Cisco WS-C3750-48PS-S Software Configuration Manual

Network switch.

Catalyst 3750 Switch
Software Configuration Guide
Cisco IOS Release 12.2(20)SE
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816180=
Text Part Number: 78-16180-02

   Summary of Contents for Cisco WS-C3750-48PS-S

  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
  • Page 3: Table Of Contents

    Cisco.com xxxvii Ordering Documentation xxxviii Documentation Feedback xxxviii Obtaining Technical Assistance xxxviii Cisco Technical Support Website xxxix Submitting a Service Request xxxix Definitions of Service Request Severity xxxix Obtaining Additional Publications and Information CHAPTER 1 Overview...
  • Page 4 Contents Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Accessing the CLI from a Browser...
  • Page 5 Contents CHAPTER 4 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device...
  • Page 6 Contents Compatibility Recommendations 5-11 Incompatible Software and Stack Member Image Upgrades 5-11 Stack Protocol Version Compatibility 5-11 Switch Stack Configuration Files 5-12 Additional Considerations for System-Wide Configuration on Switch Stacks 5-13 Switch Stack Management Connectivity 5-14 Connectivity to the Switch Stack Through an IP Address 5-14 Connectivity to the Switch Stack Through an SSH Session 5-14...
  • Page 7 Contents SNMP Community Strings 6-14 Switch Clusters and Switch Stacks 6-14 TACACS+ and RADIUS 6-16 Access Modes in CMS 6-16 LRE Profiles 6-17 Availability of Switch-Specific Features in Switch Clusters 6-17 Creating a Switch Cluster 6-17 Enabling a Cluster Command Switch 6-17 Adding Cluster Member Switches 6-18...
  • Page 8 Contents Displaying the DNS Configuration 7-18 Creating a Banner 7-18 Default Banner Configuration 7-18 Configuring a Message-of-the-Day Login Banner 7-19 Configuring a Login Banner 7-20 Managing the MAC Address Table 7-20 Building the Address Table 7-21 MAC Addresses and VLANs 7-21 MAC Addresses and Switch Stacks 7-22...
  • Page 9 Contents Logging into and Exiting a Privilege Level 9-10 Controlling Switch Access with TACACS+ 9-10 Understanding TACACS+ 9-10 TACACS+ Operation 9-12 Configuring TACACS+ 9-13 Default TACACS+ Configuration 9-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 9-13 Configuring TACACS+ Login Authentication 9-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 9-16...
  • Page 10 Contents Setting Up the Switch to Run SSH 9-39 Configuring the SSH Server 9-40 Displaying the SSH Configuration and Status 9-41 CHAPTER 10 Configuring 802.1x Port-Based Authentication 10-1 Understanding 802.1x Port-Based Authentication 10-1 Device Roles 10-2 Authentication Initiation and Message Exchange 10-3...
  • Page 11 Understanding Smartports Macros 12-1 Configuring Smartports Macros 12-2 Default Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Creating Smartports Macros 12-4 Applying Smartports Macros 12-5 Applying Cisco-Default Smartports Macros 12-6 Displaying Smartports Macros 12-8...
  • Page 12 Contents CHAPTER 13 Configuring VLANs 13-1 Understanding VLANs 13-1 Supported VLANs 13-3 VLAN Port Membership Modes 13-3 Configuring Normal-Range VLANs 13-5 Token Ring VLANs 13-6 Normal-Range VLAN Configuration Guidelines 13-6 VLAN Configuration Mode Options 13-7 VLAN Configuration in config-vlan Mode 13-7 VLAN Configuration in VLAN Database Configuration Mode...
  • Page 13 Contents VMPS Configuration Guidelines 13-29 Configuring the VMPS Client 13-30 Entering the IP Address of the VMPS 13-30 Configuring Dynamic-Access Ports on VMPS Clients 13-30 Reconfirming VLAN Memberships 13-31 Changing the Reconfirmation Interval 13-31 Changing the Retry Count 13-32 Monitoring the VMPS 13-32 Troubleshooting Dynamic-Access Port VLAN Membership 13-33...
  • Page 14 Configuring Voice VLAN 16-3 Default Voice VLAN Configuration 16-3 Voice VLAN Configuration Guidelines 16-3 Configuring a Port Connected to a Cisco 7960 IP Phone 16-4 Configuring IP Phone Voice Traffic 16-4 Configuring the Priority of Incoming Data Frames 16-6 Displaying Voice VLAN...
  • Page 15 Contents Learning State 17-7 Forwarding State 17-7 Disabled State 17-8 How a Switch or Port Becomes the Root Switch or Root Port 17-8 Spanning Tree and Redundant Connectivity 17-9 Spanning-Tree Address Management 17-9 Accelerated Aging to Retain Connectivity 17-9 Spanning-Tree Modes and Protocols 17-10 Supported Spanning-Tree Instances 17-10...
  • Page 16 Contents Understanding RSTP 18-6 Port Roles and the Active Topology 18-7 Rapid Convergence 18-8 Synchronization of Port Roles 18-9 Bridge Protocol Data Unit Format and Processing 18-10 Processing Superior BPDU Information 18-11 Processing Inferior BPDU Information 18-11 Topology Changes 18-11 Configuring MSTP Features 18-12 Default MSTP Configuration...
  • Page 17 21-1 DHCP Server 21-2 DHCP Relay Agent 21-2 DHCP Snooping 21-2 Option-82 Data Insertion 21-3 Cisco IOS DHCP Server Database 21-5 DHCP Snooping Binding Database 21-5 DHCP Snooping and Switch Stacks 21-6 Configuring DHCP Features 21-7 Default DHCP Configuration 21-7...
  • Page 18 Contents Enabling the Cisco IOS DHCP Server Database 21-12 Enabling the DHCP Snooping Binding Database Agent 21-12 Displaying DHCP Snooping Information 21-14 Displaying the DHCP Snooping Configuration 21-14 Displaying the DHCP Snooping Binding Database 21-14 Understanding IP Source Guard 21-15...
