 54: Configure The Uplink Interface As An EtherChannel And As A Trunk

    6, shows the switch stack that has a single EtherChannel connection to a distribution VSS or VPC switch pair. The VSS and VPC systems have an explicit configuration between the Cisco distribution switch pair. That allows them to act as a single logical switch when connected to the EtherChannel. The EtherChannel is configured as a trunk with VLANs 10, 11, 12, and 100, with the native VLAN set to 999.
  • Page 55 EtherChannel to each distribution router. Each EtherChannel is configured as a trunk with VLANs 10, 11, 12, 100, 200, and 999, with the native VLAN set to 999.
  • Page 56 The policies that should be applied are defined in the “Global System Configuration” workflow. In the following example, security is applied to the uplink interfaces connecting to VPC, VSS, or standalone switch.
  • Page 57 For more information about spanning-tree root on distribution switches, see the “Spanning VLANs across Access Layer Switches” section of the Campus Network for High Availability Design Guide.
  • Page 58: Verify Uplink Interface Configurations

    0 unknown protocol drops 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out
  • Page 61: Prerequisites

    We also recommend that you take a print out of Table 6, and, as you follow the configuration sequence, replace the values in column B with your values in column C. Note: Replace the blue italicized example values with your own values.
  • Page 62 Uplink EtherChannel Interfaces” Classify-Police-Input-Policy section.) Trust-Dscp-Input-Policy SoftPhone-Input-Policy Trust-Dscp-Input-Policy Trust-Dscp-Input-Policy Trust-COS-Input-Policy No-Trust-Input-Policy QoS service policy output name 2P6Q3T Note: Configuration examples begin in global configuration mode, unless noted otherwise.
  • Page 63: LAN Access Switch Topology With Connections To End Devices

    When configuring your access interface, you should complete the following tasks: • Configure an Interface for Access Mode • Configure VLAN Membership • Create an Interface Description
  • Page 64: Configure The Interface For Access Mode

    Configure an Interface for Access Mode. Step 1: Use the switchport host command to perform the following configurations for the end devices on your switch:
  • Page 65: Configure VLAN Membership

    The MAC address limit is 11. When the end device exceeds 11 source MAC addresses, the ingress traffic to the switch on those source MAC addresses is dropped.
  • Page 66 IPv6 router advertisements, and IPv6 responses. The applied policies are defined in the “Global System Configuration” workflow. ipv6 nd raguard attach-policy endhost_ipv6_raguard ipv6 guard attach-policy endhost_ipv6__guard Configure QoS on an Access Interface
  • Page 67: Verify Access Interface Configurations

    The following section describes the commands that you should use to confirm that your configurations in this workflow are correctly applied to your switch: Step 11: Use the show running-configuration command to verify the operational configuration of the access interfaces.
  • Page 68 Interfaces: Interface Trusted Allow option Rate limit (pps) ----------------------- ------- ------------ ---------------- GigabitEthernet1/0/1 Custom circuit-ids: GigabitEthernet1/0/2 Custom circuit-ids: GigabitEthernet1/0/3 Custom circuit-ids: GigabitEthernet1/0/4 Custom circuit-ids:
  • Page 69 PORT endhost_ipv6_raguard RA guard vlan all Gi1/0/2 PORT endhost_ipv6_raguard RA guard vlan all Gi1/0/3 PORT endhost_ipv6_raguard RA guard vlan all Gi1/0/4 PORT endhost_ipv6_raguard RA guard vlan all
  • Page 70 Enter the range command for each member. IP Phone Access Interface The following example displays the IP phone Access Interface information:
  • Page 71 2k storm-control action trap ipv6 nd raguard attach-policy endhost_ipv6_raguard ipv6 guard attach-policy endhost_ipv6__guard auto qos voip cisco-phone service-policy input AutoQos-4.0-CiscoPhone-Input-Policy service-policy output 2P6Q3T
  • Page 72 1k storm-control multicast level pps 2k storm-control action trap Printer Access Interface The following example displays the Printer Access Interface information.
  • Page 73 2k storm-control action trap ipv6 nd raguard attach-policy endhost_ipv6_raguard ipv6 guard attach-policy endhost_ipv6__guard auto qos classify police service-policy input AutoQos-4.0-Classify-Police-Input-Policy service-policy output 2P6Q3T
  • Page 75: Prerequisites

    • Do not use port security with IEEE 802.1x. When IEEE 802.1x is enabled, port security then becomes redundant and might interfere with the IEEE 802.1x functionality. Identify Configuration Values
  • Page 76: Identify Configuration Values

    RADIUS server encryption key cisco123 Data VLAN Voice VLAN Auth-server dead vlan Extended IP ACL LowImpactSecurity-acl Note: Configuration examples begin in global configuration mode, unless noted otherwise.
  • Page 77: LAN Access Switch Topology With IEEE 802.1x Secure Access Control

