Default Settings After Initial Switch Configuration 1-16
Network Configuration Examples 1-19
Design Concepts for Using the Switch 1-19
Small to Medium-Sized Network Using Catalyst 3750-X and 3560-X Switches 1-26
Large Network Using Catalyst 3750-X and 3560-X Switches 1-28
Multidwelling Network Using Catalyst 3750-X Switches 1-31...
Configuring DHCP Autoconfiguration (Only Configuration File) 3-11
Configuring DHCP Auto-Image Update (Configuration File and Image) 3-12
Configuring the Client 3-14
Manually Assigning IP Information 3-15
Checking and Saving the Running Configuration 3-15
Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-21521-01...
Chapter: Managing Switch Stacks
Understanding Switch Stacks
Switch Stack Membership
Stack Master Election and Re-Election
Switch Stack Bridge ID and Router MAC Address
Stack Member Numbers
Using SNMP to Manage Switch Clusters 6-17
Chapter: Administering the Switch
Managing the System Time and Date
Understanding the System Clock
Understanding Network Time Protocol
Adding and Removing Static Address Entries 7-27
Configuring Unicast MAC Address Filtering 7-28
Disabling MAC Address Learning on a VLAN 7-29
Displaying Address Table Entries 7-30
Managing the ARP Table 7-31
Changing the Default Privilege Level for Lines 10-9
Logging into and Exiting a Privilege Level 10-9
Controlling Switch Access with TACACS+ 10-10
Understanding TACACS+ 10-10
TACACS+ Operation 10-12
Configuring TACACS+ 10-12
Configuring Kerberos 10-42
Configuring the Switch for Local Authentication and Authorization 10-43
Configuring the Switch for Secure Shell 10-44
Understanding SSH 10-45
SSH Servers, Integrated Clients, and Supported Versions 10-45
Limitations 10-46
802.1x Authentication with Downloadable ACLs and Redirect URLs 11-17
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 11-17
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 11-18
VLAN ID-based MAC Authentication 11-18
802.1x Authentication with Guest VLAN 11-19
802.1x Authentication with Restricted VLAN...
Configuring MACsec on an Interface 11-67
Displaying 802.1x Statistics and Status 11-69
Chapter: Configuring Web-Based Authentication 12-1
Understanding Web-Based Authentication 12-1
Device Roles 12-2
Host Detection 12-2
Chapter
Interface Types 13-1
Port-Based VLANs 13-2
Switch Ports 13-2
Access Ports 13-3
Trunk Ports 13-3
Tunnel Ports 13-4
Routed Ports 13-4
Switch Virtual Interfaces 13-5
SVI Autostate Exclude 13-6
13-36
Configuring Layer 3 Interfaces 13-37
Configuring SVI Autostate Exclude 13-39
Configuring the System MTU 13-39
Configuring the Cisco RPS 2300 in a Mixed Stack 13-42
Configuring the Power Supplies 13-44
Configuring Normal-Range VLANs 15-6
Saving VLAN Configuration 15-6
Default Ethernet VLAN Configuration 15-7
Creating or Modifying an Ethernet VLAN 15-7
Deleting a VLAN 15-8
Assigning Static-Access Ports to a VLAN 15-9
Troubleshooting Dynamic-Access Port VLAN Membership 15-31
VMPS Configuration Example 15-31
Chapter: Configuring VTP 16-1
Understanding VTP 16-1
The VTP Domain 16-2
VTP Modes 16-3
Configuring Voice VLAN 17-3
Default Voice VLAN Configuration 17-3
Voice VLAN Configuration Guidelines 17-3
Configuring a Port Connected to a Cisco 7960 IP Phone 17-4
Configuring Cisco IP Phone Voice Traffic 17-5
Configuring the Priority of Incoming Data Frames 17-6...
Configuring the SP Edge Switch 19-14
Configuring the Customer Switch 19-16
Monitoring and Maintaining Tunneling Status 19-18
Chapter: Configuring STP 20-1
Understanding Spanning-Tree Features 20-1
STP Overview 20-2
Configuring the Hello Time 20-22
Configuring the Forwarding-Delay Time for a VLAN 20-23
Configuring the Maximum-Aging Time for a VLAN 20-23
Configuring the Transmit Hold-Count 20-24
Displaying the Spanning-Tree Status 20-24
Configuring the Maximum-Hop Count 21-25
Specifying the Link Type to Ensure Rapid Transitions 21-25
Designating the Neighbor Type 21-26
Restarting the Protocol Migration Process 21-26
Displaying the MST Configuration and Status 21-27
Learning the Other Flex Link Port as the mrouter Port 23-3
Generating IGMP Reports 23-3
Leaking IGMP Reports 23-4
MAC Address-Table Move Update 23-6
Configuring Flex Links and MAC Address-Table Move Update 23-7
Configuration Guidelines 23-7
Default Configuration 23-8
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 24-20
Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port 24-24
Displaying IP Source Guard Information 24-25
Understanding DHCP Server Port-Based Address Allocation 24-26
Setting the Snooping Method 26-7
Configuring a Multicast Router Port 26-8
Configuring a Host Statically to Join a Group 26-9
Enabling IGMP Immediate Leave 26-10
Configuring the IGMP Leave Timer 26-10
Configuring IPv6 MLD Snooping 27-5
Default MLD Snooping Configuration 27-6
MLD Snooping Configuration Guidelines 27-6
Enabling or Disabling MLD Snooping 27-7
Configuring a Static Multicast Group 27-8
Configuring a Multicast Router Port 27-8
Configuring CDP 29-2
Default CDP Configuration 29-2
Configuring the CDP Characteristics 29-2
Disabling and Enabling CDP 29-3
Disabling and Enabling CDP on an Interface 29-4
Monitoring and Maintaining CDP 29-5
Chapter
Understanding System Message Logging 34-1
Configuring System Message Logging 34-2
System Log Message Format 34-2
Default System Message Logging Configuration 34-4
Disabling Message Logging 34-4
Chapter: Configuring Embedded Event Manager 36-1
Understanding Embedded Event Manager 36-1
Event Detectors 36-3
Embedded Event Manager Actions 36-4
Embedded Event Manager Policies 36-4
Time Range Applied to an IP ACL 37-26
Commented IP ACL Entries 37-26
ACL Logging 37-27
Creating Named MAC Extended ACLs 37-28
Applying a MAC ACL to a Layer 2 Interface 37-30
Classification Based on QoS ACLs 39-7
Classification Based on Class Maps and Policy Maps 39-8
Policing and Marking 39-9
Policing on Physical Ports 39-10
Policing on SVIs 39-11
Mapping Tables 39-13
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 39-57
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps 39-61
Classifying, Policing, and Marking Traffic by Using Aggregate Policers 39-68
User Interface for FTP and TFTP 42-82
Configuring Multicast VRFs 42-83
Configuring a VPN Routing Session 42-83
Configuring BGP PE to CE Routing Sessions 42-84
Multi-VRF CE Configuration Example 42-85
Displaying Multi-VRF CE Status 42-88
Static Routes for IPv6 43-6
RIP for IPv6 43-7
OSPF for IPv6 43-7
EIGRP IPv6 43-7
HSRP for IPv6 43-7
SNMP and Syslog Over IPv6 43-7
HTTP(S) Over IPv6 43-8
44-10
Enabling HSRP Support for ICMP Redirect Messages 44-12
Configuring HSRP Groups and Clustering 44-12
Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E and 3750 Switches 44-13
Displaying HSRP Configurations 44-13
Configuring IP SLAs Object Tracking 46-8
Configuring Static Routing Support 46-10
Configuring a Primary Interface 46-10
Configuring a Cisco IP SLAs Monitoring Agent and Track Object 46-11
Configuring a Routing Policy and Default Route 46-12
Monitoring Enhanced Object Tracking 46-12...
SSM Components Overview 48-14
How SSM Differs from Internet Standard Multicast 48-14
SSM IP Address Range 48-15
SSM Operations 48-15
IGMPv3 Host Signalling 48-15
Configuration Guidelines 48-16
Configuring SSM 48-17
Monitoring SSM 48-17
Configuring an IP Multicast Boundary 48-47
Configuring Basic DVMRP Interoperability Features 48-49
Configuring DVMRP Interoperability 48-49
Configuring a DVMRP Tunnel 48-51
Advertising Network 0.0.0.0 to DVMRP Neighbors 48-53
Responding to mrinfo Requests 48-54
Shutting Down an MSDP Peer 49-16
Including a Bordering PIM Dense-Mode Region in MSDP 49-17
Configuring an Originating Address other than the RP Address 49-18
Monitoring and Maintaining MSDP 49-19
Disabled Port Caused by False Link Up 51-14
SFP Module Security and Identification 51-14
Monitoring SFP Module Status 51-14
Monitoring Temperature 51-15
Using Ping 51-15
Understanding Ping 51-15
Executing Ping 51-15
Appendix
MIB List
Using FTP to Access the MIB Files
Appendix: Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System...
Working with Software Images B-25
Image Location on the Switch B-26
File Format of Images on a Server or Cisco.com B-26
Copying Image Files By Using TFTP B-27
Preparing to Download or Upload an Image File By Using TFTP...
Unsupported Global Configuration Command C-13
Unsupported Interface Configuration Command C-13
VLAN C-13
Unsupported Global Configuration Command C-13
Unsupported User EXEC Commands C-13
C-14
Unsupported Privileged EXEC Command C-14
Index
Page 49
This guide is for the networking professional managing the standalone Catalyst 3750-X or 3560-X switch or the Catalyst 3750-X switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications
Documents with complete information about the switch are available from these Cisco.com sites:
Catalyst 3750-X: http://www.cisco.com/en/US/products/ps10745/tsd_products_support_series_home.html
Catalyst 3560-X: http://www.cisco.com/en/US/products/ps10744/tsd_products_support_series_home.html...
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
SSH management session, can be encrypted. You must have a Cisco IOS software license for a specific feature set to enable it. For more information about the software license, see the Cisco IOS Software Installation document on Cisco.com.
• User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
• Auto Smartports Cisco-default and user-defined macros for dynamic port configuration based on the device type detected on the port.
• An embedded device manager GUI for configuring and monitoring a single switch through a web...
For information about the stacking interactions in Catalyst 3750-X, Catalyst 3750-E, and 3750 mixed switch stacks, see the Cisco IOS Software Installation document on Cisco.com.
• StackPower technology on Catalyst 3750-X switches running the IP base or IP services feature set.
• AutoSmartPort enhancements, which add support for macro persistency, LLDP-based triggers, MAC address and OUI-based triggers, remote macros, and automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC).

Performance Features
Cisco EnergyWise manages the energy usage of power over Ethernet (PoE) entities.
• Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
IGMPv2 clients to utilize SSM, allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application
• The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and...
• USB Type A port for external Cisco USB flash memory devices (thumb drives or USB keys). You can use standard Cisco CLI commands to read, write, erase, copy, or boot from the flash memory.
For additional descriptions of the management interfaces, see the “Network Configuration Examples”...
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
• StackPower redundancy option. You can configure power supplies in a stack in redundant mode so...
– Port security for controlling access to IEEE 802.1x ports
– Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
– IP phone detection enhancement to detect and recognize a Cisco IP phone
– Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
– Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do...
When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to...
– Trusted port states (CoS, DSCP, and IP precedence–both IPv4 and IPv6) within a QoS domain and with a port bordering another QoS domain
– Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
• Policing...
• DHCP for IPv6 relay, client, server address assignment and prefix delegation
• IPv6 unicast routing capability for forwarding IPv6 traffic through configured interfaces (requires the IP services feature set)
• Ability to monitor the real-time power consumption. On a per-PoE port basis, the switch senses the total power consumption, polices the power usage, and reports the power usage.
• StackPower technology on Catalyst 3750-X switches running the IP base or IP services feature set.

Monitoring Features
• Switch LEDs that provide port- and switch-level status on Catalyst 3560-X switches...
• Default switch IP address, subnet mask, and default gateway are 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 24, “Configuring DHCP Features and IP Source Guard.”
• Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
• No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
• Syslog messages are enabled and appear on the console. For more information, see Chapter 34, “Configuring System Message Logging.”
• SNMP is enabled (Version 1). For more information, see Chapter 35, “Configuring SNMP.”
10-Gigabit Ethernet connections.
• “Design Concepts for Using the Switch” section on page 1-19
• “Small to Medium-Sized Network Using Catalyst 3750-X and 3560-X Switches” section on page 1-26
• “Large Network Using Catalyst 3750-X and 3560-X Switches” section on page 1-28...
• Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
• 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 3750-X switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack Etherchannel or cross-stack UplinkFast.
• 1-2)—For high-speed access to network resources, you can use Catalyst 3750-X switches and switch stacks in the access layer to provide Gigabit Ethernet access to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch.
VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs. You can connect the Catalyst switches, again in a star configuration, to two Catalyst 3750-X backbone switches. If one of the backbone switches fails, the second backbone switch preserves connectivity between the switches and network resources.
[Figure: Server aggregation. Labels: Campus core; Catalyst 6500 switches; Catalyst 4500 multilayer switches; StackWise Plus switch stacks; Server racks; Campus core; Catalyst 6500 switches; StackWise switch stacks; Access-layer standalone switches; Server racks]
The switches are using routed uplinks for faster failover. They are also configured with equal-cost routing for load sharing and redundancy. (When the network uses Catalyst 3750-X switches, a Layer 2 switch stack can use cross-stack EtherChannel for load sharing.) The switches are connected to workstations, local servers, and IEEE 802.3af-compliant and...
Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
Figure 1-9 shows a configuration for a network that uses only Catalyst 3750-X switch stacks in the wiring closets and two backbone switches, such as the Catalyst 6500 switches, to aggregate up to ten wiring closets. Figure 1-10...
Figure 1-9 Catalyst 3750-X Switch Stacks in Wiring Closets in a Backbone Configuration
[Figure labels: Cisco 7x00 routers; Catalyst 6500 multilayer switches; Mixed hardware stack, including the Catalyst 3750G Integrated...; (such as a web cam); Aironet wireless access points; Cisco IP Phones with workstations]
Catalyst Long-Reach Ethernet (LRE) switches, see the documentation sets specific to these switches for LRE information. All ports on the residential Catalyst 3750-X switches (and Catalyst 2950 LRE switches if they are included) are configured as IEEE 802.1Q trunks with protected port and STP root guard features enabled.
The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note.
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
Chapter: Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-X or 3560-X switch or a Catalyst 3750-X switch stack, referred to as the switch.
...console command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf
Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the...
You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4 at this URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TS...
Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch (config-line)# no editing
Delete the word to the left of the cursor.
Press Esc D: Delete from the cursor to the end of the word.
Capitalize or lowercase words or capitalize a set of letters: Press Esc C to capitalize at the cursor.
If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation. For more information about interface notations, see the “Using Interface Configuration Mode” section on page 13-17.
After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
This chapter consists of these sections:
• Understanding the Boot Process, page 3-1...
You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack, provided there is IP connectivity.
The switch can act as both a DHCP client and a DHCP server. During DHCP-based autoconfiguration, your switch (DHCP client) is automatically configured at startup with IP address information and a configuration file.
3-7. If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
67 (the configuration filename), option 66 (the DHCP server hostname), option 150 (the TFTP server address), and option 125 (description of the file) settings.
(Only Configuration File)” section on page 3-11 and the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch.
TFTP requests. Unavailability of other lease options does not affect autoconfiguration.
• The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent...
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.
Boot filename (configuration file) (optional): switcha-confg, switchb-confg, switchc-confg, switchd-confg
Hostname (optional): switcha, switchb, switchc, switchd

DNS Server Configuration
The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
Step 2: ip dhcp pool name. Create a name for the DHCP server address pool, and enter DHCP pool configuration mode.
Step 3: bootfile filename. Specify the name of the configuration file that is used as a boot image.
In the text file, put the name of the image that you want to download (for example, 3750x-ipservices-mz.122-53.3.SE2.tar). This image must be a tar and not a bin file.
Step 9: copy tftp flash imagename.tar
Step 10: exit. Return to global configuration mode.
Step 11: tftp-server flash:config.text. Specify the Cisco IOS configuration file on the TFTP server.
Step 12: tftp-server flash:imagename.tar. Specify the image name on the TFTP server...
DHCP: enabled (next boot: enabled)
Switch#
Note: You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based autoconfiguration with a saved configuration.
You can check the configuration settings you entered or changes you made by entering this privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration: 1363 bytes
version 12.2
no service pad
EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”

Modifying the Startup Configuration...

Specifying the Filename to Read and Write the System Configuration
By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
Filenames and directory names are case sensitive.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To disable manual booting, use the no boot manual global configuration command.
• Use all to specify all stack members.
If you enter on a Catalyst 3750-X stack master or member, you can only specify the switch image for other Catalyst 3750-X stack members. If you enter on a Catalyst 3750-E stack master or member, you can only specify the switch image for other Catalyst 3750-E stack members.
Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
Boot loader variable: CONFIG_FILE flash:/file-url. Changes the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration.
Cisco IOS command: boot config-file flash:/file-url. Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration.
This example shows how to reload the software on the switch on the current day at 7:30 p.m.:
Switch# reload at 19:30
Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
Proceed with reload? [confirm]
EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
Configuring Cisco IOS Configuration Engine
This chapter describes how to configure the Cisco IOS Configuration Engine feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
(LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features:
• Initial Configuration, page 4-5
NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count:
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 11 hostname name: Enter the hostname for the switch.
Step 12 ip route network-number: (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
ID, enter string string to use an arbitrary text string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
Step 17 show running-config: Verify your entries.
To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command.
This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
RemoteSwitch(config)# cns id ethernet 0 ipaddress
RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch:
Step 1 configure terminal: Enter global configuration mode.
Table 4-2 Displaying CNS Configuration
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
LEDs to display switch stack status, see the hardware installation guide. The Catalyst 3750-X stackable switch also supports StackPower, where up to four switches can be connected with power stack cables to allow the switch power supplies to share the load across multiple systems in a stack.
– Catalyst 3750 switches supporting different features as stack members. For example, a stack with the Catalyst 3750-X members running the IP services feature set and the Catalyst 3750 members running the IP services software image. For information about Catalyst 3750 switches, see the “Managing Switch Stacks” chapter in the Catalyst 3750 Switch Software Configuration Guide.
Encryption features are unavailable if the stack master is running the IP base or IP services feature set and the noncryptographic software image.
Note: In a mixed stack, Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier could be running a noncryptographic image. Catalyst 3750-X switches and Catalyst 3750 and 3750-E switches with Cisco IOS releases later than 12.2(53)SE run only the cryptographic software...
their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant on Cisco.com.
Switch Stack Membership
A switch stack has up to nine stack members connected through their StackWise Plus ports.
Note: We recommend assigning the highest priority value to the switch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master if a re-election occurs.
• The switch that is not using the default interface-level configuration.
Note: The noncryptographic images apply only to mixed stacks that include Catalyst 3750-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier. Catalyst 3750-X switches and Catalyst 3750-E or 3750 switches running later releases support only the cryptographic image.
• If you move a stack member to a different switch stack, the stack member retains its number only if the number is not being used by another member in the stack. If it is being used, the switch selects the lowest available number in the stack.
EXEC command. The startup configuration file ensures that the switch stack can reload and can use the saved information whether or not the provisioned switch is part of the switch stack.
The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack.
Hardware Compatibility and SDM Mismatch Mode in Switch Stacks The Catalyst 3750-X switch supports only the desktop Switch Database Management (SDM) templates. All stack members use the SDM template configured on the stack master.
“Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 5-10. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the universal software image and have the IP services feature set enabled for the Cisco IOS Release 12.2(53)SE2 or later.
Note: Auto-upgrade performs the upgrade only when the two feature sets are the same type. For example, it does not automatically upgrade a switch in VM mode from the IP services feature set to the IP base feature set (or the reverse).
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:Systems with incompatible software
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:have been added to the stack.
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:storage devices on all of the stack
EXEC command, the proper directory structure is not created. For more information about the info file, see the “File Format of Images on a Server or Cisco.com” section on page B-26. Incompatible Software and Stack Member Image Upgrades You can upgrade a switch that has an incompatible universal software image by using the archive copy-sw privileged EXEC command.
“Working with the Cisco IOS File System, Configuration Files, and Software Images.”
Additional Considerations for System-Wide Configuration on Switch Stacks
These sections provide additional considerations for configuring system-wide features on switch stacks:
• “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com
• “MAC Addresses and Switch Stacks”...
Note: The noncryptographic software image was available only on Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier. The Catalyst 3750-X switches run only the cryptographic software image.
Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports...
Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. Restart both stack members at the same time.
Through their StackWise Plus ports, connect the new switch to a powered-on switch stack, and power on the new switch. The stack master is retained, and the new switch is added to the switch stack.
During this time period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master.
If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the switch stack moves to the current stack master MAC address.
Step 3: Return to privileged EXEC mode.
• Setting the Stack Member Priority Value, page 5-23 (optional)
• Provisioning a New Member for a Switch Stack, page 5-23 (optional)
Assigning a Stack Member Number
Note: This task is available only from the stack master.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Provisioning a New Member for a Switch Stack
Note: This task is available only from the stack master.
The show running-config command output shows the interfaces associated with the provisioned switch:
Switch(config)# switch 2 provision switch_PID
Switch(config)# end
Switch# show running-config | include switch 2
interface GigabitEthernet2/0/1
interface GigabitEthernet2/0/2
interface GigabitEthernet2/0/3
<output truncated>
• Manually Disabling a Stack Port, page 5-26
• Re-Enabling a Stack Port While Another Member Starts, page 5-26
• Understanding the show switch stack-ports summary Output, page 5-27
• Identifying Loopback Problems, page 5-28
If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link.
In Loopback: No means that at least one stack port on the member has an attached stack cable. Yes means that none of the stack ports on the member has an attached stack cable.
Switch 1 is a standalone switch.
Switch# show switch stack-ports summary
<output truncated: both stack ports show status Down, neighbor None, cable length 50 cm>
<output truncated: cable length 50 cm on both stack ports>
The port status shows that Switch 2 is a standalone switch.
– The ports can send and receive traffic.
• If neither stack port has a connected stack cable, the Loopback HW value for both stack ports is Yes.
• On a Catalyst 3750-E or Catalyst 3750-X member, if a stack port has a connected stack cable, the Loopback HW value for the stack port is No.
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
This is now the port status:
Switch# show switch stack-ports summary
• The Cable Length value is 50 cm. The switch detects and correctly identifies the cable.
• The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
Cluster members can belong to only one cluster at a time.
Note: A switch cluster is different from a switch stack. A switch stack is a set of Catalyst 3750-X, Catalyst 3750-E, or Catalyst 3750 switches connected through their stack ports.
• It is running a supported software release.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default).
• It is not a command or cluster member switch of another cluster.
• It is connected to the standby cluster command switches through the management VLAN and to the...
This requirement does not apply if you have a Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switch. Candidate and cluster member switches can connect through any VLAN in common with the cluster command switch.
Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery Through Different Management VLANs Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
Note: If the switch cluster has a Catalyst 3750-E or Catalyst 3750-X switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in...
• The other cluster-capable switch and its access port are assigned to management VLAN 16.
Figure 6-6 Discovery of Newly Installed Switches (figure: the command device connects to Device A on VLAN 9 and to Device B on VLAN 16; a new, out-of-box candidate device is attached to each)
These topics also provide more detail about standby cluster command switches:
• Virtual IP Addresses, page 6-11
• Other Considerations for Cluster Standby Groups, page 6-11
• Automatic Recovery of Cluster Configuration, page 6-12
See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches. If your switch cluster has a Catalyst 3750-X switch or a switch stack, it should be the cluster command switch. If not, when the cluster has a Catalyst 3750-E switch or switch stack, that switch should be the cluster command switch.
Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3560-X, Catalyst 3750, Catalyst 3750-E, and Catalyst 3750-X command and standby cluster command switches: If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the active cluster command switch.
(such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
Basic Comparison of Switch Stacks and Switch Clusters
Switch stack: Made up of Catalyst 3750-E or Catalyst 3750-X switches only. Stack members are connected through StackWise Plus ports...
Switch cluster: Made up of cluster-capable switches, such as Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, and Catalyst 2950 switches.
You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch cluster.
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 35, “Configuring SNMP.”
Figure 6-8 SNMP Management for a Cluster (figure: Member 1, Member 2 and Member 3 send Trap 1, Trap 2 and Trap 3 through the command switch to the SNMP manager)
You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access-list-based restriction scheme and an authentication mechanism based on a shared MD5 key. They address different risks, so use both where you can: the access list limits which addresses may exchange NTP traffic with the switch at all, and authentication ensures the switch accepts time only from a peer that holds the key.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect a radio or atomic clock directly. We recommend that the time service for your network be derived from the public NTP servers available on the Internet. If you do so, apply the access-list and authentication mechanisms described in this section so that the switch synchronizes only to the servers you intend.
NTP that provide for accurate timekeeping) with other devices for security purposes:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ntp authenticate: Enable the NTP authentication feature, which is disabled by default.
(meaning that only this switch synchronizes to the other device, and not the other way around).
However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
Step 3 ntp broadcast client: Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets.
Step 4 exit: Return to global configuration mode.
NTP control queries and allows the switch to synchronize to the remote device.
For access-list-number, enter a standard IP access list number from 1 to 99.
99. However, the switch restricts access to allow only time requests from access list 42:
Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
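Before deploying an ntp access-group configuration like the one above, it is worth checking what each source address is actually granted. The following Python script is an added example, not code from the configuration guide: it models the documented IOS evaluation rules (access types are scanned in the order peer, serve, serve-only, query-only and the first type whose access list permits the source applies; standard access lists are first-match with an implicit deny; once any access group is configured, a source matched by none gets no NTP access). The capability set per access type follows the descriptions in this section; the function names, the subnet variant and its addresses are the example's own assumptions.

```python
"""Model of Cisco IOS 'ntp access-group' evaluation (added example).

Not code from the configuration guide: it reproduces the documented
behaviour so the effect of an access-group configuration can be checked
offline. Assumed (documented) rules: access types are scanned in the
order peer, serve, serve-only, query-only and the first whose ACL permits
the source applies; standard ACLs are first-match with an implicit deny;
once any access group exists, an unmatched source gets no NTP access.
"""
import ipaddress

# Least to most restrictive: the order IOS scans the configured groups.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type grants to a matching source.
CAPABILITIES = {
    "peer":       frozenset({"time_request", "control_query", "sync_to_remote"}),
    "serve":      frozenset({"time_request", "control_query"}),
    "serve-only": frozenset({"time_request"}),
    "query-only": frozenset({"control_query"}),
}


def parse_standard_acls(config_lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}' lines.

    Returns {number: [(action, address_int, wildcard_int), ...]} in the
    order entered, which is the order IOS evaluates them.
    """
    acls = {}
    for line in config_lines:
        parts = line.split()
        if parts[:1] != ["access-list"]:
            continue
        if len(parts) < 4:
            raise ValueError(f"incomplete access list entry: {line!r}")
        number, action, target = int(parts[1]), parts[2], parts[3]
        if not 1 <= number <= 99:
            raise ValueError("ntp access-group needs a standard ACL (1 to 99)")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        if target == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            address, wildcard = parts[4], "0.0.0.0"
        else:
            address = target
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append(
            (action, int(ipaddress.IPv4Address(address)),
             int(ipaddress.IPv4Address(wildcard))))
    return acls


def acl_permits(entries, source):
    """First matching entry decides; no match means the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, address, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF      # wildcard 1-bits are "don't care"
        if (src & care) == (address & care):
            return action == "permit"
    return False


def ntp_access(config_lines, source):
    """Return the frozenset of NTP capabilities granted to 'source'."""
    acls = parse_standard_acls(config_lines)
    groups = {}
    for line in config_lines:
        parts = line.split()
        if parts[:2] == ["ntp", "access-group"] and len(parts) == 4:
            groups[parts[2]] = int(parts[3])
    if not groups:                         # no access groups: everything allowed
        return CAPABILITIES["peer"]
    for access_type in ACCESS_ORDER:
        if access_type in groups:
            # An access group that names an undefined ACL matches nothing.
            if acl_permits(acls.get(groups[access_type], []), source):
                return CAPABILITIES[access_type]
    return frozenset()                     # configured, but nothing matched


# The configuration from this section (typo in the last line corrected).
GUIDE_CONFIG = [
    "ntp access-group peer 99",
    "ntp access-group serve-only 42",
    "access-list 99 permit 172.20.130.5",
    "access-list 42 permit 172.20.130.6",
]

# Constructed variant: a subnet may ask for time, one host in it is denied.
SUBNET_CONFIG = [
    "ntp access-group peer 99",
    "ntp access-group serve-only 42",
    "access-list 99 permit 172.20.130.5",
    "access-list 42 deny 172.20.130.9",
    "access-list 42 permit 172.20.130.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("172.20.130.5", "172.20.130.6", "172.20.130.9", "10.0.0.1"):
        print(src, sorted(ntp_access(GUIDE_CONFIG, src)),
              sorted(ntp_access(SUBNET_CONFIG, src)))
```

Two points the model makes visible: with the guide's configuration, every address other than 172.20.130.5 and 172.20.130.6 is denied outright, not merely limited, because the presence of any access group turns on the implicit deny; and entry order inside access list 42 matters, since a deny placed after the subnet permit would never be reached.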
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring Time and Date Manually
If no other source of time is available, you can manually configure the time and date after the system is restarted.
Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent of an hour, that is, 30 minutes. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch#.
Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:
(static or dynamic).
Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.
MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.
• Enable the trap when a MAC address is added on this interface.
• Enable the trap when a MAC address is removed from this interface.
Step 8: Return to privileged EXEC mode.
When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.
Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command.
• For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
Step 3: Return to privileged EXEC mode.
• If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled.
show mac address-table notification: Displays the MAC notification parameters and history table.
show mac address-table static: Displays only static MAC address table entries.
show mac address-table vlan: Displays the MAC address table information for the specified VLAN.
(represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
• Dual IPv4 and IPv6 default template: supports Layer 2, multicast, routing, QoS, and ACLs for IPv4; and Layer 2, routing, ACLs, and QoS for IPv6 on the switch.
SDM Templates and Switch Stacks In a Catalyst 3750-X-only or a mixed hardware switch stack, all stack members must use the same SDM desktop template that is stored on the stack master. When a new switch is added to a stack, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
• If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.
• Using the dual stack template results in less hardware capacity allowed for each resource, so do not use it if you plan to forward only IPv4 traffic.
  number of security aces:                        0.5K
On next reload, template will be “desktop vlan” template.
    + multicast routes:
  number of unicast routes:
    number of directly connected hosts:
    number of indirect routes:
  number of policy based routing aces:            0.5K
  number of IPv4/MAC qos aces:                    0.5K
  number of IPv4/MAC security aces:               0.5K
  number of IPv6 policy based routing aces:       0.25K
  number of IPv6 qos aces:                        0.5K
  number of IPv6 security aces:                   0.5K
Configuring Catalyst 3750-X StackPower
The Catalyst 3750-X and 3560-X switches have two power supplies per system, allowing the power load to be split between them. This accommodates the increased maximum power of 30 watts per port provided to a powered device to meet the PoE+ standard (802.3at).
You configure power modes at a power-stack level (that is, the mode is the same for all switches in the power stack). To configure power-stack parameters, enter the stack-power stack global configuration command followed by the name of the power stack to enter stack-power configuration mode.
• Graceful load-shedding can occur when a smaller power supply fails. Switches and powered devices are shut down in order of their configured priority, starting with devices with priority 27, until the power budget matches the input power.
                                          Good  Good  715/0   Not Present
C3KX-PWR-325WAC   LIT13330FNM  Disabled   Good  Good  325/0
C3KX-PWR-325WAC   LIT13330FN3  Disabled   Good  Good  325/0   Not Present
C3KX-PWR-350WAC   DTN1342L00T             Good  Good  350/0
NG3K-PWR-1100WAC  LIT13370577             Good  Good  1100/0
<output truncated>
• Devices connected to Switch 1 high priority ports (priority 16)
• Devices connected to Switch 2 low priority ports (priority 12)
• Devices connected to Switch 2 high priority ports (priority 11)
The default is non-strict.
Step 4: Return to privileged EXEC mode.
Step 5 show stack power: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
This is an example of setting the power priority of a port to high so that it is one of the last ports to shut down in case of a power failure. Switch(config)# interface gigabitetherent1/0/1 Switch(config-if)# power inline port priority high Switch(config-if)# exit Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-21521-01...
CHAPTER Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Step 1 enable level: For level, the range is 0 to 15.
Step 2 disable level: Exit to a specified privilege level. For level, the range is 0 to 15.
TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
Step 5 server ip-address: (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Step 1 configure terminal: Enter global configuration mode.
Step 2 aaa new-model: Enable AAA.
{default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization (CoA).
• Change-of-Authorization Requests, page 10-20
• CoA Request Response Code, page 10-21
• Session termination with port bounce
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS, refer to: http://cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for the following attributes: Security and Password—refer to the...
CoA Request Response Code The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table 10-4 on page 10-23.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs. CoA ACK Response Code If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
• CoA Disconnect-Request
• CoA Request: Disable Host Port
• CoA Request: Bounce-Port
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 10-4.
Table 10-4 CoA Commands Supported on the Switch
Command: Reauthenticate host. Cisco VSA: Cisco:Avpair=“subscriber:command=reauthenticate”...
To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
Stacking Guidelines for CoA-Request Disable-Port Because the disable-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed.
• Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 10-36
• (optional) Configuring CoA on the Switch, page 10-37
• Monitoring and Troubleshooting CoA Functionality, page 10-38
• Configuring RADIUS Server Load Balancing, page 10-39 (optional)
You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 10-31.
RADIUS host.
Step 3: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
EXEC access and network services:
Step 1 configure terminal: Enter global configuration mode.
Step 2 aaa authorization network radius: Configure the switch for user RADIUS authorization for all network-related service requests.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
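The RADIUS packet layout sketched in the CoA section, the subscriber:command VSAs of Table 10-4, and the protocol : attribute sep value format of cisco-av-pair, worked through together as an added Python example. This is not code from the Cisco guide: it decodes a constructed CoA-Request, extracts Vendor-Specific attributes for Cisco vendor ID 9 with vendor type 1 (cisco-av-pair), splits each pair on its = (mandatory) or * (optional) separator, and reports which CoA command the request carries. The RADIUS codes (40 Disconnect-Request, 43 CoA-Request) and the attribute encoding follow RFC 2865 and RFC 5176; the packet builder, the zero authenticator in the sample, and the sample pair strings are this example's own assumptions.

```python
"""Decode a RADIUS CoA-Request and pull out its cisco-av-pair VSAs.

Added example, not code from the Cisco guide. It assumes the RADIUS packet
and attribute layouts of RFC 2865 / RFC 5176 and the Cisco vendor ID 9 with
vendor type 1 (cisco-av-pair) that the guide names. The sample packet is
constructed here; a real CoA-Request carries an MD5 Request Authenticator
computed with the shared secret, which this sample leaves as zeros.
"""
import struct
from dataclasses import dataclass

CODE_DISCONNECT_REQUEST = 40   # RFC 5176
CODE_COA_REQUEST = 43          # RFC 5176
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool   # '=' separator means mandatory, '*' means optional


def parse_av_pair(text: str) -> AVPair:
    """Split 'protocol:attribute=value' or 'protocol:attribute*value'."""
    proto, _, rest = text.partition(":")
    if not rest:
        raise ValueError(f"no protocol prefix in {text!r}")
    # the first '=' or '*' after the protocol is the separator
    idx = min((i for i in (rest.find("="), rest.find("*")) if i >= 0), default=-1)
    if idx <= 0:
        raise ValueError(f"no attribute/value separator in {text!r}")
    return AVPair(proto.strip(), rest[:idx].strip(), rest[idx + 1:].strip(), rest[idx] == "=")


def parse_attributes(blob: bytes):
    """Yield (type, value) from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def cisco_av_pairs(packet: bytes):
    """Return (code, identifier, [AVPair, ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    pairs = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != CISCO_VENDOR_ID:
            continue
        for vtype, vval in parse_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(parse_av_pair(vval.decode("ascii")))
    return code, ident, pairs


def coa_command(packet: bytes):
    """The subscriber:command value a CoA-Request carries, or None."""
    code, _, pairs = cisco_av_pairs(packet)
    if code != CODE_COA_REQUEST:
        return None
    for pair in pairs:
        if pair.protocol == "subscriber" and pair.attribute == "command":
            return pair.value
    return None


def build_vsa(text: str) -> bytes:
    """Encode one cisco-av-pair as a RADIUS Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Constructed packet with a zero authenticator (sample only, not signed)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample: a CoA-Request asking the switch to reauthenticate a session.
SAMPLE_COA = build_packet(CODE_COA_REQUEST, 7,
                          build_vsa("subscriber:command=reauthenticate"))

if __name__ == "__main__":
    print(cisco_av_pairs(SAMPLE_COA))
    print(coa_command(SAMPLE_COA))   # reauthenticate
```

The length checks in parse_attributes and cisco_av_pairs are the part worth copying: a CoA listener that trusts the attribute length byte can be walked off the end of the datagram by a malformed packet, so each attribute is bounds-checked against the enclosing buffer before its value is used.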
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Step 2 aaa new-model: Enable AAA.
Step 3 aaa server radius dynamic-author: Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.
Monitoring and Troubleshooting CoA Functionality The following Cisco IOS commands can be used to monitor and troubleshoot CoA functionality on the switch:
• debug radius ...
Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services. Note: A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
4. SRVTAB = server table Kerberos Operation A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918...
• The Kerberos realm name must be in all uppercase characters.
Note: A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
SSH server. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
show ssh: Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7d0.html...
(pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
• Configuring the Secure HTTP Client, page 10-54
Default SSL Configuration: The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
RSA key pair.
Step 13: Return to privileged EXEC mode.
Step 14 show crypto ca trustpoints: Verify the configuration.
Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 10 ip http max-connections value: (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.
• Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.
Note: When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-X or 3560-X switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3560-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
The specific exchange of EAP frames depends on the authentication method being used. Figure 11-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
MAC authentication bypass. Figure 11-4 Message Exchange During MAC Authentication Bypass (participants: client, switch, authentication server (RADIUS); messages: EAPOL Request/Identity sent three times, Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept).
Understanding IEEE 802.1x Port-Based Authentication Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
Understanding IEEE 802.1x Port-Based Authentication Per-User ACLs and Filter-Ids ACLs configured on the switch are compatible with other devices running Cisco IOS releases. You can only set any as the source in the ACL. Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.)
the client to authenticate. The switch cannot provide authentication services to the client through the port.
For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
For more information about critical authentication mode and the critical VLAN, see the “802.1x Authentication with Inaccessible Authentication Bypass” section on page 11-20. For more information see the “Configuring the Host Mode” section on page 11-44.
RADIUS accounting packets are sent by a switch:
• START–sent when a new user session starts
• INTERIM–sent during an existing session for updates
• STOP–sent when a session terminates
You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a008...
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Note: If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured. Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL The switch uses these cisco-av-pair VSAs: url-redirect is the HTTP to HTTPS URL.
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
VLAN if one is specified. For more information, see the “IEEE 802.1x Authentication with MAC Authentication Bypass” section on page 11-25. For more information, see the “Configuring a Guest VLAN” section on page 11-51.
Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated. You can configure the switch to connect those hosts to critical ports.
– If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
VLAN. Load balancing is achieved by moving the corresponding authorized user to that VLAN. Note: The RADIUS server can send the VLAN information in any combination of VLAN-IDs, VLAN names, or VLAN groups.
Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
Ethernet frame, known as the magic packet. You can use this feature in environments where administrators need to connect to systems that have been powered down.
During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
If the value is RADIUS-Request, the re-authentication process starts.
• View the NAC posture token, which shows the posture of the client, by using the show dot1x privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. On the Catalyst 3750-X and 3560-X switches running Cisco IOS Release 12.2(53)SE2, only host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.
MAC address of the physical interface concatenated with a 16-bit port ID. MACsec and Stacking A Catalyst 3750-X stack master running MACsec maintains the configuration files that show which ports on a member switch support MACsec. The stack master performs these functions: Processes secure channel and secure association creation and deletion.
You can change this timeout period by using the dot1x timeout server-timeout interface configuration command.
Guest VLAN: None specified.
Inaccessible authentication bypass: Disabled.
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
• If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one
shutdown vlan global configuration command. You disable voice aware 802.1x security by entering the no version of this command. This command applies to all 802.1x-configured ports in the switch.
This example shows how to re-enable all VLANs that were error disabled on port Gi4/0/2.
Switch# clear errdisable interface GigabitEthernet4/0/2 vlan
You can verify your settings by entering the show errdisable detect privileged EXEC command.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
IEEE 802.1x authentication, and enter interface configuration mode.
Step 9 switchport mode access: (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode.
Step 3 authentication periodic / dot1x reauthentication: Enable periodic re-authentication of the client, which is disabled by default.
“Configuring Periodic Re-Authentication” section on page 11-45. This example shows how to manually re-authenticate the client connected to a port:
Switch# dot1x re-authenticate interface gigabitethernet2/0/1
This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default retransmission number, use the no dot1x max-req interface configuration command.
Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
configure terminal: Enter global configuration mode.
authentication mac-move permit: Enable MAC move on the switch.
Return to privileged EXEC mode.
Step 7 copy running-config startup-config: (Optional) Saves your entries in the configuration file. Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message.
To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x guest VLAN:
Switch(config)# interface gigabitethernet2/0/2
Switch(config-if)# dot1x guest-vlan 2
To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x restricted VLAN:
Switch(config)# interface gigabitethernet2/0/2
Switch(config-if)# dot1x auth-fail vlan 2
VLAN:
Switch(config-if)# dot1x auth-fail max-attempts 2
Configuring the Inaccessible Authentication Bypass Feature You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA fail policy.
This key must match the encryption used on the RADIUS daemon. You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.
Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 11-36.
Group Name     Vlans Mapped
-------------  --------------
eng-dept
hr-dept
This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:
For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 IEEE 802.1x Validation You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
“802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 11-29. The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the Note interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
Step 12  Return to privileged EXEC mode.
Step 13  show running-config interface interface-id: Verify your configuration.
Step 14  copy running-config startup-config: (Optional) Save your entries in the configuration file.

Step 5  radius-server vsa send authentication: Configure the switch to send RADIUS vendor-specific attributes (VSAs) during authentication.
Step 6  interface interface-id: Specify the port to be configured, and enter interface configuration mode.

Step 8  ip device tracking: Enable the IP device tracking table.
To disable the IP device tracking table, use the no ip device tracking global configuration command.

There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741

Step 6  authentication open: (Optional) Enable or disable open access on a port.
Step 7  authentication order dot1x | mab {webauth}: (Optional) Set the order of authentication methods used on a port.

Switch(config)# aaa ip auth-proxy auth-proxy-banner C My Switch C
Switch(config)# end
For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com.

Step 4  Return to privileged EXEC mode.
Step 5  show authentication interface-id and show dot1x interface interface-id: Verify your entries.
Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.

Step 6  authentication event linksec fail action authorize vlan vlan-id: (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt.
Interface: GigabitEthernet1/0/25
MAC Address: 001b.2140.ec3c
IP Address: 1.1.1.103
User-Name: ms1
Status: Authz Success
Domain: DATA
Security Policy: Must Secure    <--- New
Security Status: Secured        <--- New
Oper host mode: multi-domain

EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
Chapter: Configuring Web-Based Authentication
This chapter describes how to configure web-based authentication on the Catalyst 3750-X or 3560-X switch. It contains these sections:
• Understanding Web-Based Authentication, page 12-1
• Configuring Web-Based Authentication, page 12-9

• ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.

• server. The terminate action is included in the response from the server. If the terminate action is default, the session is dismantled, and the applied policy is removed.
You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 12-2.
Figure 12-4.
Figure 12-4 Login Screen With No Banner
For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 12-16.

• You must include an HTML redirect command in the success page to access a specific URL.
• The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.

You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 28-8.

ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.

• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts

Switch(config-if)# exit
Switch(config)# ip device tracking
This example shows how to verify the configuration:
Switch# show ip admission configuration
Authentication Proxy Banner not configured
Authentication global cache time is 60 minutes

The RADIUS host entries are chosen in the order that they were configured.
For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Note: You need to configure some settings on the RADIUS server, including the switch IP address, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL).

Step 4  ip admission proxy http login expired page file device:expired-filename: Specify the location of the custom HTML file to use in place of the default login expired page.
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5

number_of_sessions: AAA down state to avoid flooding the AAA server when it returns to service.
This example shows how to apply an AAA failure policy:
Switch(config)# ip admission name AAA_FAIL_POLICY proxy http event timeout aaa policy identity GLOBAL_POLICY1

(Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or by entering file-path, where file-path indicates a file (for example, a logo or text file) that appears in the banner.

This example shows how to view only the global web-based authentication status:
Switch# show authentication sessions
This example shows how to view the web-based authentication settings for gigabit interface 3/27:
Switch# show authentication sessions interface gigabitethernet 3/27
The rest of the chapter describes configuration procedures for physical interface characteristics.
Note: The stack ports on the rear of the Catalyst 3750-X switch are not Ethernet ports and cannot be configured.

Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode by negotiating with the port on the other end of the link. You must manually

Catalyst 6500 series switch; the Catalyst 3750-X or 3560-X switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 17, “Configuring Voice VLAN.”

When you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost.

SVIs support routing protocols and bridging configurations. For more information about configuring IP routing, see Chapter 42, “Configuring IP Unicast Routing,” Chapter 48, “Configuring IP Multicast Routing,” and Chapter 50, “Configuring Fallback Bridging.”

RIP. For more advanced routing or for fallback bridging, enable the IP services feature set on the standalone switch or the stack master. For information about using the software activation feature to install a software license for a specific feature set, see the Cisco IOS Software Activation document.
SVI Autostate Exclude
The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions: The VLAN exists and is active in the VLAN database on the switch.

Interface Types
10-Gigabit Ethernet Interfaces
The Catalyst 3750-X and 3560-X switches have a network module slot into which you can insert a 10-Gigabit Ethernet network module, a 1-Gigabit Ethernet network module, or a blank module. A 10-Gigabit Ethernet interface operates only in full-duplex mode. The interface can be configured as a switched or routed port.
After power is applied to the port, the switch uses CDP to determine the CDP-specific power consumption requirement of the connected Cisco powered devices, which is the amount of power to allocate based on the CDP messages. The switch adjusts the power budget accordingly. This does not apply to third-party PoE devices.
(TLVs), Power-via-MDI TLVs, for negotiating power up to 30 W. Cisco pre-standard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI power negotiation mechanism to request power levels up to 30 W.
The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
6300 interface configuration command, the configured maximum power allocation on the PoE port is 6.3 W

The Catalyst 3750-X stackable switch also supports StackPower, which allows power supplies to share the load across multiple systems in a stack by connecting the switches with power stack cables. You can

USB console, the first log from switch 1 shows the RJ-45 console. A short time later, the console changes and the USB console log appears. Switch 2 and switch 3 have connected RJ-45 console cables.

If a USB console cable is connected to switch 2, it is prevented from providing input.
*Mar 1 00:34:27.498: %USB_CONSOLE-6-CONFIG_DISALLOW: Console media-type USB is disallowed by system configuration, media-type remains RJ45. (switch-stk-2)

At this point, the only way to reactivate the USB console is to disconnect and reconnect the cable. When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears:
*Mar 1 00:48:28.640: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
The USB Type A port provides access to external Cisco USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device.

13-19). To configure a physical interface (port), specify the interface type, stack member number (only Catalyst 3750-X switches), module number, and switch port number, and enter interface configuration mode.
• Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, 10-Gigabit

Step 2  Enter the interface global configuration command. Identify the interface type, the switch number (only on Catalyst 3750-X switches), and the number of the connector. In this example, Gigabit Ethernet port 1 on switch 1 is selected:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)#
You do not need to add a space between the interface type and the interface number.

When using the interface range global configuration command, note these guidelines:
• Valid entries for port-range:
  – vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094
If you exit interface-range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface-range configuration mode.

  - port-channel-number, where the port-channel-number is 1 to 48.
Note: When you use the interface ranges with port channels, the first and last port-channel number must be active port channels.

Network cloud
In a stack with only Catalyst 3750-X or Catalyst 3750-E switches, all the Ethernet management ports on the stack members are connected to a hub to which the PC is connected. The active link is from the Ethernet management port on the stack master through the hub, to the PC. If the stack master fails and a new stack master is elected, the active link is now from the Ethernet management port on the new stack master to the PC.
If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports.

LED is green (on) when the link is active, and the LED is off when the link is down. The LED is amber when there is a POST failure. To display the link status, use the show interfaces fastethernet 0 privileged EXEC command.

Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release.
copy tftp:/source-file-url: Copies a Cisco IOS image from the TFTP server to the specified location.

Port security: Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 28-11.
Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 22-12.

Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.

Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.

Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.
Note: Catalyst 3750-X or 3560-X ports can receive, but not send, pause frames.
You use the flowcontrol interface configuration command to set the interface’s ability to receive pause

Step 7  show controllers ethernet-controller interface-id phy: Verify the operational state of the auto-MDIX feature on the interface.
Step 8  copy running-config startup-config: (Optional) Save your entries in the configuration file.

Catalyst 3750-X switches also support StackPower, which allows switch power supplies to share the load across multiple systems in a stack by connecting up to four switches with power stack cables. See Chapter 9, “Configuring Catalyst 3750-X StackPower”

Chapter 17, “Configuring Voice VLAN.”
Budgeting Power for Devices Connected to a PoE Port
When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget accordingly.
Step 1  configure terminal: Enter global configuration mode.
Step 2  no cdp run: (Optional) Disable CDP.
Step 3  interface interface-id: Specify the physical port to be configured, and enter interface configuration mode.

If you do not enter the action log keywords, the default action shuts down the port and puts the port in the error-disabled state.

Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no description interface configuration command to delete the description.

• If you try to create an extended-range VLAN, an error message is generated, and the extended-range VLAN is rejected.
This example shows how to configure a port as a routed port and to assign it an IP address:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.20.135.21 255.255.255.0
Switch(config-if)# no shutdown

Use the system mtu routing bytes global configuration command to specify the system routing MTU value. When configuring the system MTU values, follow these guidelines:
• The switch does not support the MTU on a per-interface basis.
Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command.
MTU value (in bytes).
1. If you use the system mtu bytes command on a Catalyst 3750-X or 3750-E member in a mixed hardware stack, the setting takes effect on the Fast Ethernet ports of Catalyst 3750 members.
Configuring the Cisco RPS 2300 in a Mixed Stack In a mixed stack with Catalyst 3750-X and 3750-E switches, one or more Catalyst 3750-E switches can be connected to a Cisco Redundant Power System 2300, also known as the RPS 2300. You can configure and manage an RPS 2300 connected to a Catalyst 3750-E switch in the stack.
Beginning in user EXEC mode, follow these steps to configure and manage the RPS 2300:
power rps switch-number name {string | serialnumber}: Specify the name of the RPS 2300.

The switch does not support the no power supply user EXEC command. To return to the default setting, use the power supply switch-number slot {A | B} on command. For more information about using the power supply user EXEC command, see the command reference for this release.

(You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2.
Table 13-6

EXEC command. The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number.

Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
When there is a link-down event on the port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, Auto Smartports automatically applies the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.
Auto Smartports macro to enable the appropriate VLAN and QoS settings for the device. The switch also uses a built-in MAC-address group to detect the legacy Cisco DMP, based on an OUI of 0f4400 or 23ac00. You can also create custom user-defined macros for any video device.
Auto Smartports Built-In Macros
CISCO_PHONE_AUTO_SMARTPORT: This macro applies the IP phone macro for Cisco IP phones. It enables QoS, port-security, storm-control, DHCP snooping, and spanning-tree protection. It also configures the access and voice VLANs for that interface.

Auto Smartports Built-In Macros (continued)
CISCO_ROUTER_AUTO_SMARTPORT: This macro applies the router macro for Cisco routers. It enables QoS and trunking with 802.1Q encapsulation, and spanning-tree BPDU protection.
CISCO_AP_AUTO_SMARTPORT: This macro applies the wireless access point macro for Cisco APs. It enables QoS and trunking with 802.1Q encapsulation.

• For 802.1x authentication or MAB, configure the RADIUS server to support the Cisco attribute-value (av) pair auto-smart-port=event trigger to detect non-Cisco devices.
• For stationary devices that do not support CDP, MAB, or 802.1x authentication, such as network

Entering no macro auto execute mac-address-group only removes the mapping of the trigger to the macro.

To disable the Auto Smartports macro persistent feature, use the no macro auto sticky global configuration command. This example shows how to enable the Auto Smartports auto-sticky feature on the switch:
Switch(config)# macro auto sticky

Specify the parameter values: ACCESS_VLAN=1 and VOICE_VLAN=2.
• CISCO_SWITCH_AUTO_SMARTPORT: Specify the parameter values: NATIVE_VLAN=1.
• CISCO_ROUTER_AUTO_SMARTPORT: Specify the parameter values: NATIVE_VLAN=1.
• CISCO_AP_AUTO_SMARTPORT: Specify the parameter values: NATIVE_VLAN=1.
• CISCO_LWAP_AUTO_SMARTPORT: Specify the parameter values: ACCESS_VLAN=1.
This example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch. This example modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:

Creating User-Defined Event Triggers
When using MAB or 802.1x authentication to trigger Auto Smartports macros, you need to create an event trigger that corresponds to the Cisco attribute-value pair (auto-smart-port=event trigger) sent by the RADIUS server. This procedure is optional.
Switch(config)# macro auto execute RADIUS_MAB_EVENT builtin CISCO_AP_AUTO_SMARTPORT ACCESS_VLAN=10
Switch(config)# exit
Switch# show shell triggers
User defined triggers
---------------------
Trigger Id: RADIUS_MAB_EVENT
Trigger description: MAC_AuthBypass Event
Trigger environment:
Trigger mapping function: CISCO_AP_SMARTPORT
<output truncated>
Switch# show shell functions
#User defined functions:
#Built-in functions:
function CISCO_AP_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
        conf t
            interface $INTERFACE
                macro description $TRIGGER
                switchport trunk encapsulation dot1q
                $NATIVE_VLAN
                no switchport trunk allowed vlan ALL
            exit
<output truncated>

Configuring Auto Smartports User-Defined Macros
The Cisco IOS shell provides basic scripting capabilities for configuring the user-defined Auto Smartports macros. These macros can contain multiple lines and can include any CLI command. You can also define variable substitution, conditionals, functions, and triggers within the macro. This procedure is optional.
Use the # character to enter comment text.
Table 14-3 Unsupported Cisco IOS Shell Reserved Keywords
Command   Description
          Pipeline.
case      Conditional construct.
esac      Conditional construct.
          Looping construct.
function  Shell function.
          Conditional construct.
select    Conditional construct.
time      Pipeline.

PC, to a switch port.
cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.

Applying Static Smartports Macros
Beginning in privileged EXEC mode, follow these steps to apply a static Smartports macro:
Step 1  show parser macro: Display the Cisco-default static Smartports macros embedded in the switch software.
Display the specific macro that you want to apply.
You can delete a macro-applied configuration on a port by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, to apply the macro and to set the access VLAN ID to 25 on an interface:...
[interface Displays the static Smartports macro description for all interfaces or for a specified interface. interface-id] Displays information about Auto Smartports event triggers and show shell macros. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 14-20 OL-21521-01...
VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
Although the switch or switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-2...
Dynamic-Access Ports on VMPS Clients” section on page 15-28. Voice VLAN A voice VLAN port is an access port attached to a Cisco IP VTP is not required; it has no effect on Phone, configured to use one VLAN for voice traffic and a voice VLAN.
EXEC command. The vlan.dat file is stored in flash memory. On a Catalyst 3750-X switch, thevlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
The switch does not support Token Ring or FDDI media. The switch does not forward FDDI, • FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-5 OL-21521-01...
If the VTP mode or domain name in the startup configuration does not match the VLAN database, • the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-6 OL-21521-01...
“Configuring Extended-Range VLANs” section on page 15-10. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 15-4. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-7 OL-21521-01...
When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated Caution with the VLAN (and thus inactive) until you assign them to a new VLAN. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-8 OL-21521-01...
This example shows how to configure a port as an access port in VLAN 2: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitethernet0/1 Catalyst 3750-X and 3560-X Switch Software Configuration Guide 15-9 OL-21521-01...
VLANs. If VTP mode is server or client, an error message is generated, and the extended-range VLAN is rejected. VTP version 3 supports extended VLANs in server and transparent modes.
1 or 2, if you enter an extended-range VLAN ID when the switch is not in VTP transparent mode, an error message is generated when you exit VLAN configuration mode, and the extended-range VLAN is not created.
This example shows how to create a new extended-range VLAN with all default characteristics, enter VLAN configuration mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config
VTP server mode, and the extended-range VLAN IDs will not be saved. Note: This step is not required for VTP version 3 because VLANs are saved in the VLAN database.
Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces:
• Inter-Switch Link (ISL)—Cisco-proprietary trunking encapsulation.
• IEEE 802.1Q—industry-standard trunking encapsulation.
You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. Note: DTP is not supported on private-VLAN ports or tunnel ports.
The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces decide whether a link becomes an ISL or IEEE 802.1Q trunk.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
Step 3 switchport trunk encapsulation {isl | dot1q | negotiate} — Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type.
VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
Command / Purpose
Step 1 configure terminal — Enter global configuration mode.
Step 2 interface interface-id — Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
Step 13 Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack.
Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
Step 5 exit
Step 6 Repeat Steps 2 through 5 on a second interface in Switch A (for a Catalyst 3560-X switch) or in the Switch A stack (for a Catalyst 3750-X switch).
Step 7 Return to privileged EXEC mode. Verify your entries.
The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
You must turn off trunking on the port before the dynamic-access setting takes effect.
• Dynamic-access ports cannot be monitor ports.
If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.
If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch.
• VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent.
• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
[Figure residue: VMPS network example showing client switches E through J (172.20.26.155 to 172.20.26.159), a dynamic-access port, a trunk port, end station 2, and a Catalyst 6500 series switch acting as secondary VMPS (Server 3).]
VLANs with the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
VTP off — A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
Although VTP version 2 supports only one domain, a VTP version 2 transparent switch forwards a message only when the domain name matches.
For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
F have no ports in the Red VLAN.
[Figure 16-1 Flooding Traffic without VTP Pruning: Switches A through F, with Port 1 and Port 2 on the Red VLAN marked.]
VTP.
• When a switch joins the stack, it inherits the VTP and VLAN properties of the stack master.
• All VTP updates are carried across the stack.
The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3.
VTP version: Version 1 (Version 2 is disabled).
MST database mode: Transparent.
VTP version 3 server type: Secondary.
VTP password: None.
VTP pruning: Disabled.
If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it.
2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled.
• Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they...
VTP server mode (the default).
• VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you cannot convert from VTP version 3 to VTP version 2.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
This example shows how to configure a hidden password and how it appears:
Switch(config)# vtp password mypassword hidden
Generating the secret associated to the password.
Switch(config)# end
Switch# show vtp password
VTP password: 89914640C8D90868B6A0D8103847A733
• In TrCRF and TrBRF Token Ring environments, you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List” section on page 15-20.
Step 3 vtp domain domain-name — The VLAN information on the switch is updated and the configuration revision number is reset to 0.
Step 4 You return to privileged EXEC mode.
show vtp password — Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
show vtp status — Display the VTP switch configuration information.
This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Cisco IP Phone Voice Traffic: You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
For more information, see Chapter 39, “Configuring QoS.”
• You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
voice VLAN, the Port Fast feature is not automatically disabled.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: They both use IEEE 802.1p or untagged frames.
Configuring Cisco IP Phone Voice Traffic: You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
Step 6 copy running-config startup-config
This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
Switch# configure terminal
Enter configuration commands, one per line.
Configuring Private VLANs: This chapter describes how to configure private VLANs on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN. Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.
VLAN, you should not change the VTP mode to client or server. For information about VTP, see Chapter 16, “Configuring VTP.” VTP version 3 supports private VLANs in all modes.
on the secondary VLAN is applied.
– For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.
Chapter 32, “Configuring SPAN and RSPAN.”
• Do not configure private-VLAN ports on interfaces configured for these other features:
– dynamic-access port VLAN membership
– Dynamic Trunking Protocol (DTP)
– Port Aggregation Protocol (PAgP)
VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Step 7 private-vlan isolated — Designate the VLAN as an isolated VLAN.
Step 8 exit — Return to global configuration mode.
VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
This is an example of the output from the show vlan private-vlan command:
Switch(config)# show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
isolated Gi2/0/1, Gi3/0/1, Gi3/0/2
community Gi2/0/11, Gi3/0/1, Gi3/0/4
non-operational
The Catalyst 3750-X or 3560-X switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 19-2 shows the tag structures of the double-tagged packets.
(The default is zero if none is configured.) On Catalyst 3750-X switches, because 802.1Q tunneling is configured on a per-port basis, it does not matter whether the switch is a standalone switch or a stack member. All configuration is done on the stack master.
The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by adding 4 bytes to the system MTU and system jumbo MTU sizes.
• When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface.
Switch(config-if)# exit
Switch(config)# vlan dot1q tag native
Switch(config)# end
Switch# show dot1q-tunnel interface gigabitethernet1/0/7
Port
-----
Gi1/0/1
Port
-----
Switch# show vlan dot1q tag native
dot1q native vlan tagging is enabled
VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic.
PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets.
Step 11 show l2protocol — Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
Step 12 copy running-config startup-config — (Optional) Save your entries in the configuration file.
If no keyword is entered, tunneling is enabled for all three protocols. Caution: To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.
[point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
show vlan dot1q tag native — Display the status of native VLAN tagging on the switch.
For detailed information about these displays, see the command reference for this release.
Note: By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can change the default for an interface by entering the [no] keepalive interface configuration command with no keywords.
– Selects the lowest path cost to the root switch
– Selects the lowest designated bridge ID
– Selects the lowest designated path cost
– Selects the lowest port ID
VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
A disabled interface performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs
Spanning-Tree Address Management: IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be used by different bridge protocols. These addresses are static addresses that cannot be removed.
Spanning-Tree Modes and Protocols: The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
The standard requires only one spanning-tree instance for all VLANs allowed on the trunks. However, in a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks.
Configuring STP — Understanding Spanning-Tree Features: When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
Spanning-tree port priority (configurable on a per-interface basis): 128.
Spanning-tree port cost (configurable on a per-interface basis): 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Spanning-tree VLAN port priority (configurable on a per-VLAN basis): 128.
You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network.
ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.
Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time, spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration commands.
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command.
Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. For more information, see the “Configuring Path Cost” section on page 20-20.
For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 15-22.
Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
Step 5 copy running-config startup-config — (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
Step 5 copy running-config startup-config — (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
Step 5 copy running-config startup-config — (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Chapter: Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-X or 3560-X switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
Understanding MSTP IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role
A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology.
Disabled (operational status): STP port state Disabled, RSTP port state Discarding.
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
VLAN-to-instance map, the same configuration revision number, and the same name.
• For two or more stacked Catalyst 3750-X switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required. Command Purpose Enter global configuration mode. Step 1 configure terminal Enter MST configuration mode. Step 2 spanning-tree mst configuration Catalyst 3750-X and 3560-X Switch Software Configuration Guide 21-16 OL-21521-01...
Page 577
Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 10-20 Switch(config-mst)# name region1 Switch(config-mst)# revision 1 Switch(config-mst)# show pending Pending MST configuration Name [region1] Revision Catalyst 3750-X and 3560-X Switch Software Configuration Guide 21-17 OL-21521-01...
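The region-membership rule above (same name, same revision, same VLAN-to-instance map) is what a switch checks when it compares the MST configuration identifier carried in a neighbor's BPDU. The following Python is an added example, not part of this guide or of Cisco IOS, that computes that identifier: the name and revision are carried literally, and the VLAN-to-instance map is summarized as the IEEE 802.1s configuration digest, an HMAC-MD5 over the 4096-entry VID-to-MSTI table keyed with the constant fixed by the standard. The expand_vlans helper, the function names and the sample regions (built around the instance 1 vlan 10-20 configuration shown above) are constructed for the example.

```python
import hashlib
import hmac

# Key fixed by IEEE 802.1s (now 802.1Q clause 13.7) for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlans(spec):
    """Expand an IOS-style VLAN list such as "10-20,30" into a sorted list of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def vid_to_msti_table(instance_map):
    """Build the 4096-entry VID->MSTI table from {msti: "vlan-list"}.

    Any VLAN not named in an instance belongs to MSTI 0 (the IST), which is why
    'instance 1 vlan 10-20' alone still yields a complete table.
    """
    table = [0] * 4096
    for msti, spec in instance_map.items():
        if not 0 <= msti <= 4094:
            raise ValueError(f"bad MSTI {msti}")
        for vid in expand_vlans(spec):
            if table[vid] != 0:
                raise ValueError(f"VLAN {vid} mapped to more than one instance")
            table[vid] = msti
    return table


def mst_config_digest(instance_map):
    """HMAC-MD5 over the table, each entry a 2-octet big-endian MSTI for VID 0..4095."""
    table = vid_to_msti_table(instance_map)
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).digest()


def mst_config_id(name, revision, instance_map):
    """The three fields a switch puts in its MST BPDUs: name (<= 32 octets), 16-bit revision, digest."""
    if len(name.encode()) > 32:
        raise ValueError("MST region name is limited to 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("MST revision is a 16-bit value")
    return (name, revision, mst_config_digest(instance_map))


def same_region(config_id_a, config_id_b):
    """Two switches form one region only if all three fields match exactly."""
    return config_id_a == config_id_b


if __name__ == "__main__":
    # Sample regions constructed to match the 'instance 1 vlan 10-20' example above.
    a = mst_config_id("region1", 1, {1: "10-20"})
    b = mst_config_id("region1", 1, {1: "10-20"})
    c = mst_config_id("region1", 1, {1: "10-21"})   # one extra VLAN in instance 1
    print("identical configs share a region:", same_region(a, b))
    print("digest:", a[2].hex().upper())
    print("10-21 vs 10-20 share a region:", same_region(a, c))
```

Because the digest covers every VID, adding a single VLAN to an instance on one switch splits the region even though the name and revision still match; conversely, bumping only the revision leaves the digest unchanged but still splits the region, which is why show pending is worth reading before you apply an edit.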
Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note: If your Catalyst 3750-X switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state.
If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
(PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 22-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
Understanding Cross-Stack UplinkFast
For Catalyst 3750-X switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The Catalyst 3750-X switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack. The Catalyst 3560-X switch sends the RLQ request on all alternate paths and...
Switch A, the root switch.
Figure 22-8 Adding a Switch in a Shared-Medium Topology (Switch A (Root), Switch B, Switch C (Designated bridge), blocked port, added switch)
MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command.
Caution: Misuse of the root-guard feature can cause a loss of connectivity.
UplinkFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. On a Catalyst 3750-X switch, you can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
Caution: Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
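BPDU guard, the per-VLAN errdisable option and root guard described above all react to a BPDU arriving where one is not expected. The Python below is an added example, not code from this guide or from Cisco IOS, that models those reactions for one access port: a port with BPDU guard is err-disabled when any BPDU arrives (or, with errdisable detect cause bpduguard shutdown vlan, only the offending VLAN is shut down), and a root-guard port is held in the root-inconsistent state while it receives BPDUs advertising a better root than the one it currently knows, recovering as soon as the BPDUs it sees are no longer superior. Bridge IDs are modelled as (priority, MAC) pairs where the lower pair is superior; the class, its field names and the sample port and bridge values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(order=True, frozen=True)
class BridgeId:
    """STP bridge identifier: priority first, then MAC; the lower value wins the root election."""
    priority: int
    mac: str


@dataclass
class AccessPort:
    name: str
    bpduguard: bool = False            # set by the global command on Port Fast ports, or per interface
    rootguard: bool = False            # spanning-tree guard root
    per_vlan_errdisable: bool = False  # errdisable detect cause bpduguard shutdown vlan
    errdisabled: bool = False
    errdisabled_vlans: set = field(default_factory=set)
    root_inconsistent_vlans: set = field(default_factory=set)
    known_root: dict = field(default_factory=dict)   # VLAN -> root BridgeId this switch believes in

    def receive_bpdu(self, vlan, advertised_root):
        """Return the action taken for a BPDU received on this port in the given VLAN."""
        if self.errdisabled or vlan in self.errdisabled_vlans:
            return "dropped: port or VLAN already err-disabled"
        if self.bpduguard:
            # Any BPDU on a guarded edge port means a switch was plugged in where a host belongs.
            if self.per_vlan_errdisable:
                self.errdisabled_vlans.add(vlan)
                return f"bpduguard: VLAN {vlan} err-disabled on {self.name}"
            self.errdisabled = True
            return f"bpduguard: {self.name} err-disabled"
        if self.rootguard:
            current = self.known_root.get(vlan)
            if current is not None and advertised_root < current:
                # A superior BPDU would turn this port into a root port; root guard blocks it instead.
                self.root_inconsistent_vlans.add(vlan)
                return f"rootguard: {self.name} root-inconsistent on VLAN {vlan}"
            # Superior BPDUs have stopped: the port recovers on its own.
            self.root_inconsistent_vlans.discard(vlan)
        return "processed by spanning tree"

    def forwarding(self, vlan):
        """Whether user traffic on this VLAN still passes through the port."""
        return not (self.errdisabled
                    or vlan in self.errdisabled_vlans
                    or vlan in self.root_inconsistent_vlans)

    def errdisable_recovery(self):
        """What the errdisable recovery timer does when it expires for cause bpduguard."""
        self.errdisabled = False
        self.errdisabled_vlans.clear()


if __name__ == "__main__":
    root = BridgeId(32768, "0000.0c00.0001")
    p = AccessPort("Gi1/0/5", bpduguard=True, known_root={10: root})
    print(p.receive_bpdu(10, BridgeId(32768, "0000.0c00.0002")), "forwarding:", p.forwarding(10))
    g = AccessPort("Gi1/0/7", rootguard=True, known_root={10: root})
    print(g.receive_bpdu(10, BridgeId(4096, "0000.0c00.00ff")), "forwarding:", g.forwarding(10))
```

The difference between the two guards is visible in the return values: BPDU guard is a one-way trip that needs errdisable recovery (or a manual shutdown/no shutdown), whereas root guard clears by itself once the offending switch stops advertising a better root.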
You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
Enabling BackboneFast
You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.
Command  Purpose
Step 1  show spanning-tree active or show spanning-tree mst  Verify which interfaces are alternate or root ports.
Step 2  configure terminal  Enter global configuration mode.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-X or 3560-X switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On Catalyst 3750-X switches, the Flex Link can be on the same switch or on another switch in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query.
Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401:
Switch# show ip igmp snooping mrouter
Vlan    ports
----    -----
1       Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401     Gi1/0/11(dynamic), Gi1/0/12(dynamic)
GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:
Switch# show ip igmp snooping groups
Vlan    Group        Type    Version    Port List
-----------------------------------------------------------------------
1       228.1.5.1    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
1       228.1.5.2    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.
• You can configure up to 16 backup links.
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the active interface.
Step 3  switchport backup interface interface-id  Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
Step 5  switchport backup interface interface-id preemption delay delay-time  Configure the time delay until a port preempts another port.
Note: Setting a delay time only works with forced and bandwidth modes.
Step 6  end  Return to privileged EXEC mode.
Step 6  copy running-config startup-config  (Optional) Save your entries in the switch startup configuration file.
To disable the VLAN load balancing feature, use the no switchport backup interface interface-id prefer vlan vlan-range interface configuration command.
Vlans Preferred on Active Interface: 1-2,5-4094
Vlans Preferred on Backup Interface: 3-4
Preemption Mode : off
Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4)
Mac Address Move Update Vlan : auto
This example shows how to configure an access switch to send MAC address-table move update messages:
Switch# configure terminal
Switch(conf)# interface gigabitethernet1/0/1
Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2
Switch(conf-if)# exit
Switch(conf)# mac address-table move update transmit
Switch(conf)# end
EXEC command. This example shows how to configure a switch to get and process MAC address-table move update messages:
Switch# configure terminal
Switch(conf)# mac address-table move update receive
Switch(conf)# end
show interfaces [interface-id] switchport backup  Displays the Flex Links and the state of each active and backup interface (up or standby mode).
show mac address-table move update  Displays the MAC address-table move update information on the switch.
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750-X or 3560-X switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
• For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  – Circuit-ID type
  – Length of the circuit-ID type
• Remote-ID suboption fields
  – Suboption type
  – Length of the suboption type
  – Remote-ID type
  – Length of the remote-ID type
  – The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
  – The remote-ID type is 1.
  – The length values are variable, depending on the length of the string that you configure.
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.
• DHCP server and the DHCP relay agent are configured and enabled.
• When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
Configuring the DHCP Server
The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures:
• Checking (validating) the relay agent information ...
• Configured hostname for the switch
Note: If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration.
The default remote ID is the switch MAC address.
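The suboption layouts listed above are easy to get wrong by one octet, and an aggregation switch that cannot parse them cannot apply its trust rule. The Python below is an added example, not the guide's or Cisco's code, that builds and parses a relay agent information option in the default Catalyst layout this chapter describes: circuit-ID suboption 1 carrying type 0, length 4, VLAN (2 octets), module and port; remote-ID suboption 2 carrying type 0, length 6 and the switch MAC; type 1 for a configured string, with the 63-character hostname truncation from the note above applied. The last function applies the ingress rule from the section that follows: option 82 arriving on an untrusted port is dropped unless allow-untrusted is configured. Function names and the sample VLAN, port and MAC values are constructed.

```python
OPTION_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
TYPE_DEFAULT, TYPE_STRING = 0, 1      # the inner "circuit-ID type" / "remote-ID type" octet
MAX_REMOTE_ID_HOSTNAME = 63           # hostnames longer than this are truncated (see note above)


def _mac_bytes(mac):
    """Accept 00:1b:2c:3d:4e:5f or 001b.2c3d.4e5f and return the 6 raw octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    return raw


def build_circuit_id(vlan, module, port):
    """Default circuit-ID: suboption 1, len 6, type 0, len 4, VLAN(2) module(1) port(1)."""
    if not (1 <= vlan <= 4094 and 0 <= module <= 255 and 0 <= port <= 255):
        raise ValueError("vlan/module/port out of range")
    inner = bytes([TYPE_DEFAULT, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    return bytes([SUB_CIRCUIT_ID, len(inner)]) + inner


def build_remote_id(switch_mac=None, hostname=None):
    """Default remote-ID: suboption 2, len 8, type 0, len 6, switch MAC.
    With a configured hostname string: suboption 2, type 1, variable length."""
    if hostname is not None:
        text = hostname.encode("ascii")[:MAX_REMOTE_ID_HOSTNAME]
        inner = bytes([TYPE_STRING, len(text)]) + text
    else:
        inner = bytes([TYPE_DEFAULT, 6]) + _mac_bytes(switch_mac)
    return bytes([SUB_REMOTE_ID, len(inner)]) + inner


def build_option82(*suboptions):
    body = b"".join(suboptions)
    if len(body) > 255:
        raise ValueError("option 82 body exceeds the one-octet length field")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option):
    """Decode option 82 into a dict; raise ValueError on any malformed length."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO or len(option) != option[1] + 2:
        raise ValueError("malformed option 82 header")
    body, pos, parsed = option[2:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated suboption header")
        sub, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated suboption {sub}")
        pos += 2 + length
        if sub not in (SUB_CIRCUIT_ID, SUB_REMOTE_ID):
            parsed[f"suboption_{sub}"] = value.hex()   # other suboptions kept raw
            continue
        # Catalyst layout inside suboptions 1 and 2: inner type octet, inner length octet, value.
        if length < 2 or value[1] != length - 2:
            raise ValueError(f"bad inner length in suboption {sub}")
        kind, payload = value[0], value[2:]
        key = "circuit_id" if sub == SUB_CIRCUIT_ID else "remote_id"
        if sub == SUB_CIRCUIT_ID and kind == TYPE_DEFAULT and len(payload) == 4:
            parsed[key] = {"vlan": int.from_bytes(payload[:2], "big"),
                           "module": payload[2], "port": payload[3]}
        elif sub == SUB_REMOTE_ID and kind == TYPE_DEFAULT and len(payload) == 6:
            parsed[key] = payload.hex(":")
        elif kind == TYPE_STRING:
            parsed[key] = payload.decode("ascii", errors="replace")
        else:
            parsed[key] = value.hex()
    return parsed


def accept_relay_info(has_option82, port_trusted, allow_untrusted=False):
    """DHCP snooping ingress rule: option 82 on an untrusted port is dropped by default."""
    if has_option82 and not port_trusted and not allow_untrusted:
        return "drop"
    return "forward"
```

The strict length checks are deliberate: a relay option whose inner length disagrees with the suboption length is the kind of malformed input an edge device can inject, and dropping it is safer than guessing which octet was meant.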
To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.
VLANs, on which DHCP snooping is enabled.
Enabling the Cisco IOS DHCP Server Database
For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.
These sections contain this information:
• Source IP Address Filtering, page 24-17
• Source IP and MAC Address Filtering, page 24-17
• IP Source Guard for Static Hosts, page 24-17
In a stacked environment, when the master failover occurs, the IP source guard entries for static hosts attached to member ports are retained. When you enter the show ip device tracking all EXEC command, the IP device tracking table displays the entries as ACTIVE.
VLANs, the source IP address filter is applied on all the VLANs.
Note: If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.
The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.
Step 4  exit  Return to global configuration mode.
IP device tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface. This requirement also applies to IPSG with static hosts on a private VLAN host port.
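The two filtering modes introduced above differ only in what the switch compares against the binding table: the source IP alone (ip verify source) or the source IP and MAC together (ip verify source port-security). The Python below is an added example, not the guide's or Cisco's code, that applies that comparison to constructed sample traffic using a constructed binding table in the shape show ip source binding reports (IP, MAC, VLAN, interface), including a static entry of the kind ip source binding creates for a non-DHCP host. A port with IPSG enabled but no matching binding forwards nothing, which is the "deny until bound" behaviour the static-host section above relies on. The class, its method names and the port names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceBinding:
    """One entry of the binding table IPSG consults (DHCP snooping learned or static)."""
    ip: str
    mac: str
    vlan: int
    interface: str


class IpSourceGuard:
    """Per-port source filter fed from the DHCP snooping / static binding table."""

    MODE_IP = "ip"            # ip verify source
    MODE_IP_MAC = "ip-mac"    # ip verify source port-security

    def __init__(self, bindings):
        # MACs are normalised to lower case so 00:1B:... and 00:1b:... compare equal.
        self.bindings = {SourceBinding(b.ip, b.mac.lower(), b.vlan, b.interface) for b in bindings}
        self.ports = {}       # interface -> filter mode; absent means IPSG is not enabled there

    def enable(self, interface, mode=MODE_IP):
        if mode not in (self.MODE_IP, self.MODE_IP_MAC):
            raise ValueError(f"unknown IPSG mode {mode!r}")
        self.ports[interface] = mode

    def add_static_host(self, ip, mac, vlan, interface):
        """Equivalent of 'ip source binding mac vlan ip interface' for a host without DHCP."""
        self.bindings.add(SourceBinding(ip, mac.lower(), vlan, interface))

    def permits(self, interface, vlan, src_ip, src_mac):
        """Return True if an IP packet with this source is forwarded from the port."""
        mode = self.ports.get(interface)
        if mode is None:
            return True   # not an IPSG port: no source check at all
        for b in self.bindings:
            if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
                continue   # bindings are tied to a port and a VLAN, not just an address
            if mode == self.MODE_IP or b.mac == src_mac.lower():
                return True
        return False      # no matching binding: spoofed, moved, or not yet bound


if __name__ == "__main__":
    # Constructed binding table: one DHCP-learned host on Gi1/0/3 in VLAN 10.
    guard = IpSourceGuard([SourceBinding("10.1.1.7", "00:1b:2c:3d:4e:5f", 10, "Gi1/0/3")])
    guard.enable("Gi1/0/3")
    guard.enable("Gi1/0/4", IpSourceGuard.MODE_IP_MAC)
    guard.add_static_host("10.1.1.50", "00:11:22:33:44:55", 10, "Gi1/0/4")
    print("bound host:", guard.permits("Gi1/0/3", 10, "10.1.1.7", "00:1b:2c:3d:4e:5f"))
    print("spoofed IP:", guard.permits("Gi1/0/3", 10, "10.1.1.1", "00:1b:2c:3d:4e:5f"))
    print("spoofed MAC, ip mode:", guard.permits("Gi1/0/3", 10, "10.1.1.7", "de:ad:be:ef:00:01"))
    print("spoofed MAC, ip-mac mode:", guard.permits("Gi1/0/4", 10, "10.1.1.50", "de:ad:be:ef:00:01"))
```

The third and fourth lines of output are the practical argument for the port-security form: with the IP-only filter a host that has learned a neighbour's address can still send with a forged MAC, and only the IP+MAC mode ties the address to the hardware that leased it.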
• IP or MAC binding entries
This example shows how to stop IPSG with static hosts on an interface.
Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max
INACTIVE.
Switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
This example displays the count of all IP device tracking host entries for all interfaces:
Switch# show ip device tracking all count
Total IP Device Tracking Host entries: 5
---------------------------------------------------------------------
Interface    Maximum Limit    Number of Entries
---------------------------------------------------------------------
Gi1/0/3
Step 17  show ip device tracking all  Verify the configuration.
Step 18  show ip verify source interface interface-id  Verify the IP source guard configuration. Display IPSG permit ACLs for static hosts.
Commands for Displaying IP Source Guard Information
Command  Purpose
show ip source binding  Display the IP source bindings on a switch.
show ip verify source  Display the IP source guard configuration on the switch.
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
DHCP address pool.
Step 4  address ip-address client-id string [ascii]  Reserve an IP address for a DHCP client identified by the interface name. string—can be an ASCII value or a hexadecimal value.
1 subnet is currently in the pool:
Current index    IP address range           Leased/Excluded/Total
10.1.1.1         10.1.1.1 - 10.1.1.254      / 4 / 254
1 reserved address is currently in the pool
Address     Client
10.1.1.7    Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
Catalyst 3750-X or 3560-X switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
“Configuring ARP ACLs for Non-DHCP Environments” section on page 25-8. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 25-5.
If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
ARP ACLs for non-DHCP environments    No ARP ACLs are defined.
Validation checks    No checks are performed.
30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
This procedure is required.
Command  Purpose
Step 1  show cdp neighbors  Verify the connection between the switches.
Step 2  configure terminal  Enter global configuration mode.
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 25-2 on page 25-3 does not support dynamic ARP inspection or DHCP snooping.
ACL. Packets are permitted only if the access list permits them.
Step 6  interface interface-id  Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
show ip arp inspection log  Displays the configuration and contents of the dynamic ARP inspection log buffer.
For more information about these commands, see the command reference for this release.
Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.
The multicast router (which could be a Catalyst 3750-X switch with the IP services feature set on the stack master) sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.
Table 26-1, that includes the port numbers connected to Host 1 and the router.
Table 26-1 IGMP Snooping Forwarding Table
Destination Address    Type of Packet    Ports
224.1.2.3              IGMP              1, 2
If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.
IGMPv2, and IGMPv3 reports for a group to the multicast devices. If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 26-14.
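Table 26-1 above shows one state of the IGMP snooping forwarding table; the surrounding paragraphs describe how queries, reports and report suppression change that state. The Python below is an added example, not the guide's or Cisco's code, that replays those events for one VLAN: a general query arriving on a port marks it as a multicast-router port, a report adds the reporting port to the group and is forwarded to the router ports only once per query interval while report suppression is on, and a fast-leave prunes the port immediately. The class and method names are assumptions; the port numbers and group address are constructed to reproduce Table 26-1.

```python
class IgmpSnoopingVlan:
    """IGMP snooping state for a single VLAN: router ports plus group -> member ports."""

    def __init__(self, ports, report_suppression=True):
        self.ports = set(ports)               # all switch ports in the VLAN
        self.mrouter_ports = set()            # learned from queries or configured statically
        self.groups = {}                      # group address -> set of member ports
        self.report_suppression = report_suppression
        self._reported = set()                # groups already reported upstream this query interval

    def add_static_mrouter(self, port):
        """ip igmp snooping vlan <id> mrouter interface <port>"""
        self.mrouter_ports.add(port)

    def general_query(self, from_port):
        """A general query marks its ingress port as a router port and opens a new report round.
        Returns the ports the query is flooded to (every other port in the VLAN)."""
        self.mrouter_ports.add(from_port)
        self._reported.clear()
        return sorted(self.ports - {from_port})

    def report(self, port, group):
        """Membership report: learn the member; return the ports the report is forwarded to."""
        self.groups.setdefault(group, set()).add(port)
        if self.report_suppression and group in self._reported:
            return []                         # suppressed: the routers already know the group
        self._reported.add(group)
        return sorted(self.mrouter_ports - {port})

    def leave(self, port, group, fast_leave=False):
        """Leave message: with fast-leave the port is pruned at once (one host per port);
        otherwise the switch sends a group-specific query and prunes only if no report follows."""
        if group not in self.groups:
            return "unknown group"
        if not fast_leave:
            return "group-specific query sent; port kept until no report arrives"
        self.groups[group].discard(port)
        if not self.groups[group]:
            del self.groups[group]
        return "port removed from group"

    def forwarding_ports(self, group):
        """Ports that receive data for the group: members plus router ports.
        A group with no members is flooded to the whole VLAN."""
        if group not in self.groups:
            return sorted(self.ports)
        return sorted(self.groups[group] | self.mrouter_ports)


if __name__ == "__main__":
    vlan = IgmpSnoopingVlan(ports=[1, 2, 3, 4])
    vlan.general_query(from_port=2)                 # the router sits on port 2
    print("report forwarded to:", vlan.report(1, "224.1.2.3"))
    print("Table 26-1 ports:", vlan.forwarding_ports("224.1.2.3"))
    print("second report forwarded to:", vlan.report(3, "224.1.2.3"))
```

Report suppression is what keeps the router from seeing one report per host; the cost, visible in the empty list returned for the second report, is that the router never learns how many receivers sit behind the switch, which is why the guide lets you disable it when that information matters.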
Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector • Multicast Routing Protocol (DVMRP) packets Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global •...
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch. Static connections to multicast routers are supported only on switch ports. Note Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-8 OL-21521-01...
Step 5 copy running-config startup-config To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-9 OL-21521-01...
The actual leave latency in the network is usually the configured leave time. However, the leave time • might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-10 OL-21521-01...
Specify the number of IGMP general queries for which the multicast Step 2 ip igmp snooping tcn flood query count traffic is flooded. The range is 1 to 10. By default, the flooding query count count is 2. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-11 OL-21521-01...
Beginning in privileged EXEC mode, follow these steps to disable multicast flooding on an interface: Command Purpose Enter global configuration mode. Step 1 configure terminal Specify the interface to be configured, and enter interface Step 2 interface interface-id configuration mode. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-12 OL-21521-01...
IP address, the querier tries to use the global IP ip_address address configured for the IGMP querier. The IGMP snooping querier does not generate an IGMP Note general query if it cannot find an IP address on the switch. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-13 OL-21521-01...
IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-14 OL-21521-01...
IGMP snooping. • ip_address—Display characteristics of the multicast group with the • specified group IP address. user—Display only the user-configured multicast entries. • Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-15 OL-21521-01...
VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-16 OL-21521-01...
VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-17 OL-21521-01...
VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-18...
If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-19 OL-21521-01...
(Optional) Save your entries in the configuration file. Step 9 copy running-config startup-config To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-20 OL-21521-01...
Note: This command applies only to receiver ports and should be enabled only on receiver ports to which a single receiver device is connected.
Step 7: Return to privileged EXEC mode.
VLAN ID range is 1 to 1001 and 1006 to 4094. show mvr members [ip-address] Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-22 OL-21521-01...
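The MVR procedure above as one worked configuration: a multicast VLAN carrying a contiguous group range to subscriber ports that sit in ordinary access VLANs. This is an added editor's example, not configuration from the guide; the VLAN numbers, the 239.1.1.0 group range, and the port names are assumed.

```cisco
! Added example (not from the guide): MVR with multicast VLAN 22 delivering
! groups 239.1.1.0-239.1.1.255 to subscriber ports in access VLAN 10.
! VLAN numbers, the group range and port names are assumed.
configure terminal
 ! MVR refuses to enable if ip multicast-routing and a multicast routing
 ! protocol are already on: this is a Layer 2 design, keep it that way.
 mvr
 mvr vlan 22
 ! Register 256 contiguous groups starting at 239.1.1.0
 mvr group 239.1.1.0 256
 ! compatible: receiver IGMP reports are not relayed to the source port, so
 ! the upstream router must already be sending every group; dynamic relays
 ! reports so the router only sends what has been joined
 mvr mode compatible
 mvr querytime 10
 !
 ! Uplink toward the multicast source: a trunk that carries VLAN 22
 interface gigabitethernet1/0/24
  switchport trunk encapsulation dot1q
  switchport mode trunk
  mvr type source
 !
 ! Subscriber port: access port in VLAN 10, receives VLAN 22 streams
 interface gigabitethernet1/0/1
  switchport mode access
  switchport access vlan 10
  mvr type receiver
  ! Static membership for a set-top box that never sends IGMP
  mvr vlan 22 group 239.1.1.5
  ! Immediate Leave only where exactly one receiver hangs off the port
  mvr immediate
end
show mvr
show mvr interface
show mvr members
```

Receiver ports must be access ports; a trunk or a port in VLAN 22 itself cannot be an MVR receiver, and a subscriber's IGMP join in VLAN 10 is what pulls the VLAN 22 stream onto its port.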
Default IGMP Filtering Configuration
Feature                              Default Setting
IGMP filters                         None applied
IGMP maximum number of IGMP groups   No maximum set
IGMP profiles                        None defined
IGMP profile action                  Deny the range addresses
To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-24 OL-21521-01...
To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command. This example shows how to apply IGMP profile 4 to a port: Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip igmp filter 4 Switch(config-if)# end Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-25 OL-21521-01...
• ... EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
• When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
(Optional) Save your entries in the configuration file. Step 6 copy running-config startup-config To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 26-27 OL-21521-01...
show running-config [interface interface-id]: Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
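The profile, filter, and max-groups commands from the preceding steps combined into one port policy. This is an added editor's example, not configuration from the guide; profile 4 here uses an assumed 239.10.0.0 range, an assumed cap of 25 groups, and an assumed port name.

```cisco
! Added example (not from the guide): IGMP profile 4 allows only an assumed
! corporate video range; the port is capped at 25 groups with replace action.
configure terminal
 ip igmp profile 4
  ! The default profile action is deny (the listed ranges are blocked).
  ! permit inverts it: ONLY the listed ranges may be joined on the port.
  permit
  range 239.10.0.0 239.10.255.255
 exit
 !
 ! Apply to a Layer 2 port (or an EtherChannel interface, but never to a
 ! port that is a member of an EtherChannel group)
 interface gigabitethernet1/0/2
  switchport mode access
  ip igmp filter 4
  ! Without a maximum, the action keyword below is a no-op
  ip igmp max-groups 25
  ! replace: a 26th join replaces an existing group instead of being dropped
  ip igmp max-groups action replace
end
show ip igmp profile 4
show running-config interface gigabitethernet1/0/2
```

Use deny (the default action) when the goal is to block a small set of groups and permit everything else; use permit, as above, when the port should reach only a known allow-list.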
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
You can configure port membership removal from addresses based on the number of queries. A port is removed from membership to an address only when there are no reports to the address on the port for the configured number of queries. The default number is 2. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 27-3 OL-21521-01...
MASQs. A port is removed from membership to an address when there are no MLDv1 reports to the address on the port for the configured number of queries. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 27-4...
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-X or 3560-X switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
(add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit Catalyst 3750-X and 3560-X Switch Software Configuration Guide 27-9 OL-21521-01...
Step 11: show ipv6 mld snooping querier [vlan vlan-id]. (Optional) Verify the MLD snooping querier information for the switch or for the VLAN.
Step 12: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 3: Return to privileged EXEC mode.
Step 4: show ipv6 mld snooping. Verify that IPv6 MLD snooping report suppression is disabled.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
• Enter user to display MLD snooping user-configured group information for the switch or for a VLAN.
show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address]: Display MLD snooping for the specified VLAN and IPv6 multicast address.
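The MLD snooping settings discussed in this chapter (static mrouter port, static listener, MASQ count, Immediate Leave, listener message suppression) on one VLAN. This is an added editor's example, not configuration from the guide; the SDM template step, VLAN 130, the FF1E::1:1 group, and the port names are assumed.

```cisco
! Added example (not from the guide): IPv6 MLD snooping on VLAN 130.
! The SDM template step, VLAN number, group address and port names are
! assumed. The dual IPv4/IPv6 SDM template must be active (reload needed)
! before MLD snooping can be turned on.
configure terminal
 sdm prefer dual-ipv4-and-ipv6 default
end
reload
!
configure terminal
 ipv6 mld snooping
 ipv6 mld snooping vlan 130
 ! Static multicast router port: supported on switch ports only
 ipv6 mld snooping vlan 130 mrouter interface gigabitethernet1/0/24
 ! Static listener for a host that never sends an MLD report
 ipv6 mld snooping vlan 130 static FF1E::1:1 interface gigabitethernet1/0/3
 ! MASQ tuning: a port leaves a group after 2 unanswered queries (default),
 ! sent 1000 ms apart
 ipv6 mld snooping last-listener-query-count 2
 ipv6 mld snooping last-listener-query-interval 1000
 ! Immediate Leave only on VLANs with a single listener per port
 ipv6 mld snooping vlan 130 immediate-leave
 ! Listener message suppression is on by default; leave it on
 ipv6 mld snooping listener-message-suppression
end
show ipv6 mld snooping vlan 130
show ipv6 mld snooping mrouter vlan 130
show ipv6 mld snooping querier vlan 130
```

If the upstream querier is a Catalyst 6500 and VLAN 130 were in the extended range (1006 to 4094), MLD snooping would also have to be enabled on that VLAN on the 6500 for queries to reach this switch; for VLAN 130 it is not required.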
This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
• Select the shutdown keyword to error-disable the port during a storm.
• Select the trap keyword to generate an SNMP trap when a storm is detected.
Step 5: Return to privileged EXEC mode.
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
• Default Protected Port Configuration, page 28-6
• Protected Port Configuration Guidelines, page 28-7
• Configuring a Protected Port, page 28-7
Default Protected Port Configuration
The default is to have no protected ports defined.
Note: With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
• Default Port Blocking Configuration, page 28-8
• Blocking Flooded Traffic on an Interface, page 28-8
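Storm control, small-frame detection, port blocking, and a protected port applied together to one access port. This is an added editor's example, not configuration from the guide; the thresholds, recovery interval, VLAN, and port name are assumed.

```cisco
! Added example (not from the guide): an access port hardened against
! broadcast/multicast storms, flooded unknown traffic, and peer-to-peer
! traffic between ports on the same switch. Thresholds and names are assumed.
configure terminal
 ! Bring a storm-control error-disabled port back after 5 minutes
 errdisable recovery cause storm-control
 errdisable recovery interval 300
 ! Tagged frames under 67 bytes do not count toward storm control, so
 ! detect a small-frame flood separately
 errdisable detect cause small-frame
 errdisable recovery cause small-frame
 !
 interface gigabitethernet1/0/5
  switchport mode access
  switchport access vlan 10
  ! Broadcast: suppress above 10% of bandwidth, resume when below 5%
  storm-control broadcast level 10.00 5.00
  ! Multicast in packets per second. BPDU and CDP still pass, but OSPF
  ! hellos do NOT, so never apply this to a port facing a router.
  storm-control multicast level pps 2k 1k
  ! Unknown unicast in bits per second
  storm-control unicast level bps 10m 8m
  ! Default action only filters; also error-disable the port and send a trap
  storm-control action shutdown
  storm-control action trap
  ! Small-frame error-disable threshold, packets per second
  small-frame violation-rate 10000
  ! Do not forward unknown-unicast / unknown-multicast floods out this port
  switchport block unicast
  switchport block multicast
  ! Protected port: no Layer 2 traffic to other protected ports on this
  ! switch or stack (traffic to protected ports on other switches is not
  ! affected; a Layer 3 hop between two protected ports still works)
  switchport protected
end
show storm-control gigabitethernet1/0/5
show interfaces gigabitethernet1/0/5 switchport
```

Port blocking and protected ports are Layer 2 controls only: multicast that carries IPv4 or IPv6 headers is still forwarded, and two protected ports can still talk through the switch's own SVI, so they do not replace an ACL.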
MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 28-8...
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 28-9 OL-21521-01...
• ... In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.
Table 28-1 shows the violation mode and the actions taken when you configure an interface for port security.
• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 28-14 OL-21521-01...
VLAN.
Step 11: Return to privileged EXEC mode.
Step 12: show port-security. Verify your entries.
Step 13: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 4: Return to privileged EXEC mode.
Step 5: show port-security [interface interface-id] [address]. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 5: Return to privileged EXEC mode.
Step 6: show port-security [interface interface-id] [address]. Verify your entries.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
show port-security interface interface-id vlan: Displays the number of secure MAC addresses configured per VLAN on the specified interface.
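The port security procedures above as two complete port policies: a phone-plus-PC port using the per-VLAN maximums and sticky learning, and a single fixed-host port. This is an added editor's example, not configuration from the guide; the VLAN numbers, the 0011.2233.4455 address, aging values, and port names are assumed.

```cisco
! Added example (not from the guide): port security on a phone+PC port and
! on a single-host port, with errdisable recovery. VLANs and names assumed.
configure terminal
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
 !
 ! Phone + one PC: one address on the voice VLAN, one on the access VLAN
 interface gigabitethernet1/0/10
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20
  switchport port-security
  switchport port-security maximum 2
  switchport port-security maximum 1 vlan access
  switchport port-security maximum 1 vlan voice
  ! restrict: drop offending frames, count them, send a trap; port stays up.
  ! "violation shutdown vlan" would instead error-disable only the VLAN
  ! on which the violation occurred.
  switchport port-security violation restrict
  ! Learn dynamically, but keep learned addresses as sticky entries
  switchport port-security mac-address sticky
  ! Age out idle addresses so a swapped PC does not need a manual clear
  switchport port-security aging type inactivity
  switchport port-security aging time 10
 !
 ! Single host, fixed address: nothing else may ever talk on this port
 interface gigabitethernet1/0/11
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address 0011.2233.4455
  ! shutdown (the default): error-disable the whole port on a violation
  switchport port-security violation shutdown
end
! Sticky addresses exist only in the running config until saved; after a
! reload without a save they are relearned from whatever is plugged in
copy running-config startup-config
show port-security
show port-security interface gigabitethernet1/0/10
show port-security interface gigabitethernet1/0/10 address
show port-security interface gigabitethernet1/0/10 vlan
```

The save step is the security-relevant one with sticky learning: an unsaved sticky table is rebuilt after a reboot from the first frames seen, which is exactly the window an attacker with physical access would use.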
Understanding CDP
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
Step 3: cdp holdtime seconds. (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.
29-5.
Disabling and Enabling CDP
CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
Step 5 copy running-config startup-config This example shows how to enable CDP on a port when it has been disabled. Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# cdp enable Switch(config-if)# end Catalyst 3750-X and 3560-X Switch Software Configuration Guide 29-4 OL-21521-01...
You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
show cdp traffic: Display CDP counters, including the number of packets sent and received and checksum errors.
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 30-2 OL-21521-01...
The switch uses the location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 30-4 OL-21521-01...
• You cannot configure static secure MAC addresses on an interface that has a network-policy profile.
• You cannot configure a network-policy profile on a private-VLAN port.
• For wired location to function, you must first enter the ip device tracking global configuration command.
Step 2: lldp holdtime seconds. (Optional) Specify the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.
Step 5: interface interface-id. Specify the interface on which you are configuring a network-policy profile, and enter interface configuration mode.
Step 6: network-policy profile number. Specify the network-policy profile number.
• ... format.
Step 3: exit. Return to global configuration mode.
Step 4: interface interface-id. Specify the interface on which you are configuring the location information, and enter interface configuration mode.
30.
Step 4: Return to privileged EXEC mode.
Step 5: show network-policy profile. Verify the configuration.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
TLVs.
show location: Display the location information for an endpoint.
show network-policy profile: Display the configured network-policy profiles.
show nmsp: Display the NMSP information.
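CDP and LLDP/LLDP-MED from the two preceding chapters scoped to the ports that need them: phone ports keep discovery and a voice network policy, while a plain user port and an untrusted uplink advertise nothing. This is an added editor's example, not configuration from the guide; the timers, VLAN numbers, profile number, and port names are assumed.

```cisco
! Added example (not from the guide): CDP/LLDP only where they are needed.
! Timers, VLANs, the profile number and port names are assumed.
configure terminal
 ! Defaults: CDP on, LLDP off. Turn LLDP on globally, then prune per port.
 cdp run
 cdp timer 60
 cdp holdtime 180
 lldp run
 lldp timer 30
 lldp holdtime 120
 !
 ! LLDP-MED network policy: tells phones which VLAN and CoS to tag with
 network-policy profile 1
  voice vlan 20 cos 5
  voice-signaling vlan 20 cos 3
 exit
 !
 ! Phone port: CDP plus LLDP-MED with the voice policy (both are used for
 ! voice VLAN assignment and PoE negotiation, so keep them here)
 interface gigabitethernet1/0/10
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20
  cdp enable
  lldp transmit
  lldp receive
  lldp med-tlv-select network-policy
  network-policy 1
 !
 ! Plain user port: do not hand out platform, IOS version or management
 ! address to whatever is plugged in
 interface gigabitethernet1/0/11
  switchport mode access
  switchport access vlan 10
  no cdp enable
  no lldp transmit
  no lldp receive
 !
 ! Uplink to another organization's equipment: same treatment
 interface gigabitethernet1/0/24
  no cdp enable
  no lldp transmit
  no lldp receive
end
show cdp neighbors detail
show lldp neighbors detail
show network-policy profile
```

Keep in mind the guide's own caveat: if the switch is part of a cluster, disabling CDP on the ports between cluster members breaks cluster discovery, so prune only edge and external ports.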
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 31-2...
If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 31-5 OL-21521-01...
• The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 31-7 OL-21521-01...
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
[Figure: Example of Local SPAN Configuration on a Single Switch. Traffic on port 5 is mirrored to port 10, where a network analyzer is attached.]
RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-3 OL-21521-01...
SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN data, which is directed to the destination port. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-4 OL-21521-01...
– An RSPAN destination session cannot have a local source port.
– An RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch or switch stack.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
• VLAN filtering applies only to trunk ports or to voice VLAN ports.
• VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
• The maximum number of destination ports in a switch or switch stack is 64.
• CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.
• VTP—You can use VTP to prune an RSPAN VLAN between switches.
For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.” Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-10 OL-21521-01...
IPv4 and MAC FSPAN ACLs are supported on all feature sets. IPv6 FSPAN ACLs are supported only in the advanced IP services feature set. For information on configuring the switch for FSPAN and FRSPAN, see the “Configuring FSPAN and FRSPAN” section on page 32-24. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-11 OL-21521-01...
• Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.
... This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-14 OL-21521-01...
VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
(Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
• ... RSPAN VLANs; do not assign access ports to these VLANs.
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
(Optional) Save the configuration in the configuration file. Step 5 copy running-config startup-config To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-18 OL-21521-01...
For session_number, enter the number defined in Step 3. For vlan-id, specify the source RSPAN VLAN to monitor.
Step 5: Return to privileged EXEC mode.
(Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
| remote}. For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions (local and remote), local to remove all local sessions, or remote to remove all remote SPAN sessions.
RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
VLAN 6 as the default receiving VLAN. Switch(config)# monitor session 2 source remote vlan 901 Switch(config)# monitor session 2 destination interface gigabitethernet0/2 ingress vlan 6 Switch(config)# end Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-23 OL-21521-01...
• Port-based FSPAN sessions can be configured on a stack that includes Catalyst 3750 or Catalyst 3750-E switches as long as the session only includes Catalyst 3750-X ports as source ports. If the session has any Catalyst 3750 or Catalyst 3750-E ports as source ports, the FSPAN ACL command is rejected.
... This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
| remote}. For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions (local and remote), local to remove all local sessions, or remote to remove all remote SPAN sessions.
Return to privileged EXEC mode.
Step 9: show monitor [session session_number]. Verify the configuration.
Step 10: show running-config. Verify the configuration.
Step 11: copy running-config startup-config. (Optional) Save the configuration in the configuration file.
To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 32-28 OL-21521-01...
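The RSPAN and FSPAN procedures of this chapter carried through end to end: two source switches feeding one RSPAN VLAN, a destination switch delivering it to an IDS sensor that can inject traffic back, and a local session filtered by an ACL. This is an added editor's example, not configuration from the guide; VLAN 901, VLAN 6, ACL 101, the session numbers, and the port names are assumed.

```cisco
! Added example (not from the guide): RSPAN from two source switches to an
! IDS sensor on a third switch, plus a filtered local session (FSPAN).
! VLAN 901, VLAN 6, ACL 101, session numbers and port names are assumed.
!
! --- All three switches: the RSPAN VLAN must exist, be marked remote-span,
!     and be carried on the trunks between them. Never put access ports
!     in it; VTP may prune it where it is not needed.
configure terminal
 vlan 901
  name RSPAN-to-IDS
  remote-span
 exit
end
!
! --- Source switch A: mirror a server port (both directions) into VLAN 901
configure terminal
 no monitor session 1
 monitor session 1 source interface gigabitethernet1/0/1 both
 monitor session 1 destination remote vlan 901
end
!
! --- Source switch B: mirror only received traffic on a VLAN range
!     (hyphen and commas need a space on each side)
configure terminal
 no monitor session 1
 monitor session 1 source vlan 10 - 12 rx
 monitor session 1 destination remote vlan 901
end
!
! --- Destination switch C: deliver VLAN 901 to the sensor port and accept
!     untagged frames from the sensor (TCP resets) into VLAN 6. This port
!     stops participating in CDP/STP while the session is active.
configure terminal
 no monitor session 2
 monitor session 2 source remote vlan 901
 monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
end
!
! --- Local FSPAN on switch A: mirror only SMB traffic from the file server
configure terminal
 access-list 101 permit tcp any any eq 445
 access-list 101 permit tcp any eq 445 any
 no monitor session 3
 monitor session 3 source interface gigabitethernet1/0/3 both
 monitor session 3 filter ip access-group 101
 monitor session 3 destination interface gigabitethernet1/0/4
end
show monitor
show monitor session 3
```

Two checks worth running after this: that the same RSPAN VLAN is not used by both a source and a destination session on one switch or stack (the guide forbids it), and that the source port of the FSPAN session is a 3750-X port if the stack mixes in older 3750 or 3750-E members, otherwise the filter command is rejected.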
Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
• (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
• (Optional) For owner string, specify the owner of the alarm.
This example also generates an SNMP trap when the event is triggered. Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones Catalyst 3750-X and 3560-X Switch Software Configuration Guide 33-4 OL-21521-01...
This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface on which to collect statistics, and enter interface configuration mode.
Displays the RMON statistics table. show rmon statistics For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 33-6...
Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-2 OL-21521-01...
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2) Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-3 OL-21521-01...
To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 34-12. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-5 OL-21521-01...
Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-6 OL-21521-01...
(Optional) Save your entries in the configuration file. Step 6 copy running-config startup-config To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-7 OL-21521-01...
Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: service sequence-numbers. Enable sequence numbers.
Step 3: Return to privileged EXEC mode.
To disable logging to syslog servers, use the no logging trap global configuration command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 34-9 OL-21521-01...
By default, one message of the level warning and of each numerically lower level (see Table 34-3 on page 34-10) is stored in the history table even if syslog traps are not enabled.
[end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.
Displaying the Logging Configuration
To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events. On the Catalyst 3750-X switch, the stack master handles the SNMP requests and traps for the whole switch stack. The stack master transparently manages any requests or traps that are related to all stack members.
A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
2. The get-bulk command only works with SNMPv2 or later.
(@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches,” and Getting Started with Cisco Network Assistant, available on Cisco.com.
Using SNMP to Access MIB Variables
An example of an NMS is the CiscoWorks network management software.
The switch uses one of the values in Table 35-3 to assign an ifIndex value to an interface:
Table 35-3 ifIndex Values
Interface Type: ifIndex Range
1–4999
EtherChannel: 5000–5012
Loopback: 5013–5077
If no type is specified, all notifications are sent.
1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
MIB objects. By default, the community string permits read-only access to all objects.
• (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
64 characters) that is the name of the view in which you specify a notify, inform, or trap.
• (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user EXEC command.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax. Unless there is an option in the command to select either traps or informs, the keyword traps refers to traps, informs, or both.
You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 35-5.
Avoid using the @ symbol as part of the SNMP community string when configuring this command.
• (Optional) For notification-type, use the keywords listed in Table 35-5 on page 35-12. If no type is specified, all notifications are sent.
To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
Dial System Operator at beeper 21555.
Step 3: snmp-server location text. Set the system location string. For example: snmp-server location Building 3/Room 222
Step 4: Return to privileged EXEC mode.
Step 4: Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public...
EXEC command. You also can use the other privileged EXEC commands in Table 35-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference.
Table 35-6 Commands for Displaying SNMP Information
Feature: Default Setting
Displays SNMP statistics.
An EEM policy defines an event and the actions to be taken when that event occurs. This chapter tells how to use EEM and how to configure it on a Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a standalone switch or a Catalyst 3750-X switch stack.
[Figure labels: EEM APPLET, EEM SCRIPT]
See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment.
• Event Detectors, page 36-3
• Embedded Event Manager Actions, page 36-4
• Embedded Event Manager Policies, page 36-4
• Counter event detector—Publishes an event when a named counter crosses a specified threshold.
• Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50 an event would be...
• Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when one of these events occurs:
– CPU utilization for a Cisco IOS process crosses a threshold.
– Memory utilization for a Cisco IOS process crosses a threshold.
• Cisco built-in variables (available in EEM applets): Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
• Registering and Defining an Embedded Event Manager TCL Script, page 36-7
For complete information about configuring Embedded Event Manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. To configure EEM, you must have the IP services feature set installed on the switch.
This example shows the sample output for the show event manager environment command:
Switch# show event manager environment all
Name Value
_cron_entry 0-59/2 0-23/1 * * 0-6
_show_cmd show ver
_syslog_pattern .*UPDOWN.*Ethernet1/0.*
Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6
This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 3750-X or 3560-X switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch...
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound). For more information, see the “Router ACLs” section on page 37-4.
Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
The switch supports these access lists for IPv4 traffic:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.
The stack master performs these ACL functions:
• It processes the ACL configuration and propagates the information to all stack members.
• It distributes the ACL information to any switch that joins the stack.
ACL information to all switches in the stack.
Configuring IPv4 ACLs
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
AppleTalk access list
700–799: 48-bit MAC address access list
800–899: IPX standard access list
900–999: IPX extended access list
1000–1099: IPX SAP access list
1100–1199: Extended 48-bit MAC address access list
IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
10 deny 171.69.198.102
20 permit any
For more details on the specific keywords for each protocol, see these command references:
• Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
• Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
• ...
DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. (Optional) Define an extended IGMP access list and the access conditions.
Note: The ACL must be an extended named ACL.
– match input-interface interface-id-list
– match ip dscp dscp-list
– match ip precedence ip-precedence-list
You cannot enter the match access-group acl-index command.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
Note: The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 7-1.
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)
For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 37-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 37-31.
These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Note that with extended ACLs, you must enter the protocol (IP) before the source and destination information.
Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
Switch(config)# end
Switch# show access-lists
Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
0.0.0.255 and denies all UDP packets.
Switch(config)# ip access-list extended ext1
Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
Switch(config-ext-nacl)# deny udp any any log
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip access-group ext1 in
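The first-match and wildcard-mask semantics that the numbered and named ACL examples above rely on, and the undefined-ACL behaviour noted earlier in this chapter, as an added Python model (not Cisco code): it parses ACEs in the syntax shown, matches addresses with Cisco wildcard masks (a 1 bit means "don't care"), applies the implicit deny that ends every defined ACL, and treats an applied-but-undefined ACL as permit-all. The protocol keyword set and the packet tuples used for testing are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
# Protocol keywords this model recognizes in extended ACEs (assumed subset).
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp", "gre", "esp", "ahp"}


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every IPv4 protocol; anything else must match exactly
    src: int
    src_wild: int    # Cisco wildcard: 1 bit = don't care, 0 bit = must match
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | bare 'A.B.C.D' at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    addr = _ip(tokens[i])
    # A wildcard follows only if the next token looks like an address; a bare
    # address in a standard ACL (e.g. "permit 171.69.2.88") means a single host.
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return addr, _ip(tokens[i + 1]), i + 2
    return addr, 0, i + 1


def parse_ace(text: str) -> Optional[Ace]:
    """Parse one ACE as typed after 'access-list N' or inside a named ACL.
    'remark' lines yield None; trailing keywords such as 'log' are ignored."""
    tokens = text.split()
    if tokens[0] == "remark":
        return None
    action, i, protocol = tokens[0], 1, "ip"
    if tokens[i] in PROTOCOLS:
        # Extended ACE: protocol, then source, then destination.
        protocol = tokens[i]
        i += 1
        src, src_wild, i = _parse_addr(tokens, i)
        dst, dst_wild, i = _parse_addr(tokens, i)
    else:
        # Standard ACE: source only; the destination is implicitly any.
        src, src_wild, i = _parse_addr(tokens, i)
        dst, dst_wild = 0, ALL_ONES
    return Ace(action, protocol, src, src_wild, dst, dst_wild)


def build_acl(lines: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def _matches(value: int, addr: int, wild: int) -> bool:
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    return (value ^ addr) & (~wild & ALL_ONES) == 0


def evaluate(acl: Optional[List[Ace]], protocol: str, src: str, dst: str) -> str:
    """First matching ACE decides. A defined ACL with no match ends in the implicit deny;
    acl=None models an ACL that is applied but never defined, which the switch treats as permit-all."""
    if acl is None:
        return "permit"
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.protocol not in ("ip", protocol):
            continue
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# ACEs taken from the configuration examples in this chapter.
ACL_2 = build_acl(["deny host 171.69.198.102", "permit any"])
ACL_106 = build_acl(["permit ip any 172.20.128.64 0.0.0.31"])
EXT1 = build_acl(["permit icmp any 10.1.1.0 0.0.0.255 log", "deny udp any any log"])

if __name__ == "__main__":
    # Constructed packets: the TCP packet to 10.1.1.5 is dropped by the implicit deny,
    # not by the explicit UDP entry.
    for proto in ("icmp", "udp", "tcp"):
        print(proto, evaluate(EXT1, proto, "192.0.2.1", "10.1.1.5"))
```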
Note: Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any
ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map.
Entering this command changes to access-map configuration mode.
Step 3: action {drop | forward}. (Optional) Set the action for the map entry. The default is to forward.
ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward
Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A.
(see Figure 37-5):
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses.
Figure 37-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
(numbered or named).
show ip access-lists [number | name]: Display the contents of all current IP access lists or a specific IP access list (numbered or named).
Show information about all VLAN access maps or the specified access map.
show vlan filter [access-map name | vlan vlan-id]: Show information about all VLAN filters or about a specified VLAN or VLAN access map.
This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
• The same statistics supported in IPv4 are supported for IPv6 ACLs.
• If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• The switch does not support matching on these keywords: flowlabel, routing header, and...
• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
• If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
and code names, use the ? key or see the command reference for this release.
[dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
Step 4: Return to privileged EXEC mode.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# no switchport...
It sends the packets without any assurance of reliability, delay bounds, or throughput. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
You must reload the switch after configuring the dual IPv4 and IPv6 templates. For more information, see Chapter 8, “Configuring SDM Templates.” IPv6 QoS is not supported on switches running the LAN base feature set.
Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.
• Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
Note: IPv6 QoS is not supported on switches running the LAN base feature set.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). You can also classify IP traffic based on IPv6 ACLs.
Note: IPv6 ACLs are not supported on switches running the LAN base feature set.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded.
“Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 39-60, and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 39-67.
• A nonhierarchical policy map on a physical port.
• The interface level of a hierarchical policy map attached to an SVI. The physical ports are specified in this secondary policy map.
SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map.
[Flowchart: Verify the out-of-profile action configured for this policer. Pass through; Drop (drop packet); Mark (modify DSCP according to the policed-DSCP map, generate a new QoS label); Done.]
Scheduling on Ingress Queues” section on page 39-16. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 39-19.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 39-6 and Figure 39-7.
Figure 39-6 Ingress and Egress Queue Location on Catalyst 3750-X Switches
[Figure labels: Policer, Marker, Egress queues, Stack ring]...
Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues.
Queueing and Scheduling on Ingress Queues
Figure 39-9 and Figure 39-10 show the queueing and scheduling flowcharts for ingress ports.
Figure 39-9 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750-X Switches
[Flowchart: Start; Read QoS label (DSCP or CoS value); Determine ingress queue number, buffer allocation, and WTD thresholds.]
You can configure the bandwidth required for this traffic as a percentage of the total traffic or total stack traffic on Catalyst 3750-X switches by using the mls qos srr-queue input priority-queue global configuration command. The expedite queue has guaranteed bandwidth.
DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the “Configuring Ingress Queue Characteristics” section on page 39-75.
Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Figure 39-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-X Switches
[Flowchart: Start; Receive packet from the stack ring.]
(under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free...
You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command.
For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Note: IPv6 Auto-QoS is not supported on switches running the LAN base feature set.
You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to...
DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The...
DSCP value received in the packet on a routed port by using the mls qos trust dscp command. If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
Switch(config-if)# mls qos trust device cisco-phone
Auto-QoS Configuration Guidelines
Before configuring auto-QoS, you should be aware of this information:
• Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports.
• Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
• By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP.
• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 39-14. For optimum QoS performance, enable auto-QoS on all the devices in the network.
Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Step 6 exit Return to global configuration mode.
Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone.
Step 7 Specify the switch port identified as connected to a trusted switch or router, and...
• ... (optional, unless you need to use the DSCP-to-DSCP-mutation map or the policed-DSCP map)
• Configuring Ingress Queue Characteristics, page 39-75 (optional)
• Configuring Egress Queue Characteristics, page 39-79 (optional)
Whenever possible, you should minimize the number of lines in a QoS ACL.
IPv6 QoS ACL Guidelines
Understanding IPv6 ACLs, page 38-2.
Note IPv6 QoS ACLs are not supported on switches running the LAN base feature set.
Note IPv6 QoS is not supported on switches running the LAN base feature set.
You can enable IPv6 QoS on a switch or a switch stack. If the stack includes only Catalyst 3750-X and Catalyst 3750-E switches, the QoS configuration applies to all traffic. These are the guidelines for IPv6 QoS in a stack that includes one or more Catalyst 3750 switches:
• Any switch can be the stack master.
• QoS policies that include IPv6-specific classification (such as an IPv6 ACL or the match protocol ipv6 command) are supported on Catalyst 3750-X and Catalyst 3750-E interfaces and on any SVI when a Catalyst 3750-X or Catalyst 3750-E switch is part of the stack.
By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, you can enable VLAN-based QoS on a switch port.
QoS domain. Figure 39-15 shows a sample network topology.
Figure 39-15 Port Trusted States within the QoS Domain (trusted interface, trunk, trusted boundary; traffic classification performed at the trusted boundary)
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
Configuring QoS Configuring Standard QoS
In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
Figure 39-16 DSCP-Trusted State on a Port Bordering Another QoS Domain (IP traffic between QoS Domain 1 and QoS Domain 2; set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map)
Note When you create an access list, remember that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 3 Return to privileged EXEC mode.
Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 2 ipv6 access-list access-list-name Create an IPv6 ACL, and enter IPv6 access-list configuration mode. Access list names cannot contain a space or quotation mark or begin with a numeric.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To delete an access list, use the no ipv6 access-list access-list-number global configuration command.
Step 5 ... access-list-name]
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To delete an access list, use the no mac access-list extended access-list-name global configuration command.
You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see Cisco IOS Quality of Service Solutions Command Reference.
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
• For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
Step 5 Return to privileged EXEC mode.
Switch(config-pmap)# class cm-1
Switch(config-pmap-c)# set dscp 4
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-2
Switch(config-pmap-c)# set dscp 6
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface G0/1
Switch(config-if)# switchport mode access
Switch(config-if)# service-policy input pm1
Using Hierarchical Policy Maps” section on page 39-60.
• A policy-map and a port trust state can both run on a physical interface. The policy-map is applied before the port trust state.
By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 39-72.
Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps:
• Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical...
– When the switch stack divides into two or more switch stacks, the stack master in each switch stack re-enables and reconfigures these features on all applicable interfaces on the stack members, including the stack master.
• For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map.
Step 9 exit Return to class-map configuration mode.
Step 10 exit Return to global configuration mode.
By default, no policy-map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
Step 21 exit
Step 22 exit Return to global configuration mode.
Step 23 interface interface-id Specify the SVI to which to attach the hierarchical policy map, and enter interface configuration mode.
However, you cannot use the aggregate policer across different policy maps or ports. You can configure aggregate policers only in nonhierarchical policy maps on physical ports.
Valid interfaces include physical ports.
Step 9 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
• Configuring the DSCP-to-DSCP-Mutation Map, page 39-74 (optional, unless the null settings in the map are not appropriate)
All the maps, except the DSCP-to-DSCP-mutation map, are globally defined and are applied to all ports.
DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an original DSCP value of 53 corresponds to a marked-down DSCP value of 0.
Step 6 Return to privileged EXEC mode.
Step 7 show mls qos maps dscp-mutation Verify your entries.
Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
• Does the bandwidth of the port need to be rate limited?
• How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1.
Step 6 Return to privileged EXEC mode.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of egress queues and if these settings do not meet your QoS solution.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent.
Step 4 Return to privileged EXEC mode.
The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
show running-config | include rewrite Display the DSCP transparency setting.
Note This chapter also describes how to configure link-state tracking. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Layer 3 mode by using the no switchport interface configuration command. For more information, see Chapter 13, “Configuring Interface Characteristics.”
Note Layer 3 EtherChannels are not supported on switches running the LAN base feature set.
EtherChannel are blocked from returning on any other link of the EtherChannel.
Figure 40-2 Single-Switch EtherChannel (switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections; channel group 1 and channel group 2 connect the stack to Switch A)
Figure 40-4. Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
Layer 2 EtherChannel as a trunk.
Port Aggregation Protocol
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
If the VSL between two switches fails, one switch does not know the status of the other. Both switches could change to the active mode, causing a dual-active situation in the network with duplicate configurations (including duplicate IP addresses and bridge identifiers). The network might go down.
PAgP Interaction with Other Features
The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
Therefore, to provide load-balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load-balancing.
LACP system-id can change. If the LACP system-id changes, the entire EtherChannel will flap, and there will be an STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover.
32768.
LACP system ID: LACP system priority and the switch or stack MAC address.
Load-balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.
Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
Step 3 ... configure them as trunks.
switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
Note To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
Step 3 no ip address Ensure that there is no IP address assigned to the physical port.
Step 4 no switchport Put the port into Layer 3 mode.
“LACP Modes” section on page 40-7.
Step 6 Return to privileged EXEC mode.
Step 7 show running-config Verify your entries.
Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
• ... source-and-destination host-MAC address.
• src-ip—Load distribution is based on the source-host IP address.
• src-mac—Load distribution is based on the source-MAC address of the incoming packet.
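The effect of the load-distribution method described above, as an added example that is not Cisco's code: a small Python model of a four-link channel using an illustrative XOR-fold hash (an assumption; the page does not describe the switch's real link-selection hash) over constructed traffic between 16 hosts and one router. It shows why dst-mac pins every host-to-router flow to a single link while src-mac spreads them, and why the reverse direction has the opposite problem.

```python
"""Model of EtherChannel load distribution by header fields.

Added example, not Cisco's code. The XOR-fold hash stands in for the
switch's real link-selection hash (not described on the page); the traffic
below is constructed sample data.
"""
import ipaddress
from collections import Counter

MEMBER_LINKS = 4  # physical links in the channel (assumed)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _ip_bytes(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


def hash_fields(method: str, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str) -> bytes:
    """Header fields the configured port-channel load-balance method hashes."""
    table = {
        "src-mac": [_mac_bytes(src_mac)],
        "dst-mac": [_mac_bytes(dst_mac)],
        "src-dst-mac": [_mac_bytes(src_mac), _mac_bytes(dst_mac)],
        "src-ip": [_ip_bytes(src_ip)],
        "dst-ip": [_ip_bytes(dst_ip)],
        "src-dst-ip": [_ip_bytes(src_ip), _ip_bytes(dst_ip)],
    }
    return b"".join(table[method])


def select_link(method: str, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, links: int = MEMBER_LINKS) -> int:
    """Deterministic link index: the same flow always lands on the same link."""
    fold = 0
    for b in hash_fields(method, src_mac, dst_mac, src_ip, dst_ip):
        fold ^= b  # illustrative XOR fold, not the real hardware hash
    return fold % links


def link_usage(method: str, flows, links: int = MEMBER_LINKS) -> Counter:
    """Map link index -> number of flows carried on it under `method`."""
    usage = Counter()
    for src_mac, dst_mac, src_ip, dst_ip in flows:
        usage[select_link(method, src_mac, dst_mac, src_ip, dst_ip, links)] += 1
    return usage


# Constructed sample: 16 hosts behind the access switch all talk to one router.
ROUTER_MAC, ROUTER_IP = "00:11:22:33:44:55", "10.0.0.1"
HOSTS_TO_ROUTER = [
    (f"02:00:00:00:00:{n:02x}", ROUTER_MAC, f"10.0.0.{n}", ROUTER_IP)
    for n in range(10, 26)
]
# Return traffic: one source (the router) to the same 16 hosts.
ROUTER_TO_HOSTS = [(d, s, dip, sip) for s, d, sip, dip in HOSTS_TO_ROUTER]

if __name__ == "__main__":
    for name, flows in (("hosts->router", HOSTS_TO_ROUTER),
                        ("router->hosts", ROUTER_TO_HOSTS)):
        for method in ("src-mac", "dst-mac", "src-dst-mac", "src-ip"):
            used = dict(sorted(link_usage(method, flows).items()))
            print(f"{name:14} {method:12} flows per link: {used}")
```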
Catalyst 1900 switch. When the link partner of the Catalyst 3750-X or 3560-X switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 3750-X or 3560-X switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
[channel-group-number] {counters | internal | neighbor} Displays PAgP information such as traffic information, the internal PAgP configuration, and neighbor information.
Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces.
1. Port 5 and port 6 are connected to distribution switch 1 through link-state group 1.
– Port 5 and port 6 are the upstream interfaces in link-state group 1.
Catalyst 3560-X switches, the group number can be 1 to 2. For Catalyst 3750-X switches, the group number can be 1 to 10. The default is 1. Specify a physical interface or range of interfaces to configure,...
Upstream Interfaces : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn)
Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
For detailed information about the fields in the display, see the command reference for this release.
Understanding TelePresence E911 IP Phone Support
You can use a Cisco IP phone as a user interface in a Cisco TelePresence System. See Figure 1. In this configuration, the IP phone must always be on and available for emergency calls. If the power to the codec in the Cisco TelePresence System fails or is disrupted, or if the codec itself fails, the IP phone is not available.
When a CDP-enabled IP phone is connected to the codec through a switch, you can configure the switch to forward CDP packets from the IP phone only to the codec in the Cisco TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table. An ingress-egress port pair is a one-to-one mapping between an ingress switch port connected to the IP phone and an egress switch port connected to the codec.