  • Page 19 Contents Configuring IGMP Snooping 23-6 Default IGMP Snooping Configuration 23-6 Enabling or Disabling IGMP Snooping 23-7 Setting the Snooping Method 23-7 Configuring a Multicast Router Port 23-9 Configuring a Host Statically to Join a Group 23-10 Enabling IGMP Immediate Leave 23-11 Disabling IGMP Report Suppression 23-11...
  • Page 20 Contents Understanding Port Security 24-7 Secure MAC Addresses 24-7 Security Violations 24-8 Default Port Security Configuration 24-9 Configuration Guidelines 24-10 Enabling and Configuring Port Security 24-10 Enabling and Configuring Port Security Aging 24-14 Port Security and Switch Stacks 24-15 Displaying Port-Based Traffic Control Settings 24-16 Configuring CDP 25-1...
  • Page 21 Contents Monitored Traffic 27-5 Source Ports 27-6 Source VLANs 27-7 VLAN Filtering 27-7 Destination Port 27-8 RSPAN VLAN 27-9 SPAN and RSPAN Interaction with Other Features 27-9 SPAN and RSPAN and Switch Stacks 27-10 Configuring SPAN and RSPAN 27-10 Default SPAN and RSPAN Configuration 27-11 Configuring Local SPAN 27-11...
  • Page 22 Contents Setting the Message Display Destination Device 29-5 Synchronizing Log Messages 29-6 Enabling and Disabling Time Stamps on Log Messages 29-7 Enabling and Disabling Sequence Numbers in Log Messages 29-8 Defining the Message Severity Level 29-9 Limiting Syslog Messages Sent to the History Table and to SNMP 29-10 Configuring UNIX Syslog Servers 29-11...
  • Page 23 Contents ACLs and Switch Stacks 31-6 Configuring IP ACLs 31-6 Creating Standard and Extended IP ACLs 31-7 Access List Numbers 31-7 Creating a Numbered Standard ACL 31-9 Creating a Numbered Extended ACL 31-11 Resequencing ACEs in an ACL 31-15 Creating Named Standard and Extended ACLs 31-15 Using Time Ranges with ACLs 31-17...
  • Page 24 Contents CHAPTER 32 Configuring QoS 32-1 Understanding QoS 32-1 Basic QoS Model 32-3 Classification 32-4 Classification Based on QoS ACLs 32-7 Classification Based on Class Maps and Policy Maps 32-7 Policing and Marking 32-8 Mapping Tables 32-10 Queueing and Scheduling Overview 32-11...
  • Page 25 Contents Configuring DSCP Maps 32-49 Configuring the CoS-to-DSCP Map 32-50 Configuring the IP-Precedence-to-DSCP Map 32-50 Configuring the Policed-DSCP Map 32-51 Configuring the DSCP-to-CoS Map 32-52 Configuring the DSCP-to-DSCP-Mutation Map 32-53 Configuring Ingress Queue Characteristics 32-55 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 32-56 Allocating Buffer Space Between the Ingress Queues 32-57...
  • Page 26 Contents Configuring the Physical Interfaces 33-16 Configuring EtherChannel Load Balancing 33-18 Configuring the PAgP Learn Method and Priority 33-19 Configuring LACP Hot-Standby Ports 33-20 Configuring the LACP System Priority 33-21 Configuring the LACP Port Priority 33-22 Displaying EtherChannel, PAgP, and LACP Status 33-23 Configuring IP Unicast Routing 34-1...
  • Page 27 Configuring BGP Route Reflectors 34-57 Configuring Route Dampening 34-58 Monitoring and Maintaining BGP 34-59 Configuring Protocol-Independent Features 34-60 Configuring Distributed Cisco Express Forwarding 34-60 Configuring the Number of Equal-Cost Routing Paths 34-62 Configuring Static Unicast Routes 34-62 Specifying Default Routes and Networks 34-63...
  • Page 28 Configuring HSRP Groups and Clustering 35-11 Displaying HSRP Configurations 35-11 CHAPTER 36 Configuring IP Multicast Routing 36-1 Understanding Cisco’s Implementation of IP Multicast Routing 36-2 Understanding IGMP 36-2 IGMP Version 1 36-3 IGMP Version 2...
  • Page 29 Contents PIMv1 and PIMv2 Interoperability 36-9 Auto-RP and BSR Configuration Guidelines 36-10 Configuring Basic Multicast Routing 36-10 Configuring a Rendezvous Point 36-12 Manually Assigning an RP to Multicast Groups 36-12 Configuring Auto-RP 36-14 Configuring PIMv2 BSR 36-18 Using Auto-RP and a BSR 36-22 Monitoring the RP Mapping Information 36-23...
  • Page 30 Contents Changing the DVMRP Route Threshold 36-46 Configuring a DVMRP Summary Address 36-47 Disabling DVMRP Autosummarization 36-49 Adding a Metric Offset to the DVMRP Route 36-49 Monitoring and Maintaining IP Multicast Routing 36-50 Clearing Caches, Tables, and Databases 36-51 Displaying System and Network Statistics 36-51 Monitoring IP Multicast Routing 36-52...
  • Page 31 Contents Adjusting Spanning-Tree Parameters 38-6 Changing the VLAN-Bridge Spanning-Tree Priority 38-7 Changing the Interface Priority 38-7 Assigning a Path Cost 38-8 Adjusting BPDU Intervals 38-9 Disabling the Spanning Tree on an Interface 38-11 Monitoring and Maintaining Fallback Bridging 38-11 CHAPTER 39 Troubleshooting 39-1 Recovering from Corrupted Software By Using the Xmodem Protocol...
  • Page 32 APPENDIX A MIB List Using FTP to Access the MIB Files APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 33 Working with Software Images B-20 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-21 Copying Image Files By Using TFTP B-22 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 34 Contents IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MAC Address Commands Unsupported Privileged EXEC Commands...
  • Page 35 This guide is for the networking professional managing the Catalyst 3750 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 36 Preface, Conventions: This publication uses these conventions to convey instructions and information. Command descriptions use these conventions: • Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. ...
  • Page 37: Related Publications