    The main components of IEEE 802.1x are: • Supplicant (end device) • Authenticator (switch) • Authentication server (RADIUS or ISE)
  • Page 78: Provision Common Wired Security Access

    In this mode, addresses. voice endpoint. all devices are authenticated. Unless otherwise noted, we recommend that multiple-authentication mode be configured instead of single-host mode, for increased security:
  • Page 79 We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless necessary. Begin in interface configuration mode: dot1x timeout tx-period dot1x max-reauth-req authentication timer restart dot1x timeout quiet-period
  • Page 80 Begin in global configuration mode. Enable new access control aaa new-model !Set authentication list for 802.1x aaa authentication dot1x default group radius !Enable 802.1x authentication dot1x system-auth-control
  • Page 81: Provision In Monitor Mode

    IEEE 802.1x functionality. Begin in interface configuration mode. no switchport port-security no switchport port-security violation no switchport port-security aging type no switchport port-security aging time no switchport port-security maximum
  • Page 82: Provision In Low Impact Mode

    GigabitEthernet1/0/1 ip access-group LowImpactSecurity-acl
  • Page 83: Provision In High Impact Mode

    (multiauth) mode or if the voice domain of the port is in MDA mode. authentication event server dead action authorize vlan Step 15: If the authentication server does not respond, authorize voice. authentication dead action authorize voice
  • Page 84: Show Running Configuration For Provisioning Modes

    AutoQos-4.0-CiscoPhone-Input-Policy service-policy output AutoQos-4.0-Output-Policy ip verify source snooping limit rate 100 radius server AuthServer address ipv4 192.168.254.14 auth-port 1645 acct-port 1646 key cisco123
  • Page 85 AuthServer address ipv4 192.168.254.14 auth-port 1645 acct-port 1646 key cisco123
  • Page 86: Monitoring IEEE 802.1x Status And Statistics

    192.168.254.14 auth-port 1645 acct-port 1646 key cisco123 Monitoring IEEE 802.1x Status and Statistics Step 1: Use the show dot1x statistics command to display switch-related and port-related IEEE 802.1x statistics.
  • Page 87 Sysauthcontrol Enabled Dot1x Protocol Version Dot1x Info for GigabitEthernet1/0/1 ----------------------------------- = AUTHENTICATOR QuietPeriod = 60 ServerTimeout SuppTimeout = 30 ReAuthMax MaxReq TxPeriod = 30
  • Page 88 Dot1x Info for GigabitEthernet1/0/1 ----------------------------------- PAE = AUTHENTICATOR QuietPeriod = 60 ServerTimeout = 0 SuppTimeout = 30 ReAuthMax = 2 MaxReq = 2 TxPeriod = 30
  • Page 89: Converged Wired And Wireless Access

    Wired and wireless features that are enabled in the same platform are referred to as converged access. The wired plus wireless features are bundled into a single Cisco IOS Software image, which reduces the number of software images that users have to qualify and certify before enabling them in their network.
  • Page 90: Identify Configuration Values

    • A Catalyst 3850 switch stack can support a maximum of 50 access points. • A Cisco Catalyst 3650 stack can support a maximum of 25 access points. • WLAN cannot use client VLAN 0.
  • Page 91: LAN Access Switch Topology With Wireless Connectivity

    We recommend that you distribute the access points equally across the stack to achieve reliability during switchover scenarios preventing connectivity loss to access points connected to a member or standby switch.
  • Page 92: Enable The Switch As A Wireless Controller

    AP-count license for the switch stack is automatically recalculated. • When members are removed from the stack, the total AP-count license is decremented from the total available AP-count license in the stack.
  • Page 93: Verify AP-Count License Installation

    Step 3: Verify the RTU license summary details. The example shows that a permanent IP Services license is installed and is available upon switch reboot: Five AP-count licenses are in use.
  • Page 94: Configure A Wireless Management VLAN

    We recommend that you exclude the IP address already used for the default router and the in-use wireless management SVI address to prevent an upstream router from allocating this IP address to an access point.
  • Page 95: Enable Wireless Controller Functionality

    [confirm] y Step 8: After the switch reboots, verify that the role of the switch has changed to Mobility Controller.
  • Page 96: Enable The Access Point Connections

    Note Step 4: The access VLAN on the switch port should be the same as the wireless management VLAN configured in this workflow.
  • Page 97: Enable A Client VLAN

    !Activate the client VLAN in the VLAN database. !Configure VLAN 200 if not already configured. vlan name Wireless_Client interface vlan description Client VLAN ip address 192.168.13.2 255.255.254.0 no shutdown
  • Page 98: Provisioning A Small Branch WLAN

    Access II (WPA2). To make the WLAN open, use the no security wpa wpa2 command. wlan OPEN_WLAN 1 open_wlan client vlan no security wpa no security wpa akm dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes no shutdown
  • Page 99: Configure QoS To Secure The WLAN