    For upgrading information, refer to the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxvii.
  • Page 38: Ordering Documentation

    Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
  • Page 39: Cisco Technical Support Website

    URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 40: Obtaining Additional Publications And Information

    • Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/...
  • Page 41 Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) versions of the SMI and EMI. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, refer to the release notes for this release.
  • Page 42: Chapter 1 Overview

    For more information about Express Setup, refer to the hardware installation guide. • User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network. • Cluster Management Suite (CMS) graphical user interface (GUI) for...
  • Page 43 – Using a single IP address and configuration file to manage the entire switch stack. – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server. –...
  • Page 44 For more information about CMS, see Chapter 3, “Getting Started with CMS.” • CLI—The Cisco IOS CLI software is enhanced to support desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station.
  • Page 45 • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • In-band management access through CMS over a Netscape Communicator or Microsoft Internet...
  • Page 46 • Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy • RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability. VLAN Features: • Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network...
  • Page 47 • Protected port option for restricting the forwarding of traffic to designated ports on the same switch • Port security option for limiting and identifying MAC addresses of the stations allowed to access the port • Port security aging to set the aging time for secure addresses on a port • BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs...
  • Page 48 – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security • Policing – Traffic-policing policies on the switch port for managing how much of the port bandwidth...
  • Page 49 Power over Ethernet (PoE) Features • Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from all 10/100 Ethernet ports if the switch detects that there is no power on the circuit • 24-port PoE switch provides 15.4 W of power on each 10/100 port; 48-port PoE switch provides...
  • Page 50: Default Settings After Initial Switch Configuration

    “Configuring Interface Characteristics.” – Auto-MDIX is enabled. For more information, see Chapter 11, “Configuring Interface Characteristics.” Note: In releases earlier than Cisco IOS Release 12.2(18)SE, the default setting for auto-MDIX is disabled.
  • Page 51: Default Settings After Initial Switch Configuration

    – Flow control is off. For more information, see Chapter 11, “Configuring Interface Characteristics.” – PoE is autonegotiate. For more information, see Chapter 11, “Configuring Interface Characteristics.” • No Smartports macros are defined. For more information, see Chapter 12, “Configuring Smartports...
  • Page 52: Network Configuration Examples

    • CDP is enabled. For more information, see Chapter 25, “Configuring CDP.” • UDLD is disabled. For more information, see Chapter 26, “Configuring UDLD.” • SPAN and RSPAN are disabled. For more information, see Chapter 27, “Configuring SPAN and RSPAN.”...
  • Page 53: Network Configuration Examples

    Table 1-1 Increasing Network Performance. Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet. Suggested Design Methods: • Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most.
  • Page 54 Table 1-2 Providing Network Services (continued). Network Demands: An evolving demand for IP telephony. Suggested Design Methods: • Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network. •...
  • Page 55 IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch. Each switch in this configuration provides users with a dedicated 1-Gbps connection to network resources.
  • Page 56 QoS and policing on the switches provide preferential treatment for certain data streams, if required. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Dual homing of servers to dual switch stacks with redundant Gigabit EtherChannel and cross-stack EtherChannel provide fault tolerance from the server racks to the core.
  • Page 57: Small To Medium-sized Network Using Catalyst 3750 Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones are configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 58: Large Network Using Catalyst 3750 Switches

    Cisco CallManager controls call processing, routing, and IP phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.
  • Page 59 In the wiring closet, each switch stack has IGMP snooping enabled to efficiently forward multimedia and multicast traffic. QoS ACLs that either drop or mark nonconforming traffic based on bandwidth limits are also configured on each switch stack. VLAN maps provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network.
  • Page 60 Figure 1-7 Catalyst 3750 Switch Stacks in Wiring Closets in a Backbone Configuration (figure labels: Cisco 7x00 routers, Catalyst 6500 multilayer switches, Catalyst 3750 multilayer StackWise switch stacks, IEEE 802.3af-compliant...)
  • Page 61: Multidwelling Network Using Catalyst 3750 Switches

    Multidwelling Network Using Catalyst 3750 Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-8 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 62 The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, refer to the Cisco CWDM GBIC and CWDM SFP Installation Note.
  • Page 63: Chapter 4 Assigning The Switch Ip Address And Default Gateway

    Figure 1-9 Long-Distance, High-Bandwidth Transport Configuration (figure labels: Access layer, Aggregation layer, 8 Gbps, CWDM OADM modules, Catalyst 4500 multilayer switches, Eight Catalyst switches, 1-Gbps connections). Where to Go Next: Before configuring the switch, review these sections for startup information: Chapter 2, “Using the Command-Line Interface”...
  • Page 64: Where To Go Next
  • Page 65: Understanding Command Modes

    Chapter 2 Using the Command-Line Interface: This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3750 switch. It contains these sections: • Understanding Command Modes, page 2-1 •...
  • Page 66: Chapter 2 Using The Command-line Interface

    Table 2-1 Command Mode Summary (columns: Mode, Access Method, Prompt, Exit Method, About This Mode). User EXEC: Access Method: Begin a session with your switch. Prompt: Switch> Exit Method: Enter logout or quit. About This Mode: Use this mode to change terminal settings, ...
  • Page 67: Understanding The Help System

    Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
  • Page 68: Understanding No And Default Forms Of Commands

    Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
  • Page 69: Changing The Command History Buffer Size

    Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history...
  • Page 70: Using Editing Features

    Using Editing Features This section describes the editing features that can help you manipulate the command line. It contains these sections: • Enabling and Disabling Editing Features, page 2-6 (optional) • Editing Commands through Keystrokes, page 2-6 (optional) • Editing Command Lines that Wrap, page 2-8...
  • Page 71 Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke Purpose Press Esc Y. Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
  • Page 72: Editing Command Lines That Wrap

    Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
  • Page 73: Accessing The Cli

    Accessing the CLI You can access the CLI through a console connection, through Telnet, or by using the browser. You manage the switch stack and the stack member interfaces through the stack master. You cannot manage stack members on an individual switch basis.
  • Page 74: Accessing The Cli From A Browser

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to the CLI or to the Cluster Management Suite (CMS), exit your browser to end the browser session.
  • Page 75: Understanding Cms

    Chapter 3 Getting Started with CMS: This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 3750 switch: • “Understanding CMS” section on page 3-1 • “Configuring CMS” section on page 3-8 •...
  • Page 76: Chapter 3 Getting Started With CMS

    Front Panel View The Front Panel view displays the front-panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS”...
  • Page 77 • The toolbar provides buttons for commonly used switch and cluster configuration options and information windows such as legends and online help. Table 3-1 lists the toolbar options from left to right on the toolbar. Table 3-1 Toolbar Buttons: Toolbar Option...
  • Page 78 • The feature bar shows the features available for the devices in your cluster. By default, the feature bar is in standard mode. In this mode, the feature bar is always visible, and you can reduce or increase the width of the feature bar.
  • Page 79: Online Help

    You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
  • Page 80: Expert Mode

    Figure 3-3 Guide Mode and Wizards [figure labels: Guide mode icon; Wizards]. Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels”...
  • Page 81: Privilege Levels

    If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 82: Configuring CMS

    This section contains these topics that describe the requirements and configuration information for CMS: • “CMS Requirements” section on page 3-8 • “Cross-Platform Considerations” section on page 3-9 • “Launching CMS” section on page 3-11 • ...
  • Page 83: Operating System And Browser Support

    When managing switch clusters through CMS, remember that clusters can have a mix of switch models using different Cisco IOS releases and that CMS in earlier Cisco IOS releases and on different switch platforms might look and function differently from CMS in this Cisco IOS release.
  • Page 84: HTTP Access to CMS

    CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version.
  • Page 85: Displaying CMS

    ...HTTP server user authentication. • local—Local user database as defined on the Cisco router or access server is used. • tacacs—TACACS server is used. Step 3: Return to privileged EXEC mode.
  • Page 86 • Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show interfaces privileged EXEC command • Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC). Step 3: Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS.
  • Page 87 Figure 3-5 CMS Startup Report. The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
  • Page 88: Front Panel View

    When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 3-6.
  • Page 89: Topology View

    Figure 3-7 shows a cluster with a Catalyst 3550 switch as the command switch. Note: Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 3750 switch as the command switch.
  • Page 90: CMS Icons

    The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
  • Page 91: Understanding the Boot Process

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and to the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: • ...
  • Page 92: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. The switch stack is managed through a single IP address. The IP address is a system-level setting and is not specific to the stack master or to any other stack member.
  • Page 93: Default Switch Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway, Assigning Switch Information. Note: If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file. If you are an experienced user familiar with the switch configuration steps, manually configure the switch.
  • Page 94: DHCP Client Request Process

    The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay device between your switch and the DHCP server.
  • Page 95: Configuring DHCP-Based Autoconfiguration

    • Example Configuration, page 4-8. If your DHCP server is a Cisco device, refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
  • Page 96: Configuring the DNS

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 97: Obtaining Configuration Files

    Note: see the “Routed Ports” section on page 11-3 and the “Configuring Layer 3 Interfaces” section on page 11-21. Figure 4-2 Relay Device Used in Autoconfiguration [figure labels: Switch (DHCP client); Cisco router (Relay); 10.0.0.2; 10.0.0.1; 20.0.0.1; 20.0.0.2; 20.0.0.3; 20.0.0.4; DHCP server ...]
  • Page 98: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example [figure labels: Switch 1, Switch 2, Switch 3, Switch 4; 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003, 00e0.9f1e.2004; Cisco router; 10.0.0.10, 10.0.0.1, 10.0.0.2, 10.0.0.3; DHCP server, DNS server, TFTP server (tftpserver)]. Table 4-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 99 Table 4-2 DHCP Server Configuration (continued). Boot filename (configuration file) (optional): Switch A switcha-confg; Switch B switchb-confg; Switch C switchc-confg; Switch D switchd-confg. Host name (optional): Switch A switcha; Switch B switchb; Switch C switchc; Switch D switchd...
  • Page 100: Manually Assigning IP Information

    Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command / Purpose. Step 1...
  • Page 101: Modifying the Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration This section describes how to modify the switch startup configuration.
  • Page 102: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 103: Booting Manually

    Step 4 show boot: Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 104: Controlling Environment Variables

    Note: This command only works properly from a standalone switch. Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle: Command / Purpose...
  • Page 105 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 106: Scheduling a Reload of the Software Image

    CONFIG_FILE: the boot loader command set CONFIG_FILE flash:/file-url changes the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration; the global configuration command boot config-file flash:/file-url specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration.
  • Page 107: Displaying Scheduled Reload Information

    Note: Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch.
  • Page 108 Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Catalyst 3750 Switch Software Configuration Guide 4-18 78-16180-02...
  • Page 109: Managing Switch Stacks

    One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members. The stack members use the Cisco StackWise technology to behave and work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 110: Chapter 5 Managing Switch Stacks

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks The system-level features supported on the stack master are supported on the entire switch stack. If the switch stack must have switches running both standard multilayer image (SMI) and enhanced multilayer image (EMI) software, we recommend that a switch running the EMI software be the stack master. EMI features are unavailable if the stack master is running the SMI software.
  • Page 111: Switch Stack Membership