    WLAN. wlan secure_WLAN 2 CISCO_WLAN shutdown service-policy client input wlan-Entr-Client-Input-Policy service-policy output wlan-Entr-SSID-Output-policy no shutdown exit
  • Page 100: Verify Client Connectivity In RADIUS

    Anchor Clients Foreign Clients MTE Clients Mac Address VlanId IPv4 Address Src If -------------- ------ --------------- ------------------ ------- 0000.3a40.0001 340 153.40.125.100 0x00000000800000E2 LOCAL 0000.3a40.0002 340 153.40.125.101 0x00000000800000A1 LOCAL
  • Page 101: Provision In Secure Mode

    Configure QoS Service Policies for an Open WLAN • DHCP Snooping Enable the AAA RADIUS Server The configuration of the RADIUS server is dependent on the RADIUS service that you choose.
  • Page 102: Configure The WLAN With IEEE 802.1x Authentication

    Note: WPA2 with AES encryption and IEEE 802.1x key management are enabled by default on the WLAN for the switch, so you do not need to explicitly configure these security settings.
  • Page 103: Configure QoS Service Policies For An Open WLAN

    WLAN. This option allows strict control of used IP addresses.
  • Page 104: Manage Radio Frequency And Channel Settings

    5ghz rate RATE_36M supported ap dot11 5ghz rate RATE_48M supported ap dot11 5ghz rate RATE_54M supported no ap dot11 5ghz shutdown !Shutdown 2.4Ghz network ap dot11 24ghz shutdown
  • Page 105: Enable Clean Air

    24ghz cleanair device video ap dot11 5ghz cleanair device jammer ap dot11 5ghz cleanair device cont-tx ap dot11 5ghz cleanair device dect-like ap dot11 5ghz cleanair device video
  • Page 106: Enable Dynamic Channel Assignment

    Client connectivity depends on the type of device used, which can be verified by looking at the wireless network interface details.
  • Page 107: Verify Wlan Client Connectivity

    0x006B2F4000002844 RUN LOCAL Show Running Configuration for Wireless LAN Converged Access Step 1: Enter the show running-configuration command to display the wireless configuration settings for the switch.
  • Page 108 OPEN_WLAN 1 WiFi_Open client vlan 200 no security wpa no security wpa akm dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes no shutdown
  • Page 109 5ghz rate RATE_24M mandatory ap dot11 5ghz rate RATE_36M supported ap dot11 5ghz rate RATE_48M supported ap dot11 5ghz rate RATE_54M supported no ap dot11 5ghz shutdown ap group default-group
  • Page 110 Converged Wired and Wireless Access Show Running Configuration for Wireless LAN Converged Access
  • Page 111: System Health Monitoring

    If you are only interested in the switch uptime and last reload, you can run a more direct command using the pipe “|” feature built into Cisco IOS XE (and Cisco IOS) software. This example shows that Cisco IOS XE release 3.3.2 SE was running for five weeks before a privileged user initiated a switch reload.
  • Page 112: Run A System Baseline For Core Resources

    This output shows the five-second, one-minute, and five-minute periods on each CPU core. It also shows that the Forwarding Engine Driver (FED), IOS daemon (IOSd), and Wireless Controller Module (WCM) processes have the highest CPU utilization.
  • Page 113 CPU% per second (last 60 seconds) Reference: For detailed information to help troubleshoot your high CPU usage concerns, see the Catalyst 3850 Series Switch High CPU Usage Troubleshooting document.
  • Page 114: Obtain Switch Memory Usage

    Use the dir filesystem or the show filesystem command to list the files under a specific file system. Step 6 When you find crash files, it is important to immediately retrieve them to diagnose a system failure or unexpected crash.
  • Page 115: Run A System Baseline For Environmental Resources

    Step 8: If your switches are in a stack, run the show environment stack command to view all of the environmental outputs stack wide. Although some of the settings are adjustable, we recommend leaving the settings with their default values.
  • Page 116: Other System Monitoring Considerations

    This example output shows that the switch is actually operating as the root bridge for all of the VLANs, which can cause extreme network degradation if incorrectly configured.
  • Page 117 This command displays network stability information about the number of topology changes within each VLAN, the last time a TCN was received, and so forth. Frequently monitoring this information is critical to maintaining overall health of the switch and network.
  • Page 118 Number of topology changes 12 last change occurred 4d07h ago from GigabitEthernet1/0/1 VLAN0881 is executing the ieee compatible Spanning Tree protocol Number of topology changes 7 last change occurred 4d07h ago from GigabitEthernet1/0/1
  • Page 119: Index

    Easy-open mode End-User-License Agreement (EULA) out-of-band management EtherChannels 135, 144 evaluation license password provision in phased deployments high impact mode HSRP (Hot Standby Router Protocol) HTTP (HTTPS)
  • Page 120 Distribution switches synchronized clock TACACS+ TFTP and FTP server TFTP block size 121, 136 Unidirectional Link Detection (UDLD) uplink to distribution switches user id

This manual is also suitable for:

Catalyst 3650