    A switch stack has up to nine stack members connected through their StackWise ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master. You can connect one standalone switch to another (Figure 5-1 on page 5-4) to create a switch stack...
  • Page 112: Stack Master Election and Re-Election

    The Catalyst 3750 EMI cryptographic image has a higher priority than the Catalyst 3750 SMI image during the master switch election in a stack. However, when two or more switches in the stack use different software images, such as the SMI image for Cisco IOS Release 12.1(11)AX and the...
  • Page 113: Switch Stack Bridge ID and Router MAC Address

    10 seconds. To avoid this problem, upgrade the switch running the SMI to a software release later than Cisco IOS Release 12.1(11)AX or manually start the master switch and wait at least 8 seconds before starting the new member switch.
  • Page 114: Stack Member Numbers

    The stack member number (1 to 9) identifies each member in the switch stack. The member number also determines the interface-level configuration that a stack member uses. You can display the stack member number by using the show switch user EXEC command.
  • Page 115: Stack Member Priority Values

    You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command. The provisioned configuration also is automatically created when a switch is added to a switch stack that is running Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
  • Page 116: Effects of Adding a Provisioned Switch to a Switch Stack

    When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration to it. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch:...
  • Page 117 In addition, any configured PoE-related commands that are valid only on PoE-capable interfaces are rejected, even for ports 1 through 24. Note: If the switch stack is running Cisco IOS Release 12.2(20)SE or later and does not contain a provisioned configuration for a new switch, the switch joins the stack with the default interface configuration.
  • Page 118: Effects of Replacing a Provisioned Switch in a Switch Stack

    Effects of Removing a Provisioned Switch from a Switch Stack If a switch stack is running Cisco IOS Release 12.2(20)SE or later and you remove a provisioned switch from a switch stack, the configuration associated with the removed stack member remains in the running configuration as provisioned information.
  • Page 119: Compatibility Recommendations

    “Hardware Compatibility in Switch Stacks” section on page 5-10. Compatibility Recommendations: All stack members must run the same Cisco IOS software version to ensure compatibility between stack members. Follow these recommendations: • The Cisco IOS software version on all stack members, including the stack master, should be the...
  • Page 120: Switch Stack Configuration Files

    Note We recommend that all stack members are installed with Cisco IOS Release 12.1(14)EA1 or later to ensure that the interface-specific settings of the stack master are saved, in case the stack master is replaced without saving the running configuration to the startup configuration.
  • Page 121: Additional Considerations for System-Wide Configuration on Switch Stacks

    For more information about file systems and configuration files, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: •...
  • Page 122: Switch Stack Management Connectivity

    You manage the switch stack and the stack member interfaces through the stack master. You can use the CMS, the CLI, and SNMP and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis.
  • Page 123: Switch Stack Configuration Scenarios

    To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the stack master is...
  • Page 124 Table 5-2 Switch Stack Configuration Scenarios (continued). Scenario: Stack master election specifically determined by the EMI software. Assuming that all stack members have the same priority value: make sure that one stack member has the noncryptographic EMI software... Result: The stack member with the noncryptographic EMI software is elected stack master.
  • Page 125: Assigning Stack Member Information

    Table 5-2 Switch Stack Configuration Scenarios (continued). Scenario: Stack master failure. Remove (or power off) the stack master. Result: Based on the factors described in the “Stack Master Election and Re-Election” section on page 5-4, one of the remaining stack members becomes the new stack master.
  • Page 126: Setting the Stack Member Priority Value

    Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 switch current-stack-member-number ...: Specify the current stack member number and the new stack member...
  • Page 127: Accessing the CLI of a Specific Stack Member

    Beginning in privileged EXEC mode, follow these steps to provision a new member for a switch stack. This procedure is optional. Step 1 show switch: Display summary information about the switch stack.
  • Page 128: Displaying Switch Stack Information

    To display configuration changes that you save after you reset a specific stack member or the switch stack, use the privileged EXEC commands listed in Table 5-4. Table 5-4 Commands for Displaying Switch Stack Information: Command...
  • Page 129: Clustering Switches

    Chapter 6, Clustering Switches. This chapter provides the concepts and procedures to create and manage Catalyst 3750 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter focuses on Catalyst 3750 switch clusters.
  • Page 130: Chapter 6 Clustering Switches

    Chapter 6 Clustering Switches Understanding Switch Clusters Understanding Switch Clusters A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
  • Page 131: Cluster Command Switch Characteristics

    • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the...
  • Page 132: Candidate Switch and Cluster Member Switch Characteristics

    Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.
  • Page 133: Automatic Discovery of Cluster Candidates and Members

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 134: Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

    If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 135: Discovery Through Different VLANs

    If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 136: Discovery Through Routed Ports

    Note: If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in Figure 6-4 (assuming they are Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports...
  • Page 137: Discovery of Newly Installed Switches

    Figure 6-5 Discovery Through Routed Ports [figure labels: Command switch; VLAN 9; VLAN 62; Member switch 7 (management VLAN 62); VLAN 4]. Discovery of Newly Installed Switches: To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 138: HSRP and Standby Cluster Command Switches

    The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following: For a cluster command switch stack, a standby cluster command switch is necessary if the entire...
  • Page 139: Virtual IP Addresses

    You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
  • Page 140: Automatic Recovery of Cluster Configuration

    Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs. For more information about VLANs in switch clusters, see these sections: “Discovery Through Different VLANs”...
  • Page 141: IP Addresses

    When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.
  • Page 142: Passwords

    You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password.
  • Page 143 Table 6-1 Basic Comparison of Switch Stacks and Switch Clusters (continued). Switch Stack: Stack master is the single point of complete management for all stack members in a particular switch stack. Switch Cluster: Cluster command switch is the single point of some management for all cluster members in a particular switch cluster. Switch Stack: Back-up stack master is automatically determined in case the...
  • Page 144: TACACS+ and RADIUS

    If your cluster has these cluster member switches running earlier software releases and if you have read-only access to these cluster member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 145: LRE Profiles

    A configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches in that cluster must have that same public profile.
  • Page 146: Adding Cluster Member Switches

    If you did not enable a cluster command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (Figure 6-8).
  • Page 147 Instead of using CMS to add members to the cluster, you can use the cluster member global configuration command from the cluster command switch. Use the password option in this command if the candidate switch has a password.
  • Page 148: Creating a Cluster Standby Group

    Figure 6-10 Using the Topology View to Add Cluster Member Switches [figure labels: stack1-4, stack1-6, stack10, stack1-5, stack1-2; context-menu items Add To Cluster, Device Manager...]
  • Page 149 “Configuring HSRP Authentication and Timers” section on page 35-9. Figure 6-11 Standby Command Configuration Window [figure labels: stack10 (cisco WS-C3750-24TS, HC, ..) Active command switch; stack1 (cisco WS-3750-48, CC, 0); TRS (cisco WS-C37xx-24, HC, ...); G-M-C3550-24 (cisco WS-C3550-24, H... Standby command switch]
  • Page 150: Verifying a Switch Cluster

    When you finish adding cluster members, follow these steps to verify the cluster: Step 1: Enter the cluster command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
  • Page 151: Using the CLI to Manage Switch Clusters

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 152: Using SNMP to Manage Switch Clusters

    When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
  • Page 153: Managing the System Time and Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 154: Chapter 7 Administering the Switch

    Chapter 7 Administering the Switch, Managing the System Time and Date: Understanding the System Clock. The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: • Network Time Protocol ...
  • Page 155 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 156: Configuring NTP

    The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar.
  • Page 157: Configuring NTP Authentication

    This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:...
  • Page 158: Configuring NTP Associations

    An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 159: Configuring NTP Broadcast Service

    The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
  • Page 160: Configuring NTP Access Restrictions

    Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface to receive NTP broadcast packets, and enter interface...
  • Page 161 Creating an Access Group and Assigning a Basic IP Access List. Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command / Purpose. Step 1...
  • Page 162: Configuring the Source IP Address for NTP Packets

    To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
  • Page 163: Displaying The NTP Configuration

    • show ntp status. For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually: If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 164: Displaying The Time And Date Configuration

    This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001: Switch# clock set 13:32:00 23 July 2001 Displaying the Time and Date Configuration: To display the time and date configuration, use the show clock [detail] privileged EXEC command.
  • Page 165: Configuring Summer Time (Daylight Saving Time)

    Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Step 1...
  • Page 166: Configuring A System Name And Prompt

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 167: Default System Name And Prompt Configuration

    For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 168: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 169: Default DNS Configuration

    Table 7-2 shows the default DNS configuration. Table 7-2 Default DNS Configuration (Feature: Default Setting): DNS enable state: Enabled. DNS default domain name: None configured. DNS servers: No name server addresses are configured.
  • Page 170: Displaying The DNS Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 171: Configuring A Message-of-the-Day Login Banner

    Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 172: Configuring A Login Banner

    Chapter 7 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 173: Building The Address Table

    This section contains this configuration information: • Building the Address Table, page 7-21 • MAC Addresses and VLANs, page 7-21 • MAC Addresses and Switch Stacks, page 7-22 • Default MAC Address Table Configuration, page 7-22 •...
  • Page 174: MAC Addresses And Switch Stacks

    For more information about private VLANs, see Chapter 15, “Configuring Private VLANs.” MAC Addresses and Switch Stacks: The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN.
  • Page 175: Removing Dynamic Address Entries

    Step 4 show mac address-table aging-time: Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default value, use the no mac address-table aging-time global configuration command. Removing Dynamic Address Entries: To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
  • Page 176 Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Step 1 configure terminal: Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
  • Page 177: Adding And Removing Static Address Entries

    Step 9 show mac address-table notification interface, show running-config: Verify your entries. Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
  • Page 178: Configuring Unicast MAC Address Filtering

    Beginning in privileged EXEC mode, follow these steps to add a static address: Step 1 configure terminal: Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id: Add a static address to the MAC address table. •...
  • Page 179 If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
  • Page 180: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.2 documentation on Cisco.com.
  • Page 181: Configuring SDM Templates

    Chapter 8, Configuring SDM Templates: This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 182: SDM Templates And Switch Stacks

    Chapter 8 Configuring SDM Templates Understanding the SDM Templates Table 8-1 Approximate Number of Feature Resources Allowed by Each Template Desktop Templates Aggregator Templates Resource Default Routing VLAN Default Routing VLAN Unicast MAC addresses 12 K 12 K IGMP groups and multicast routes Unicast routes 11 K 12 K...
  • Page 183: Configuring The Switch SDM Template

    You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatch mode. This example shows the output from the show switch privileged EXEC command when an SDM mismatch exists: Switch# show switch Current...
  • Page 184: SDM Template Configuration Guidelines

    You must reload the switch for the configuration to take effect. Use the sdm prefer vlan [desktop] global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software.
  • Page 185: Displaying The SDM Templates

    Chapter 8 Configuring SDM Templates Displaying the SDM Templates number of unicast mac addresses: number of igmp groups + multicast routes: number of unicast routes: number of directly connected hosts: number of indirect routes: number of qos aces: number of security aces: On next reload, template will be "aggregate routing"...
  • Page 186 This is an example of output from the show sdm prefer routing command entered on an aggregator switch: Switch# show sdm prefer routing "aggregate routing" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  • Page 187: Chapter 9 Configuring Switch-Based Authentication

    Chapter 9, Configuring Switch-Based Authentication: This chapter describes how to configure switch-based authentication on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 9-1 •...
  • Page 188: Protecting Access To Privileged EXEC Commands

    Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section describes how to control access to the configuration file and privileged EXEC commands.
  • Page 189: Setting Or Changing A Static Enable Password

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 190: Protecting Enable And Enable Secret Passwords With Encryption

    The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 191: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 192: Setting A Telnet Password For A Terminal Line

    To re-enable password recovery, use the service password-recovery global configuration command. Note: Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command.
  • Page 193: Configuring Username And Password Pairs

    You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 194: Configuring Multiple Privilege Levels

    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 195: Changing The Default Privilege Level For Lines

    When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
  • Page 196: Logging Into And Exiting A Privilege Level

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2.
  • Page 197 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
  • Page 198: TACACS+ Operation

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch. TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:...
  • Page 199: Configuring TACACS+

    This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
  • Page 200: Configuring TACACS+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a TACACS+ server and optionally set the encryption key: Step 1 configure terminal: Enter global configuration mode.
  • Page 201 authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
  • Page 202: Configuring TACACS+ Authorization For Privileged EXEC Access And Network Services

    Step 5 login authentication {default | list-name}: Apply the authentication list to a line or set of lines. If you specify default, use the default list created with the aaa •...
  • Page 203: Starting TACACS+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 204: Controlling Switch Access With RADIUS

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section contains this configuration information: •...
  • Page 205: RADIUS Operation

    X.25 PAD connections. • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. • RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 206: Configuring RADIUS

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items: • Telnet, SSH, rlogin, or privileged EXEC services •...
  • Page 207: Identifying The RADIUS Server Host

    Switch-to-RADIUS-server communication involves several components: • Host name or IP address • Authentication destination port • Accounting destination port • Key string • Timeout period •...
  • Page 208 Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 209: Configuring RADIUS Login Authentication

    To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 210 Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Step 1 configure terminal: Enter global configuration mode. Step 2 aaa new-model: Enable AAA.
  • Page 211: Defining AAA Server Groups

    Step 5 login authentication {default | list-name}: Apply the authentication list to a line or set of lines. If you specify default, use the default list created with the aaa •...
  • Page 212 Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 213: Configuring RADIUS Authorization For User Privileged Access And Network Services

    Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23.
  • Page 214: Starting RADIUS Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 215: Configuring Settings For All RADIUS Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 216 For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= "ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
  • Page 217: Configuring The Switch For Vendor-Proprietary RADIUS Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 218: Controlling Switch Access With Kerberos

    • Configuring Kerberos, page 9-36. For Kerberos configuration examples, refer to the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/ Note: For complete syntax and usage information for the commands used in this section, refer to the “Kerberos Commands”...
  • Page 219 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 220: Kerberos Operation

    Table 9-2 Kerberos Terms (continued) (Term: Definition): KEYTAB: A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
  • Page 221: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, refer to the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht...
  • Page 222: Configuring Kerberos

    • Configure the switch to use the Kerberos protocol. For instructions, refer to the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.htm#1001027. Configuring the Switch for Local Authentication and...
  • Page 223: Configuring The Switch For Secure Shell

    Note: For complete syntax and usage information for the commands used in this section, refer to the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Page 224: Understanding SSH

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 225: Limitations

    Setting Up the Switch to Run SSH: Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
  • Page 226: Configuring The SSH Server

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization”...
  • Page 227: Displaying The SSH Configuration And Status

    Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
  • Page 228
  • Page 229 Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 230: Understanding 802.1x Port-Based Authentication

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 231: Authentication Initiation And Message Exchange

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format.
  • Page 232: Ports In Authorized And Unauthorized States

    Figure 10-2 Message Exchange (client, switch, and RADIUS authentication server): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request, EAP-Request/OTP, RADIUS Access-Challenge, EAP-Response/OTP, RADIUS Access-Request, EAP-Success, RADIUS Access-Accept, Port Authorized; EAPOL-Logoff, Port Unauthorized. Ports in Authorized and Unauthorized States: Depending on the switch port state, the switch can grant a client access to the network.
  • Page 233: Accounting

    If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
  • Page 234: Using 802.1x With Port Security

    Figure 10-3 Wireless LAN Example (wireless clients, access point, switch, and RADIUS authentication server). Using 802.1x with Port Security: You can configure an 802.1x port with port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and 802.1x on a port, 802.1x authenticates the port, and port security manages network access for all MAC addresses, including that of the client.
  • Page 235: Using 802.1x With Voice VLAN Ports

    When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN. Note: If you enable 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 236: Using 802.1x With Guest VLAN

    When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these characteristics: • If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is...
  • Page 237: Using 802.1x With Per-User ACLs

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 238: 802.1x And Switch Stacks

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication The maximum size of the per-user ACL is 4000 ASCII characters. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 9-29. For more information about configuring ACLs, see Chapter 31, “Configuring Network Security with ACLs.”...
  • Page 239: Default 802.1x Configuration

    • Configuring the Switch-to-RADIUS-Server Communication, page 10-15 (required) • Configuring Periodic Re-Authentication, page 10-16 (optional) • Manually Re-Authenticating a Client Connected to a Port, page 10-16 (optional) • Changing the Quiet Period, page 10-17 (optional) • Changing the Switch-to-Client Retransmission Time, page 10-17 (optional)
  • Page 240: 802.1x Configuration Guidelines

    EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled. Note: In software releases earlier than Cisco IOS Release 12.2(18)SE, if 802.1x is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  • Page 241: Upgrading From A Previous Software Release

    Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global...
  • Page 242 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration. Step 3 The switch sends a start message to an accounting server. Step 4 Step 5 Re-authentication is performed, as necessary. Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
  • Page 243: Configuring The Switch-to-RADIUS-Server Communication

    RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 244: Configuring Periodic Re-authentication

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 245: Changing The Quiet Period

    Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 246: Setting The Switch-to-client Frame-retransmission Number

    Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
  • Page 247: Configuring The Host Mode

    Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
  • Page 248: Configuring A Guest Vlan

    Command Purpose Step 3 dot1x host-mode multi-host Allow multiple hosts (clients) on an 802.1x-authorized port. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface. Step 4 Return to privileged EXEC mode.
  • Page 249: Resetting The 802.1x Configuration To The Default Values

    This example shows how to set the quiet time on the switch to 3, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client: Switch(config-if)# dot1x timeout quiet-period 3...
  • Page 250: Displaying 802.1x Statistics And Status

    Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 251: Understanding Interface Types

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 252: Chapter 11 Configuring Interface Characteristics

    • EtherChannel Port Groups, page 11-5 • Connecting Interfaces, page 11-5 Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.”...
  • Page 253: Access Ports

    Catalyst 6500 series switch; the Catalyst 3750 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 16, “Configuring Voice VLAN.”...
  • Page 254: 10-gigabit Ethernet Interfaces

    Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration command. Then assign an IP address to the port, enable routing, and assign routing protocol characteristics by using the ip routing and router protocol global configuration commands. Note: Entering a no switchport interface configuration command shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected.
  • Page 255: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 256 Figure 11-1 Connecting VLANs with Layer 2 Switches (figure: Cisco router, switch, Host A, Host B, VLAN 20, VLAN 30) By using the switch with routing enabled, when you configure VLAN 20 and VLAN 30 each with an...
  • Page 257: Using Interface Configuration Mode

    When the EMI is running on the stack master, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging. If the SMI is on the stack master, only basic routing (static routing and RIP) is supported.
  • Page 258: Procedures For Configuring Interfaces

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 259: Configuring A Range Of Interfaces

    You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.
  • Page 260: Configuring And Using Interface Range Macros

    • port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 12. Note: When you use the interface range command with port channels, the first and last port channel number must be active port channels. • You must add a space between the first interface number and the hyphen when using the...
  • Page 261 Beginning in privileged EXEC mode, follow these steps to define an interface range macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 define interface-range macro_name interface-range Define the interface-range macro, and save it in NVRAM. •...
  • Page 262: Configuring Ethernet Interfaces

    This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2 Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet1/0/1 - 2...
  • Page 263 Enabled. Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether Auto-MDIX is enabled on the switch port.
  • Page 264: Configuration Guidelines For 10-gigabit Ethernet Interfaces

    • The speed and duplex features are not supported. • The 10-Gigabit interfaces do not support these QoS features: – Policing – Auto-QoS for VoIP with Cisco IP Phones – Servicing the egress queues by using shaped round robin (SRR) weights – Limiting the bandwidth on an egress interface –...
  • Page 265: Configuration Guidelines

    These sections describe how to configure the interface speed and duplex mode: • Configuration Guidelines, page 11-15 • Setting the Interface Speed and Duplex Parameters, page 11-15 Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: • If both ends of the line support autonegotiation, we highly recommend the default setting of auto...
  • Page 266 Command Purpose Step 3 speed {10 | 100 | 1000 | auto | nonegotiate} Enter the appropriate speed parameter for the interface: • Enter 10, 100, or 1000 to set a specific speed for the interface. ...
  • Page 267: Configuring Ieee 802.3z Flow Control

    Configuring IEEE 802.3z Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it sends a pause frame to notify the other port to stop sending until the condition clears.
  • Page 268: Configuring Auto-mdix On An Interface

    Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (Auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately. When connecting switches without the Auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.
  • Page 269: Configuring Power Over Ethernet On An Interface

    After power is applied to an interface, the switch uses Cisco Discovery Protocol (CDP) to determine the power requirement of the connected Cisco PoE (standard and pre-standard) devices, and the switch adjusts the power budget accordingly.
  • Page 270: Adding A Description For An Interface

    39-13. This example shows how to enable automatic PoE on a port and the response from the show power inline command for the interface when a Cisco IEEE-compliant IP Phone is being supplied with power: Switch# configure terminal Switch(config)# interface fastethernet1/0/1...
  • Page 271: Configuring Layer 3 Interfaces

    Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show interfaces interface-id description show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description.
  • Page 272: Configuring The System Mtu

    • If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
  • Page 273 support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command. Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by the system jumbo mtu command. You cannot set the MTU size for an individual interface;...
  • Page 274: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 11-3 Show Commands for Interfaces...
  • Page 275: Clearing And Resetting Interfaces And Counters

    Clearing and Resetting Interfaces and Counters Table 11-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 11-4 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
  • Page 276 Catalyst 3750 Switch Software Configuration Guide 11-26 78-16180-02...
  • Page 277: Configuring Smartports Macros

    When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1).
  • Page 278: Configuring Smartports Macros

    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 279: Smartports Macro Configuration Guidelines

    EXEC command. Follow these guidelines when you apply a Cisco-default Smartports macro on an interface: • Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
  • Page 280: Creating Smartports Macros

    The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro. Creating Smartports Macros...
  • Page 281: Applying Smartports Macros

    Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro global {apply | trace} macro-name [parameter {value}] Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 282: Applying Cisco-default Smartports Macros

    Enter global configuration mode. Step 4 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter... Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch.
  • Page 283 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and how to set the access VLAN ID to 25 on an interface:...
  • Page 284: Displaying Smartports Macros

    Displaying Smartports Macros To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2. Table 12-2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros.
  • Page 285: Configuring Vlans

    Chapter 13 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 286 Figure 13-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing and Accounting VLANs, Cisco router, Gigabit Ethernet, Floor 1, Floor 2, Floor 3) VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 287: Chapter 13 Configuring Vlan

    Supported VLANs The switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • Page 288 Dynamic-Access Ports on VMPS Clients” section on page 13-30. Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic. VTP is not required; it has no effect on a voice VLAN.
  • Page 289: Configuring Normal-range Vlans

    Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 290: Token Ring Vlans

    This section includes information about these normal-range VLAN topics: • Token Ring VLANs, page 13-6 • Normal-Range VLAN Configuration Guidelines, page 13-6 • VLAN Configuration Mode Options, page 13-7 • Saving VLAN Configuration, page 13-8 •...
  • Page 291: Vlan Configurat