Cisco Catalyst 3750-X Software Configuration Manual


Catalyst 3750-X and 3560-X Switch
Software Configuration Guide
Cisco IOS Release 12.2(53)SE2
May 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-21521-01


Summary of Contents for Cisco Catalyst 3750-X

  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Default Settings After Initial Switch Configuration 1-16 Network Configuration Examples 1-19 Design Concepts for Using the Switch 1-19 Small to Medium-Sized Network Using Catalyst 3750-X and 3560-X Switches 1-26 Large Network Using Catalyst 3750-X and 3560-X Switches 1-28 Multidwelling Network Using Catalyst 3750-X Switches 1-31...
  • Page 4 Configuring DHCP Autoconfiguration (Only Configuration File) 3-11 Configuring DHCP Auto-Image Update (Configuration File and Image) 3-12 Configuring the Client 3-14 Manually Assigning IP Information 3-15 Checking and Saving the Running Configuration 3-15 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-21521-01...
  • Page 5 Managing Switch Stacks CHAPTER Understanding Switch Stacks Switch Stack Membership Stack Master Election and Re-Election Switch Stack Bridge ID and Router MAC Address Stack Member Numbers...
  • Page 6 Understanding the show switch stack-ports summary Output 5-27 Identifying Loopback Problems 5-28 Software Loopback 5-28 Software Loopback Example: No Connected Stack Cable 5-29 Software Loopback Examples: Connected Stack Cables 5-29 Hardware Loopback 5-30...
  • Page 7 Using SNMP to Manage Switch Clusters 6-17 Administering the Switch CHAPTER Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol...
  • Page 8 Adding and Removing Static Address Entries 7-27 Configuring Unicast MAC Address Filtering 7-28 Disabling MAC Address Learning on a VLAN 7-29 Displaying Address Table Entries 7-30 Managing the ARP Table 7-31...
  • Page 9 Changing the Default Privilege Level for Lines 10-9 Logging into and Exiting a Privilege Level 10-9 Controlling Switch Access with TACACS+ 10-10 Understanding TACACS+ 10-10 TACACS+ Operation 10-12 Configuring TACACS+ 10-12...
  • Page 10 Configuring Kerberos 10-42 Configuring the Switch for Local Authentication and Authorization 10-43 Configuring the Switch for Secure Shell 10-44 Understanding SSH 10-45 SSH Servers, Integrated Clients, and Supported Versions 10-45 Limitations 10-46...
  • Page 11 802.1x Multiple Authentication Mode 11-12 MAC Move 11-13 802.1x Accounting 11-13 802.1x Accounting Attribute-Value Pairs 11-13 802.1x Readiness Check 11-14 802.1x Authentication with VLAN Assignment 11-15 802.1x Authentication with Per-User ACLs 11-16...
  • Page 12 802.1x Authentication with Downloadable ACLs and Redirect URLs 11-17 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 11-17 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 11-18 VLAN ID-based MAC Authentication 11-18 802.1x Authentication with Guest VLAN 11-19 802.1x Authentication with Restricted VLAN...
  • Page 13 Configuring MACsec on an Interface 11-67 Displaying 802.1x Statistics and Status 11-69 Configuring Web-Based Authentication 12-1 CHAPTER Understanding Web-Based Authentication 12-1 Device Roles 12-2 Host Detection 12-2...
  • Page 14 CHAPTER Interface Types 13-1 Port-Based VLANs 13-2 Switch Ports 13-2 Access Ports 13-3 Trunk Ports 13-3 Tunnel Ports 13-4 Routed Ports 13-4 Switch Virtual Interfaces 13-5 SVI Autostate Exclude 13-6...
  • Page 15 13-36 Configuring Layer 3 Interfaces 13-37 Configuring SVI Autostate Exclude 13-39 Configuring the System MTU 13-39 Configuring the Cisco RPS 2300 in a Mixed Stack 13-42 Configuring the Power Supplies 13-44...
  • Page 16 Configuring Normal-Range VLANs 15-6 Saving VLAN Configuration 15-6 Default Ethernet VLAN Configuration 15-7 Creating or Modifying an Ethernet VLAN 15-7 Deleting a VLAN 15-8 Assigning Static-Access Ports to a VLAN 15-9...
  • Page 17 Troubleshooting Dynamic-Access Port VLAN Membership 15-31 VMPS Configuration Example 15-31 Configuring VTP 16-1 CHAPTER Understanding VTP 16-1 The VTP Domain 16-2 VTP Modes 16-3...
  • Page 18 Configuring Voice VLAN 17-3 Default Voice VLAN Configuration 17-3 Voice VLAN Configuration Guidelines 17-3 Configuring a Port Connected to a Cisco 7960 IP Phone 17-4 Configuring Cisco IP Phone Voice Traffic 17-5 Configuring the Priority of Incoming Data Frames 17-6...
  • Page 19 Configuring the SP Edge Switch 19-14 Configuring the Customer Switch 19-16 Monitoring and Maintaining Tunneling Status 19-18 Configuring STP 20-1 CHAPTER Understanding Spanning-Tree Features 20-1 STP Overview 20-2...
  • Page 20 Configuring the Hello Time 20-22 Configuring the Forwarding-Delay Time for a VLAN 20-23 Configuring the Maximum-Aging Time for a VLAN 20-23 Configuring the Transmit Hold-Count 20-24 Displaying the Spanning-Tree Status 20-24...
  • Page 21 Configuring the Maximum-Hop Count 21-25 Specifying the Link Type to Ensure Rapid Transitions 21-25 Designating the Neighbor Type 21-26 Restarting the Protocol Migration Process 21-26 Displaying the MST Configuration and Status 21-27...
  • Page 22 Learning the Other Flex Link Port as the mrouter Port 23-3 Generating IGMP Reports 23-3 Leaking IGMP Reports 23-4 MAC Address-Table Move Update 23-6 Configuring Flex Links and MAC Address-Table Move Update 23-7 Configuration Guidelines 23-7 Default Configuration 23-8...
  • Page 23 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 24-20 Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port 24-24 Displaying IP Source Guard Information 24-25 Understanding DHCP Server Port-Based Address Allocation 24-26...
  • Page 24 Setting the Snooping Method 26-7 Configuring a Multicast Router Port 26-8 Configuring a Host Statically to Join a Group 26-9 Enabling IGMP Immediate Leave 26-10 Configuring the IGMP Leave Timer 26-10...
  • Page 25 Configuring IPv6 MLD Snooping 27-5 Default MLD Snooping Configuration 27-6 MLD Snooping Configuration Guidelines 27-6 Enabling or Disabling MLD Snooping 27-7 Configuring a Static Multicast Group 27-8 Configuring a Multicast Router Port 27-8...
  • Page 26 Configuring CDP 29-2 Default CDP Configuration 29-2 Configuring the CDP Characteristics 29-2 Disabling and Enabling CDP 29-3 Disabling and Enabling CDP on an Interface 29-4 Monitoring and Maintaining CDP 29-5...
  • Page 27 Remote SPAN 32-3 SPAN and RSPAN Concepts and Terminology 32-4 SPAN Sessions 32-4 Monitored Traffic 32-6 Source Ports 32-7 Source VLANs 32-7 VLAN Filtering 32-7 Destination Port 32-8 RSPAN VLAN 32-9...
  • Page 28 CHAPTER Understanding System Message Logging 34-1 Configuring System Message Logging 34-2 System Log Message Format 34-2 Default System Message Logging Configuration 34-4 Disabling Message Logging 34-4...
  • Page 29 Configuring Embedded Event Manager 36-1 CHAPTER Understanding Embedded Event Manager 36-1 Event Detectors 36-3 Embedded Event Manager Actions 36-4 Embedded Event Manager Policies 36-4...
  • Page 30 Time Range Applied to an IP ACL 37-26 Commented IP ACL Entries 37-26 ACL Logging 37-27 Creating Named MAC Extended ACLs 37-28 Applying a MAC ACL to a Layer 2 Interface 37-30...
  • Page 31 Classification Based on QoS ACLs 39-7 Classification Based on Class Maps and Policy Maps 39-8 Policing and Marking 39-9 Policing on Physical Ports 39-10 Policing on SVIs 39-11 Mapping Tables 39-13...
  • Page 32 Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 39-57 Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps 39-61 Classifying, Policing, and Marking Traffic by Using Aggregate Policers 39-68...
  • Page 33 EtherChannel On Mode 40-8 Load-Balancing and Forwarding Methods 40-8 EtherChannel and Switch Stacks 40-10 Configuring EtherChannels 40-11 Default EtherChannel Configuration 40-11 EtherChannel Configuration Guidelines 40-12 Configuring Layer 2 EtherChannels 40-13...
  • Page 34 Assigning IP Addresses to Network Interfaces 42-7 Use of Subnet Zero 42-7 Classless Routing 42-8 Configuring Address Resolution Methods 42-9 Define a Static ARP Cache 42-10 Set ARP Encapsulation 42-11 Enable Proxy ARP 42-12...
  • Page 35 42-40 Configuring EIGRP Route Authentication 42-41 EIGRP Stub Routing 42-42 Monitoring and Maintaining EIGRP 42-43 Configuring BGP 42-43 Default BGP Configuration 42-45 Nonstop Forwarding Awareness 42-47 Enabling BGP Routing 42-48...
  • Page 36 User Interface for FTP and TFTP 42-82 Configuring Multicast VRFs 42-83 Configuring a VPN Routing Session 42-83 Configuring BGP PE to CE Routing Sessions 42-84 Multi-VRF CE Configuration Example 42-85 Displaying Multi-VRF CE Status 42-88...
  • Page 37 Static Routes for IPv6 43-6 RIP for IPv6 43-7 OSPF for IPv6 43-7 EIGRP IPv6 43-7 HSRP for IPv6 43-7 SNMP and Syslog Over IPv6 43-7 HTTP(S) Over IPv6 43-8...
  • Page 38 44-10 Enabling HSRP Support for ICMP Redirect Messages 44-12 Configuring HSRP Groups and Clustering 44-12 Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E and 3750 Switches 44-13 Displaying HSRP Configurations 44-13...
  • Page 39 Configuring IP SLAs Object Tracking 46-8 Configuring Static Routing Support 46-10 Configuring a Primary Interface 46-10 Configuring a Cisco IP SLAs Monitoring Agent and Track Object 46-11 Configuring a Routing Policy and Default Route 46-12 Monitoring Enhanced Object Tracking 46-12...
  • Page 40 SSM Components Overview 48-14 How SSM Differs from Internet Standard Multicast 48-14 SSM IP Address Range 48-15 SSM Operations 48-15 IGMPv3 Host Signalling 48-15 Configuration Guidelines 48-16 Configuring SSM 48-17 Monitoring SSM 48-17...
  • Page 41 Configuring an IP Multicast Boundary 48-47 Configuring Basic DVMRP Interoperability Features 48-49 Configuring DVMRP Interoperability 48-49 Configuring a DVMRP Tunnel 48-51 Advertising Network 0.0.0.0 to DVMRP Neighbors 48-53 Responding to mrinfo Requests 48-54...
  • Page 42 Shutting Down an MSDP Peer 49-16 Including a Bordering PIM Dense-Mode Region in MSDP 49-17 Configuring an Originating Address other than the RP Address 49-18 Monitoring and Maintaining MSDP 49-19...
  • Page 43 Disabled Port Caused by False Link Up 51-14 SFP Module Security and Identification 51-14 Monitoring SFP Module Status 51-14 Monitoring Temperature 51-15 Using Ping 51-15 Understanding Ping 51-15 Executing Ping 51-15...
  • Page 44 Configuring Online Diagnostics 52-1 Scheduling Online Diagnostics 52-2 Configuring Health-Monitoring Diagnostics 52-2 Running Online Diagnostic Tests 52-4 Starting Online Diagnostic Tests 52-5 Displaying Online Diagnostic Tests and Test Results 52-5...
  • Page 45 APPENDIX MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images APPENDIX Working with the Flash File System...
  • Page 46 Working with Software Images B-25 Image Location on the Switch B-26 File Format of Images on a Server or Cisco.com B-26 Copying Image Files By Using TFTP B-27 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 47 C-11 Unsupported Privileged EXEC Commands C-11 Unsupported Global Configuration Commands C-11 NetFlow Commands C-12 Unsupported Global Configuration Commands C-12 Network Address Translation (NAT) Commands C-12 Unsupported Privileged EXEC Commands C-12...
  • Page 48 Unsupported Global Configuration Command C-13 Unsupported Interface Configuration Command C-13 VLAN C-13 Unsupported Global Configuration Command C-13 Unsupported User EXEC Commands C-13 C-14 Unsupported Privileged EXEC Command C-14 INDEX...
  • Page 49 This guide is for the networking professional managing the standalone Catalyst 3750-X or 3560-X switch or the Catalyst 3750-X switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 50: Related Publications

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications: Documents with complete information about the switch are available from these Cisco.com sites: Catalyst 3750-X http://www.cisco.com/en/US/products/ps10745/tsd_products_support_series_home.html Catalyst 3560-X http://www.cisco.com/en/US/products/ps10744/tsd_products_support_series_home.html...
  • Page 51: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 53: Features

    SSH management session, can be encrypted. You must have a Cisco IOS software license for a specific feature set to enable it. For more information about the software license, see the Cisco IOS Software Installation document on Cisco.com.
  • Page 54: Chapter 1 Overview

    • User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
    • Auto Smartports Cisco-default and user-defined macros for dynamic port configuration based on the device type detected on the port.
    • An embedded device manager GUI for configuring and monitoring a single switch through a web...
  • Page 55 For information about the stacking interactions in Catalyst 3750-X, Catalyst 3750-E, and 3750 mixed switch stacks, see the Cisco IOS Software Installation document on Cisco.com.
    • StackPower technology on Catalyst 3750-X switches running the IP base or IP services feature set...
  • Page 56: Performance Features

    • AutoSmartPort enhancements, which add support for macro persistency, LLDP-based triggers, MAC address and OUI-based triggers, remote macros, and automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC).
    Performance Features: Cisco EnergyWise manages the energy usage of power over Ethernet (PoE) entities.
  • Page 57: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 58: Manageability Features

    • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
    • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses...
  • Page 59 IGMPv2 clients to utilize SSM, allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application
    • The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and...
  • Page 60: Availability And Redundancy Features

    • USB Type A port for external Cisco USB flash memory devices (thumb drives or USB keys). You can use standard Cisco CLI commands to read, write, erase, copy, or boot from the flash memory. For additional descriptions of the management interfaces, see the “Network Configuration Examples”...
  • Page 61: Vlan Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
    • StackPower redundancy option. You can configure power supplies in a stack in redundant mode so...
  • Page 62 – Port security for controlling access to IEEE 802.1x ports
    – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port...
  • Page 63 – IP phone detection enhancement to detect and recognize a Cisco IP phone
    – Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
    – Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do...
  • Page 64: Qos And Cos Features

    • When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies
    • IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to...
  • Page 65 – Trusted port states (CoS, DSCP, and IP precedence, both IPv4 and IPv6) within a QoS domain and with a port bordering another QoS domain
    – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
    • Policing...
  • Page 66: Layer 3 Features

    • DHCP for IPv6 relay, client, server address assignment and prefix delegation
    • IPv6 unicast routing capability for forwarding IPv6 traffic through configured interfaces (requires the IP services feature set)...
  • Page 67: Power Over Ethernet Features

    • Ability to monitor the real-time power consumption. On a per-PoE port basis, the switch senses the total power consumption, polices the power usage, and reports the power usage.
    • StackPower technology on Catalyst 3750-X switches running the IP base or IP services feature set.
    Monitoring Features
    • Switch LEDs that provide port- and switch-level status on Catalyst 3560-X switches...
  • Page 68: Default Settings After Initial Switch Configuration

    • Default switch IP address, subnet mask, and default gateway are 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 24, “Configuring DHCP Features and IP Source Guard.”...
  • Page 69 Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
    • No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
  • Page 70 Syslog messages are enabled and appear on the console. For more information, see Chapter 34, “Configuring System Message Logging.”
    • SNMP is enabled (Version 1). For more information, see Chapter 35, “Configuring SNMP.”...
  • Page 71: Network Configuration Examples

    10-Gigabit Ethernet connections.
    • “Design Concepts for Using the Switch” section on page 1-19
    • “Small to Medium-Sized Network Using Catalyst 3750-X and 3560-X Switches” section on page 1-26
    • “Large Network Using Catalyst 3750-X and 3560-X Switches” section on page 1-28...
  • Page 72 Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic...
  • Page 73 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 3750-X switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
  • Page 74 1-2)—For high-speed access to network resources, you can use Catalyst 3750-X switches and switch stacks in the access layer to provide Gigabit Ethernet access to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch.
  • Page 75 Figure 1-3 High-Performance Workgroup (Gigabit-to-the-Desktop) with Catalyst 3560-X Standalone Switches (figure labels: stacking-capable switches; access-layer standalone switches; Cisco 2600 router)...
  • Page 76 VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs. You can connect the Catalyst switches, again in a star configuration, to two Catalyst 3750-X backbone switches. If one of the backbone switches fails, the second backbone switch preserves connectivity between the switches and network resources.
  • Page 77 (Figure labels: server aggregation; campus core Catalyst 6500 switches; Catalyst 4500 multilayer switches; StackWise Plus switch stacks; StackWise switch stacks; access-layer standalone switches; server racks)...
  • Page 78 The switches are using routed uplinks for faster failover. They are also configured with equal-cost routing for load sharing and redundancy. (When the network uses Catalyst 3750-X switches, a Layer 2 switch stack can use cross-stack EtherChannel for load sharing.) The switches are connected to workstations, local servers, and IEEE 802.3af-compliant and...
  • Page 79 Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
  • Page 80: Large Network Using Catalyst 3750-X And 3560-X Switches

    Figure 1-9 shows a configuration for a network that uses only Catalyst 3750-X switch stacks in the wiring closets and two backbone switches, such as the Catalyst 6500 switches, to aggregate up to ten wiring closets. Figure 1-10...
  • Page 81 Figure 1-9 Catalyst 3750-X Switch Stacks in Wiring Closets in a Backbone Configuration (figure labels: Cisco 7x00 routers; Catalyst 6500 multilayer switches; mixed hardware stacks, including the Catalyst 3750G Integrated...)
  • Page 82 (Figure labels: (such as a web cam); Aironet wireless access points; Cisco IP Phones with workstations)...
  • Page 83: Small To Medium-Sized Network Using Catalyst 3750-X And 3560-X Switches

    Catalyst Long-Reach Ethernet (LRE) switches, see the documentation sets specific to these switches for LRE information. All ports on the residential Catalyst 3750-X switches (and Catalyst 2950 LRE switches if they are included) are configured as IEEE 802.1Q trunks with protected port and STP root guard features enabled.
  • Page 84: Long-Distance, High-Bandwidth Transport Configuration

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 85: Where To Go Next

    Before configuring the switch, review these sections for startup information:
    • Chapter 2, “Using the Command-Line Interface”
    • Chapter 3, “Assigning the Switch IP Address and Default Gateway”...
  • Page 87: Understanding Command Modes

    CHAPTER 2 Using the Command-Line Interface. This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-X or 3560-X switch or a Catalyst 3750-X switch stack, referred to as the switch.
  • Page 88: Chapter 2 Using The Command-Line Interface

    console command. To return to privileged EXEC mode, press Ctrl-Z or enter end...
  • Page 89: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf...
  • Page 90: Understanding No And Default Forms Of Commands

    Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the...
  • Page 91: Using Command History

    You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4 at this URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TS...
  • Page 92: Recalling Commands

    Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# no editing...
  • Page 93: Editing Commands Through Keystrokes

    Delete the word to the left of the cursor.
    Press Esc D: Delete from the cursor to the end of the word.
    Capitalize or lowercase words or capitalize a set of letters: Press Esc C: Capitalize at the cursor...
  • Page 94: Editing Command Lines That Wrap

    Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
    Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
    Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
    Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45...
  • Page 95: Searching And Filtering Output Of Show And More Commands

    If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation. For more information about interface notations, see the “Using Interface Configuration Mode” section on page 13-17...
  • Page 96: Accessing The CLI Through A Console Connection Or Through Telnet

    After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station...
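    The defaults listed on pages 69 and 70 (no passwords defined, SNMP enabled as Version 1) and the Telnet reachability described on page 96 together describe the state a switch is in until someone hardens it. The check below is an added example, not code from the guide or from Cisco: a Python audit over a constructed running-config that flags a missing enable secret, SNMPv1/v2c community strings, and vty lines whose transport input is not restricted to SSH. The two sample configurations are written for the example; the hardening commands they use (enable secret, snmp-server group ... v3 priv, transport input ssh) are standard IOS syntax, and the one-space indentation of line sub-commands matches how IOS prints a running-config.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample running-config of a switch left close to its defaults
# (written for this example, not captured from a real switch).
WEAK_CONFIG = """\
!
hostname Switch
!
snmp-server community public RO
snmp-server community private RW
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
!
end
"""

# The same switch hardened: privileged EXEC protected by a secret, v1/v2c
# community strings replaced by an SNMPv3 group, vty lines SSH-only.
HARDENED_CONFIG = """\
!
hostname Switch
!
enable secret S3cret-example-only
!
snmp-server group v3admins v3 priv
!
line con 0
line vty 0 15
 transport input ssh
!
end
"""


def _line_blocks(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, sub-commands) for every 'line ...' block.

    IOS indents the sub-commands of a line block by one space, so a block
    ends at the next command that starts in column 0.
    """
    i = 0
    while i < len(lines):
        if lines[i].startswith("line "):
            header = lines[i].strip()
            i += 1
            body: List[str] = []
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting present in a running-config."""
    lines = config.splitlines()
    findings: List[str] = []

    # Default: no passwords are defined (page 69). Without an enable secret,
    # privileged EXEC is not protected at all.
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured")

    # Default: SNMP Version 1 is enabled (page 70). v1/v2c community strings
    # are the whole credential and cross the wire in cleartext.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", l)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            findings.append(f"SNMPv1/v2c community '{name}' ({mode})")

    # A vty line reachable over Telnet (page 96) sends the login in cleartext.
    # The hardened state is an explicit 'transport input ssh' and nothing else.
    for header, body in _line_blocks(lines):
        if not header.startswith("line vty"):
            continue
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports or any(t != ["ssh"] for t in transports):
            findings.append(f"{header}: transport input not restricted to ssh")

    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened:", audit_config(HARDENED_CONFIG) or "no findings")
```

    Run against WEAK_CONFIG the audit reports five findings and against HARDENED_CONFIG none. The vty check deliberately treats a missing transport input line as a finding rather than guessing the platform default, so the only way to pass is to state the SSH-only policy explicitly in the configuration.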
  • Page 97: Understanding The Boot Process

    For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: Understanding the Boot Process, page 3-1 •...
  • Page 98: C H A P T E R 3 Assigning The Switch Ip Address And Default Gateway

    You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack, provided there is IP connectivity.
  • Page 99: Default Switch Information

    The switch can act as both a DHCP client and a DHCP server. During DHCP-based autoconfiguration, your switch (DHCP client) is automatically configured at startup with IP address information and a configuration file.
  • Page 100: Dhcp Client Request Process

    3-7. If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
  • Page 101: Understanding Dhcp-Based Autoconfiguration And Image Update

    67 (the configuration filename), option 66 (the DHCP server hostname), option 150 (the TFTP server address), and option 125 (description of the file) settings.
  • Page 102: Limitations And Restrictions

    (Only Configuration File)” section on page 3-11 and the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch.
  • Page 103: Dhcp Server Configuration Guidelines

    TFTP requests. Unavailability of other lease options does not affect autoconfiguration. The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent •...
  • Page 104: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 105: Obtaining Configuration Files

    If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.
  • Page 106: Example Configuration

    Boot filename (configuration file, optional): switcha-confg, switchb-confg, switchc-confg, switchd-confg. Hostname (optional): switcha, switchb, switchc, switchd. DNS Server Configuration: The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
  • Page 107: Configuring The Dhcp Auto Configuration And Image Update Features

    Step 2: ip dhcp pool name. Create a name for the DHCP server address pool, and enter DHCP pool configuration mode. Step 3: bootfile filename. Specify the name of the configuration file that is used as a boot image.
  • Page 108: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    In the text file, put the name of the image that you want to download (for example, 3750x-ipservices-mz.122-53.3.SE2.tar). This image must be a tar and not a bin file.
  • Page 109 Step 9: copy tftp flash imagename.tar. Step 10: exit. Return to global configuration mode. Step 11: tftp-server flash:config.text. Specify the Cisco IOS configuration file on the TFTP server. Step 12: tftp-server flash:imagename.tar. Specify the image name on the TFTP server...
  • Page 110: Configuring The Client

    DHCP: enabled (next boot: enabled) Switch# Note: You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based autoconfiguration with a saved configuration.
  • Page 111: Manually Assigning Ip Information

    You can check the configuration settings you entered or changes you made by entering this privileged EXEC command: Switch# show running-config Building configuration... Current configuration: 1363 bytes version 12.2 no service pad
  • Page 112: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration...
  • Page 113: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 114: Booting Manually

    Filenames and directory names are case sensitive. (Optional) Save your entries in the configuration file. Step 5 copy running-config startup-config To disable manual booting, use the no boot manual global configuration command.
  • Page 115: Booting A Specific Software Image

    Use all to specify all stack members. • If you enter on a Catalyst 3750-X stack master or member, you can only specify the switch image for other Catalyst 3750-X stack members. If you enter on a Catalyst 3750-E stack master or member, you can only specify the switch image for other Catalyst 3750-E stack members.
  • Page 116: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 117 CONFIG_FILE flash:/file-url (boot loader command): Changes the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. boot config-file flash:/file-url (Cisco IOS global configuration command): Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration.
  • Page 118: Scheduling A Reload Of The Software Image

    This example shows how to reload the software on the switch on the current day at 7:30 p.m: Switch# reload at 19:30 Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes) Proceed with reload? [confirm]
  • Page 119: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 121: Understanding Cisco Configuration Engine Software

    Configuring Cisco IOS Configuration Engine This chapter describes how to configure the feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 122: C H A P T E R 4 Configuring Cisco Ios Configuration Engine

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 123: Event Service

    ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 124: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 125: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: Initial Configuration, page 4-5 •...
  • Page 126: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 127 Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
  • Page 128: Enabling The Cns Event Agent

    This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count. Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 129: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: The cns config initial global configuration command enables the Cisco IOS agent and initiates an •...
  • Page 130 Step 11: hostname name. Enter the hostname for the switch. Step 12: ip route network-number. (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
  • Page 131 ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 132 Verify your entries. Step 17 show running-config To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 133: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command Purpose Enter global configuration mode.
  • Page 134: Displaying Cns Configuration

    Table 4-2 Displaying CNS Configuration. show cns config connections: Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 135: Managing Switch Stacks

    LEDs to display switch stack status, see the hardware installation guide. The Catalyst 3750-X stackable switch also supports StackPower, where up to four switches can be connected with power stack cables to allow the switch power supplies to share the load across multiple systems in a stack.
  • Page 136: Chapter 5 Managing Switch Stack

    – Catalyst 3750 switches supporting different features as stack members. For example, a stack with the Catalyst 3750-X members running the IP services feature set and the Catalyst 3750 members running the IP services software image. For information about Catalyst 3750 switches, see the “Managing Switch Stacks” chapter in the Catalyst 3750 Switch Software Configuration Guide.
  • Page 137 Encryption features are unavailable if the stack master is running the IP base or IP services feature set and the noncryptographic software image. Note: In a mixed stack, Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier could be running a noncryptographic image. Catalyst 3750-X switches and Catalyst 3750 and 3750-E switches with Cisco IOS Releases later than 12.2(53)SE run only the cryptographic software...
  • Page 138: Switch Stack Membership

    their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant on Cisco.com. Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports.
  • Page 139: Stack Master Election And Re-Election

    Note: We recommend assigning the highest priority value to the switch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master if a re-election occurs. The switch that is not using the default interface-level configuration.
  • Page 140 Note: The noncryptographic images apply only to mixed stacks that include Catalyst 3750-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier. Catalyst 3750-X switches and Catalyst 3750-E or 3750 switches running later releases support only the cryptographic image.
  • Page 141: Switch Stack Bridge Id And Router Mac Address

    • If you move a stack member to a different switch stack, the stack member retains its number only if the number is not being used by another member in the stack. If it is being used, the switch selects the lowest available number in the stack.
  • Page 142: Stack Member Priority Values

    EXEC command. The startup configuration file ensures that the switch stack can reload and can use the saved information whether or not the provisioned switch is part of the switch stack.
  • Page 143: Effects Of Adding A Provisioned Switch To A Switch Stack

    The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack.
  • Page 144: Effects Of Replacing A Provisioned Switch In A Switch Stack

    Hardware Compatibility and SDM Mismatch Mode in Switch Stacks The Catalyst 3750-X switch supports only the desktop Switch Database Management (SDM) templates. All stack members use the SDM template configured on the stack master.
  • Page 145: Switch Stack Software Compatibility Recommendations

    “Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 5-10. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the universal software image and have the IP services feature set enabled for the Cisco IOS Release 12.2(53)SE2 or later.
  • Page 146: Minor Version Number Incompatibility Among Switches

    Note: Auto-upgrade performs the upgrade only when the two feature sets are the same type. For example, it does not automatically upgrade a switch in VM mode from IP services feature set to IP base feature set (or the reverse).
  • Page 147: Auto-Upgrade And Auto-Advise Example Messages

    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Stacking Version Number:1.4 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:System Type: 0x00000000 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Ios Image File Size: 0x004BA200 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Total Image File Size:0x00818A00
  • Page 148 1 *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:Systems with incompatible software *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:have been added to the stack. *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:storage devices on all of the stack
  • Page 149: Incompatible Software And Stack Member Image Upgrades

    EXEC command, the proper directory structure is not created. For more information about the info file, see the “File Format of Images on a Server or Cisco.com” section on page B-26. Incompatible Software and Stack Member Image Upgrades You can upgrade a switch that has an incompatible universal software image by using the archive copy-sw privileged EXEC command.
  • Page 150: Additional Considerations For System-Wide Configuration On Switch Stacks

    “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com • “MAC Addresses and Switch Stacks”...
  • Page 151: Switch Stack Management Connectivity

    Note: The noncryptographic software image was available only on Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier. The Catalyst 3750-X switches run only the cryptographic software image. Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports...
  • Page 152: Connectivity To Specific Stack Members

    Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. Restart both stack members at the same time.
  • Page 153 The stack master is retained. The new switch is added to the switch stack. Through their StackWise Plus ports, connect the new switch to a powered-on switch stack. Power on the new switch.
  • Page 154: Configuring The Switch Stack

    During this time period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master. If
  • Page 155 If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the switch stack moves to the current stack master MAC address. Return to privileged EXEC mode. Step 3
  • Page 156: Assigning Stack Member Information

    Setting the Stack Member Priority Value, page 5-23 (optional) • Provisioning a New Member for a Switch Stack, page 5-23 (optional) • Assigning a Stack Member Number Note: This task is available only from the stack master.
  • Page 157: Setting The Stack Member Priority Value

    (Optional) Save your entries in the configuration file. Step 6 copy running-config startup-config Provisioning a New Member for a Switch Stack Note: This task is available only from the stack master.
  • Page 158 The show running-config command output shows the interfaces associated with the provisioned switch: Switch(config)# switch 2 provision switch_PID Switch(config)# end Switch# show running-config | include switch 2 interface GigabitEthernet2/0/1 interface GigabitEthernet2/0/2 interface GigabitEthernet2/0/3 <output truncated>
  • Page 159: Accessing The Cli Of A Specific Stack Member

    Manually Disabling a Stack Port, page 5-26 • Re-Enabling a Stack Port While Another Member Starts, page 5-26 • Understanding the show switch stack-ports summary Output, page 5-27 • Identifying Loopback Problems, page 5-28 •
  • Page 160: Manually Disabling A Stack Port

    If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link.
  • Page 161: Understanding The Show Switch Stack-Ports Summary Output

    In Loopback: • No—At least one stack port on the member has an attached stack cable. • Yes—None of the stack ports on the member has an attached stack cable.
  • Page 162: Identifying Loopback Problems

    (show switch stack-ports summary table rows, truncated: Down None 50 cm 50 cm Down None 50 cm) Switch 1 is a standalone switch. Switch# show switch stack-ports summary
  • Page 163: Software Loopback Example: No Connected Stack Cable

    (show switch stack-ports summary table rows, truncated: 50 cm 50 cm) – The port status shows that Switch 2 is a standalone switch. – The ports can send and receive traffic.
  • Page 164: Hardware Loopback

    If neither stack port has a connected stack cable, the Loopback HW value for both stack ports is Yes. • On a Catalyst 3750-E or Catalyst 3750-X member, if a stack port has a connected stack cable, the Loopback HW value for the stack port is No.
  • Page 165: Hardware Loop Example: Link Not Ok Event

    0000000957 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable Event type: RAC 0000000958 FF08FF00 86034DAC 5555FFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable 0000000958 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable
  • Page 166: Finding A Disconnected Stack Cable

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN This is now the port status: Switch# show switch stack-ports summary
  • Page 167: Fixing A Bad Connection Between Stack Ports

    The Cable Length value is 50 cm. • The switch detects and correctly identifies the cable. • The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
  • Page 169 Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 170: Understanding Switch Clusters

    Cluster members can belong to only one cluster at a time. Note: A switch cluster is different from a switch stack. A switch stack is a set of Catalyst 3750-X, Catalyst 3750-E, or Catalyst 3750 switches connected through their stack ports.
  • Page 171: Chapter 6 Clustering Switche

    It is running a supported software release. • It has an IP address. • It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the •...
  • Page 172: Candidate Switch And Cluster Member Switch Characteristics

    This requirement does not apply if you have a Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switch. Candidate and cluster member switches can connect through any VLAN in common with the cluster command switch.
  • Page 173: Automatic Discovery Of Cluster Candidates And Members

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 174: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 175: Discovery Through Different Vlans

    Discovery Through Different Management VLANs Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 176: Discovery Through Routed Ports

    Chapter 6 Clustering Switches Planning a Switch Cluster Note: If the switch cluster has a Catalyst 3750-E or Catalyst 3750-X switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in...
  • Page 177: Discovery Of Newly Installed Switches

    • The other cluster-capable switch and its access port are assigned to management VLAN 16. Figure 6-6 Discovery of Newly Installed Switches (figure labels: Command device; VLAN 9; VLAN 16; Device A; Device B; New (out-of-box) candidate device, twice)
  • Page 178: Hsrp And Standby Cluster Command Switches

    These topics also provide more detail about standby cluster command switches: Virtual IP Addresses, page 6-11 • Other Considerations for Cluster Standby Groups, page 6-11 • Automatic Recovery of Cluster Configuration, page 6-12 •
  • Page 179: Virtual Ip Addresses

    See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches. If your switch cluster has a Catalyst 3750-X switch or a switch stack, it should be the cluster command switch. If not, when the cluster has a Catalyst 3750-E switch or switch stack, that switch should be the cluster command switch.
  • Page 180: Automatic Recovery Of Cluster Configuration

    Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3560-X, Catalyst 3750, Catalyst 3750-E, and Catalyst 3750-X command and standby cluster command switches: If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the active cluster command switch.
  • Page 181: Ip Addresses

    (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
  • Page 182: Passwords

    Basic Comparison of Switch Stacks and Switch Clusters. Switch stack: made up of Catalyst 3750-E or Catalyst 3750-X switches only; stack members are connected through StackWise Plus ports... Switch cluster: made up of cluster-capable switches, such as Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, and Catalyst 2950 switches.
  • Page 183 You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch cluster.
  • Page 184: Tacacs+ And Radius

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 185: Catalyst 1900 And Catalyst 2820 Cli Considerations

    If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 35, “Configuring SNMP.”
  • Page 186 Using SNMP to Manage Switch Clusters Figure 6-8 SNMP Management for a Cluster (figure labels: SNMP Manager; Command switch; Trap 1, Trap 2, Trap 3; Member 1; Member 2; Member 3)
  • Page 187: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 188: Chapter 7 Administering The Switch

    The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
  • Page 189 Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 190: Configuring Ntp

    NTP that provide for accurate timekeeping) with other devices for security purposes: Step 1, configure terminal: Enter global configuration mode. Step 2, ntp authenticate: Enable the NTP authentication feature, which is disabled by default.
  • Page 191: Configuring Ntp Associations

    (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 192: Configuring Ntp Broadcast Service

    However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
  • Page 193 Step 3, ntp broadcast client: Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4, exit: Return to global configuration mode.
  • Page 194: Configuring Ntp Access Restrictions

    NTP control queries and allows the switch to synchronize to the remote device. • For access-list-number, enter a standard IP access list number from 1 to 99.
  • Page 195 99. However, the switch restricts access to allow only time requests from access list 42: Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch(config)# access-list 99 permit 172.20.130.5 Switch(config)# access-list 42 permit 172.20.130.6
  • Page 196: Configuring The Source Ip Address For Ntp Packets

    “Configuring NTP Associations” section on page 7-5.
  • Page 197: Displaying The Ntp Configuration

    • show ntp status. For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually: If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 198: Displaying The Time And Date Configuration

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 199: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00: Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 200: Configuring A System Name And Prompt

    9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
  • Page 201: Default System Name And Prompt Configuration

    Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 202: Default Dns Configuration

    If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
  • Page 203: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 204: Configuring A Message-Of-The-Day Login Banner

    Unix> telnet 172.2.5.4 Trying 172.2.5.4... Connected to 172.2.5.4. Escape character is '^]'. This is a secure site. Only authorized users are allowed. For access, contact technical support. User Access Verification Password:
  • Page 205: Configuring A Login Banner

    (static or dynamic). Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 206: Building The Address Table

    Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
  • Page 207: Mac Addresses And Switch Stacks

    VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.
  • Page 208: Removing Dynamic Address Entries

    MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 209 • Enable the trap when a MAC address is added on this interface. • Enable the trap when a MAC address is removed from this interface. Step 8: Return to privileged EXEC mode.
  • Page 210: Configuring Mac Address Move Notification Traps

    When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.
  • Page 211: Configuring Mac Threshold Notification Traps

    Configuring MAC Threshold Notification Traps When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.
  • Page 212 Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification Switch(config)# snmp-server enable traps mac-notification threshold Switch(config)# mac address-table notification threshold Switch(config)# mac address-table notification threshold interval 123 Switch(config)# mac address-table notification threshold limit 78
  • Page 213: Adding And Removing Static Address Entries

    Step 5, copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command.
  • Page 214: Configuring Unicast Mac Address Filtering

    • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094. Step 3: Return to privileged EXEC mode.
  • Page 215: Disabling Mac Address Learning On A Vlan

    • If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled.
  • Page 216: Displaying Address Table Entries

    show mac address-table notification: Displays the MAC notification parameters and history table. show mac address-table static: Displays only static MAC address table entries. show mac address-table vlan: Displays the MAC address table information for the specified VLAN.
  • Page 217: Managing The Arp Table

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
  • Page 218 Chapter 7 Administering the Switch, Managing the ARP Table
  • Page 219: Understanding The Sdm Templates

    This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 220: Dual Ipv4 And Ipv6 Sdm Templates

    • Dual IPv4 and IPv6 default template—supports Layer 2, multicast, routing, QoS, and ACLs for IPv4; and Layer 2, routing, ACLs, and QoS for IPv6 on the switch.
  • Page 221: Chapter 8 Configuring Sdm Template

    SDM Templates and Switch Stacks In a Catalyst 3750-X-only or a mixed hardware switch stack, all stack members must use the same SDM desktop template that is stored on the stack master. When a new switch is added to a stack, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
  • Page 222: Configuring The Switch Sdm Template

    • If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears. • Using the dual stack template results in less hardware capacity allowed for each resource, so do not use it if you plan to forward only IPv4 traffic.
  • Page 223: Setting The Sdm Template

    0.5K number of security aces: On next reload, template will be “desktop vlan” template.
  • Page 224: Displaying The Sdm Templates

    + multicast routes: number of unicast routes: number of directly connected hosts: number of indirect routes: number of policy based routing aces: 0.5K
  • Page 225 IPv4/MAC qos aces: 0.5K number of IPv4/MAC security aces: 0.5K number of IPv6 policy based routing aces: 0.25K number of IPv6 qos aces: 0.5K number of IPv6 security aces: 0.5K
  • Page 226 Chapter 8 Configuring SDM Templates, Displaying the SDM Templates
  • Page 227: Understanding Stackpower

    CHAPTER Configuring Catalyst 3750-X StackPower. The Catalyst 3750-X and 3560-X switches have two power supplies per system, allowing the power load to be split between them. This accommodates the increased maximum power of 30 watts per port provided to a powered device to meet the PoE+ standard (802.3at).
  • Page 228: Stackpower Modes

    You configure power modes at a power-stack level (that is, the mode is the same for all switches in the power stack). To configure power-stack parameters, enter the stack-power stack global configuration command followed by the name of the power stack to enter stack-power configuration mode.
  • Page 229: Chapter 9 Configuring Catalyst 3750-X Stackpower

    • Graceful load-shedding can occur when a smaller power supply fails. Switches and powered devices are shut down in order of their configured priority, starting with devices with priority 27, until the power budget matches the input power.
  • Page 230: Immediate Load Shedding Example

    Good Good 715/0 Not Present C3KX-PWR-325WAC LIT13330FNM Disabled Good Good 325/0 C3KX-PWR-325WAC LIT13330FN3 Disabled Good Good 325/0 Not Present C3KX-PWR-350WAC DTN1342L00T Good Good 350/0 NG3K-PWR-1100WAC LIT13370577 Good Good 1100/0 <output truncated>
  • Page 231 • Devices connected to Switch 1 high priority ports (priority 16) • Devices connected to Switch 2 low priority ports (priority 12) • Devices connected to Switch 2 high priority ports (priority 11)
  • Page 232: Configuring Stack Power

    The default is non-strict. Step 4: Return to privileged EXEC mode. Step 5, show stack power: Verify your entries. Step 6, copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 233: Configuring Power Stack Switch Power Parameters

    Switch(config)# stack-power switch 3 Switch(config-switch-stackpower)# stack power2 Switch(config-switch-stackpower)# power-priority switch 5 Switch(config-switch-stackpower)# power-priority high 12 Switch(config-switch-stackpower)# power-priority low 20 Switch(config-switch-stackpower)# exit Switch(config-stackpower)# exit
  • Page 234: Configuring Poe Port Priority

    This is an example of setting the power priority of a port to high so that it is one of the last ports to shut down in case of a power failure. Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# power inline port priority high Switch(config-if)# exit
  • Page 235: Preventing Unauthorized Access To Your Switch

    CHAPTER Configuring Switch-Based Authentication. This chapter describes how to configure switch-based authentication on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 236: Chapter 10 Configuring Switch-Based Authentication

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 237: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 238 To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
  • Page 239: Disabling Password Recovery

    This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 240: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 241: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 242: Setting The Privilege Level For A Command

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure Switch(config)# enable password level 14 SecretPswd14
  • Page 243: Changing The Default Privilege Level For Lines

    Step 1, enable level: For level, the range is 0 to 15. Step 2, disable level: Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 244: Controlling Switch Access With Tacacs+

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 245 TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 246: Tacacs+ Operation

    These sections contain this configuration information: • Default TACACS+ Configuration, page 10-13 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 10-13 • Configuring TACACS+ Login Authentication, page 10-14
  • Page 247: Default Tacacs+ Configuration

    Step 5, server ip-address: (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
  • Page 248: Configuring Tacacs+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication: Step 1, configure terminal: Enter global configuration mode. Step 2, aaa new-model: Enable AAA.
  • Page 249 {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 250: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 251: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 252: Understanding Radius

    Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 253: Radius Operation

    This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization (CoA). • Change-of-Authorization Requests, page 10-20 • CoA Request Response Code, page 10-21
  • Page 254: Change-Of-Authorization Requests

    • Session termination with port bounce. This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS, refer to: http://cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for the following attributes: Security and Password—refer to the...
  • Page 255 CoA Request Response Code The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table 10-4 on page 10-23.
  • Page 256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attributes ... +-+-+-+-+-+-+-+-+-+-+-+-+- The attributes field is used to carry Cisco VSAs. CoA ACK Response Code If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
  • Page 257 • CoA Disconnect-Request • CoA Request: Disable Host Port • CoA Request: Bounce-Port. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 10-4. Table 10-4 CoA Commands Supported on the Switch (columns: Command, Cisco VSA): Reauthenticate host, Cisco:Avpair=“subscriber:command=reauthenticate”...
  • Page 258 To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
  • Page 259: Stacking Guidelines For Session Termination

    Stacking Guidelines for CoA-Request Disable-Port Because the disable-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed.
  • Page 260: Configuring Radius

    • Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 10-36 (optional) • Configuring CoA on the Switch, page 10-37 • Monitoring and Troubleshooting CoA Functionality, page 10-38 • Configuring RADIUS Server Load Balancing, page 10-39 (optional)
  • Page 261: Default Radius Configuration

    You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 10-31.
  • Page 262 RADIUS host. Step 3: Return to privileged EXEC mode. Step 4, show running-config: Verify your entries. Step 5, copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 263: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Step 1, configure terminal: Enter global configuration mode. Step 2, aaa new-model: Enable AAA.
  • Page 264 • login command. Step 6: Return to privileged EXEC mode. Step 7, show running-config: Verify your entries. Step 8, copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 265: Defining Aaa Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 266 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6: Return to privileged EXEC mode. Step 7, show running-config: Verify your entries.
  • Page 267: Configuring Radius Authorization For User Privileged Access And Network Services

    EXEC access and network services: Step 1, configure terminal: Enter global configuration mode. Step 2, aaa authorization network radius: Configure the switch for user RADIUS authorization for all network-related service requests.
  • Page 268: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 269: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 270: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 271: Configuring Coa On The Switch

    Step 2, aaa new-model: Enable AAA. Step 3, aaa server radius dynamic-author: Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.
  • Page 272: Monitoring And Troubleshooting Coa Functionality

    Monitoring and Troubleshooting CoA Functionality The following Cisco IOS commands can be used to monitor and troubleshoot CoA functionality on the switch: debug radius •...
  • Page 273: Configuring Radius Server Load Balancing

    Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
  • Page 274 The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services. Note: A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
  • Page 275: Kerberos Operation

    4. SRVTAB = server table Kerberos Operation A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
  • Page 276: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918...
  • Page 277: Configuring The Switch For Local Authentication And Authorization

    • The Kerberos realm name must be in all uppercase characters. Note: A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
  • Page 278: Configuring The Switch For Secure Shell

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 279: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 280: Limitations

    SSH server. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 281: Configuring The Ssh Server

    If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
  • Page 282: Displaying The Ssh Configuration And Status

    show ssh: Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7d0.html
  • Page 283: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 284 X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 285: Ciphersuites

    • Configuring the Secure HTTP Client, page 10-54
    Default SSL Configuration
    The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
  • Page 286: SSL Configuration Guidelines

    RSA key pair.
    Step 13: Return to privileged EXEC mode.
    Step 14 (show crypto ca trustpoints): Verify the configuration.
    Step 15 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
  • Page 287: Configuring the Secure HTTP Server

    Step 10 (ip http max-connections value): (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
  • Page 288: Configuring the Secure HTTP Client

    Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.
  • Page 289: Displaying Secure HTTP Server and Client Status

    • Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair.
    Note: When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
  • Page 290: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 291: Understanding IEEE 802.1x Port-Based Authentication

    This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-X or 3560-X switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 292: Chapter 11: Configuring IEEE 802.1x Port-Based Authentication

    Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 293: Device Roles

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 294: Authentication Process

    The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3560-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
  • Page 295 After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
  • Page 296: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 11-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 297 MAC authentication bypass. See Figure 11-4. Figure 11-4, Message Exchange During MAC Authentication Bypass, shows the exchange between the client, the switch, and the RADIUS authentication server: three EAPOL Request/Identity frames, an Ethernet packet from the client, then a RADIUS Access/Request followed by a RADIUS Access/Accept.
  • Page 298: Authentication Manager

    In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
  • Page 299: Per-User ACLs and Filter-Ids

    ACLs configured on the switch are compatible with other devices running Cisco IOS releases. You can only set any as the source in the ACL.
    Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any (for example, permit icmp any host 10.10.1.1).
  • Page 300: Ports In Authorized And Unauthorized States

    ...the client to authenticate. The switch cannot provide authentication services to the client through the port.
  • Page 301: 802.1x Authentication and Switch Stacks

    For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
  • Page 302: 802.1x Host Mode

    For more information about critical authentication mode and the critical VLAN, see the “802.1x Authentication with Inaccessible Authentication Bypass” section on page 11-20. For more information, see the “Configuring the Host Mode” section on page 11-44.
  • Page 303: MAC Move

    RADIUS accounting packets are sent by a switch:
    • START–sent when a new user session starts
    • INTERIM–sent during an existing session for updates
    • STOP–sent when a session terminates
  • Page 304: 802.1x Readiness Check

    You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a008...
  • Page 305: 802.1x Authentication with VLAN Assignment

    The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
  • Page 306: 802.1x Authentication with Per-User ACLs

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 307: 802.1x Authentication with Downloadable ACLs and Redirect URLs

    Note: If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured.
    Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
    The switch uses these cisco-av-pair VSAs:
    • url-redirect is the HTTP to HTTPS URL.
  • Page 308: Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs

    ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, an authorization failure is declared.
  • Page 309: 802.1x Authentication with Guest VLAN

    VLAN if one is specified. For more information, see the “IEEE 802.1x Authentication with MAC Authentication Bypass” section on page 11-25. For more information, see the “Configuring a Guest VLAN” section on page 11-51.
  • Page 310: 802.1x Authentication with Restricted VLAN

    Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated. You can configure the switch to connect those hosts to critical ports.
  • Page 311: Support On Multiple-Authentication Ports

    – If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
  • Page 312: 802.1x User Distribution

    VLAN. Load balancing is achieved by moving the corresponding authorized user to that VLAN.
    Note: The RADIUS server can send the VLAN information in any combination of VLAN-IDs, VLAN names, or VLAN groups.
  • Page 313: 802.1x User Distribution Configuration Guidelines

    Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 314: IEEE 802.1x Authentication with Port Security

    Ethernet frame, known as the magic packet. You can use this feature in environments where administrators need to connect to systems that have been powered down.
  • Page 315: IEEE 802.1x Authentication with MAC Authentication Bypass

    During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
  • Page 316: Network Admission Control Layer 2 IEEE 802.1x Validation

    If the value is RADIUS-Request, the re-authentication process starts.
    • View the NAC posture token, which shows the posture of the client, by using the show dot1x privileged EXEC command.
    • Configure secondary private VLANs as guest VLANs.
  • Page 317: Flexible Authentication Ordering

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 318 When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 319: 802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)

    • Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
  • Page 320: Voice Aware 802.1x Security

    1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
    1w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
    1w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
  • Page 321: Understanding Media Access Control Security and MACsec Key Agreement

    MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. On the Catalyst 3750-X and 3560-X switches running Cisco IOS Release 12.2(53)SE2, only host-facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.
  • Page 322: MKA Policies

    MAC address of the physical interface concatenated with a 16-bit port ID.
    MACsec and Stacking
    A Catalyst 3750-X stack master running MACsec maintains the configuration files that show which ports on a member switch support MACsec. The stack master performs these functions:
    • Processes secure channel and secure association creation and deletion.
  • Page 323: MACsec, MKA and 802.1x Host Modes

    See Figure 11-8. Figure 11-8, MACsec in Standard Multiple-Host Mode - Unsecured, shows a primary host and secondary hosts connected to a switch with MACsec configured, and the access-control system.
  • Page 324: MKA Statistics

    • Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs, page 11-61 (optional)
    • Configuring VLAN ID-based MAC Authentication, page 11-63 (optional)
    • Configuring Flexible Authentication Ordering, page 11-64 (optional)
    • Configuring Open1x, page 11-64 (optional)
  • Page 325: Default 802.1x Authentication Configuration

    You can change this timeout period by using the dot1x timeout server-timeout interface configuration command.
    Guest VLAN: None specified.
    Inaccessible authentication bypass: Disabled.
  • Page 326: 802.1x Authentication Configuration Guidelines

    Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  • Page 327: VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

    EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
    • If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
  • Page 328: MAC Authentication Bypass

    • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
    • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
  • Page 329: Configuring Voice Aware 802.1x Security

    ...shutdown vlan global configuration command. You disable voice aware 802.1x security by entering the no version of this command. This command applies to all 802.1x-configured ports in the switch.
  • Page 330 This example shows how to re-enable all VLANs that were error disabled on port Gi4/0/2.
    Switch# clear errdisable interface GigabitEthernet4/0/2 vlan
    You can verify your settings by entering the show errdisable detect privileged EXEC command.
  • Page 331: Configuring 802.1x Violation Modes

    To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
  • Page 332 IEEE 802.1x authentication, and enter interface configuration mode.
    Step 9 (switchport mode access): (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
  • Page 333: Configuring the Switch-to-RADIUS-Server Communication

    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
  • Page 334: Configuring The Host Mode

    IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
  • Page 335: Configuring Periodic Re-Authentication

    Step 2 (interface interface-id): Specify the port to be configured, and enter interface configuration mode.
    Step 3 (authentication periodic, or dot1x reauthentication): Enable periodic re-authentication of the client, which is disabled by default.
  • Page 336: Manually Re-Authenticating a Client Connected to a Port

    “Configuring Periodic Re-Authentication” section on page 11-45. This example shows how to manually re-authenticate the client connected to a port:
    Switch# dot1x re-authenticate interface gigabitethernet2/0/1
  • Page 337: Changing the Quiet Period

    This procedure is optional.
    Step 1 (configure terminal): Enter global configuration mode.
    Step 2 (interface interface-id): Specify the port to be configured, and enter interface configuration mode.
  • Page 338: Setting the Switch-to-Client Frame-Retransmission Number

    Step 6 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return to the default retransmission number, use the no dot1x max-req interface configuration command.
  • Page 339: Setting the Re-Authentication Number

    Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
    configure terminal: Enter global configuration mode.
    authentication mac-move permit: Enable MAC move.
    Return to privileged EXEC mode.
  • Page 340: Configuring 802.1x Accounting

    Step 7 (copy running-config startup-config): (Optional) Saves your entries in the configuration file.
    Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message.
  • Page 341: Configuring a Guest VLAN

    To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x guest VLAN:
    Switch(config)# interface gigabitethernet2/0/2
    Switch(config-if)# dot1x guest-vlan 2
  • Page 342: Configuring a Restricted VLAN

    To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x restricted VLAN:
    Switch(config)# interface gigabitethernet2/0/2
    Switch(config-if)# dot1x auth-fail vlan 2
  • Page 343: Configuring the Inaccessible Authentication Bypass Feature

    VLAN:
    Switch(config-if)# dot1x auth-fail max-attempts 2
    Configuring the Inaccessible Authentication Bypass Feature
    You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA fail policy.
  • Page 344 This key must match the encryption used on the RADIUS daemon. You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.
  • Page 345
    Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
    Switch(config)# dot1x critical eapol
    Switch(config)# dot1x critical recovery delay 2000
    Switch(config)# interface gigabitethernet 1/0/1
    Switch(config)# radius-server deadtime 60
  • Page 346: Configuring 802.1x Authentication with WoL

    Step 2 (interface interface-id): Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 11-36.
  • Page 347: Configuring 802.1x User Distribution

    Group Name     Vlans Mapped
    -------------  --------------
    eng-dept
    hr-dept
    This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:
  • Page 348: Configuring NAC Layer 2 IEEE 802.1x Validation

    For more information about these commands, see the Cisco IOS Security Command Reference.
    Configuring NAC Layer 2 IEEE 802.1x Validation
    You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
  • Page 349: Configuring an Authenticator and a Supplicant Switch with NEAT

    “802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 11-29.
    Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated.
    Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 350
    Step 12: Return to privileged EXEC mode.
    Step 13 (show running-config interface interface-id): Verify your configuration.
    Step 14 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
  • Page 351: Configuring NEAT with ASP

    Step 5 (radius-server vsa send authentication): Configure the radius vsa send authentication.
    Step 6 (interface interface-id): Specify the port to be configured, and enter interface configuration mode.
  • Page 352: Configuring a Downloadable Policy

    Step 8 (ip device tracking): Enables the IP device tracking table.
    To disable the IP device tracking table, use the no ip device tracking global configuration command.
  • Page 353: Configuring VLAN ID-Based MAC Authentication

    There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
  • Page 354: Configuring Flexible Authentication Ordering

    Step 6 (authentication open): (Optional) Enable or disable open access on a port.
    Step 7 (authentication order dot1x | mab {webauth}): (Optional) Set the order of authentication methods used on a port.
  • Page 355: Configuring a Web Authentication Local Banner

    Switch(config)# aaa ip auth-proxy auth-proxy-banner C My Switch C
    Switch(config)# end
    For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com.
  • Page 356: Disabling 802.1x Authentication on the Port

    Step 4: Return to privileged EXEC mode.
    Step 5 (show authentication interface-id, show dot1x interface interface-id): Verify your entries.
    Step 6 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
  • Page 357: Configuring MKA and MACsec

    Step 6 (authentication event linksec fail action authorize vlan vlan-id): (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt.
  • Page 358
    Interface: GigabitEthernet1/0/25
    MAC Address: 001b.2140.ec3c
    IP Address: 1.1.1.103
    User-Name: ms1
    Status: Authz Success
    Domain: DATA
    Security Policy: Must Secure <--- New
    Security Status: Secured <--- New
    Oper host mode: multi-domain
  • Page 359: Displaying 802.1x Statistics and Status

    EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
  • Page 361: Understanding Web-Based Authentication

    Chapter 12 Configuring Web-Based Authentication
    This chapter describes how to configure web-based authentication on the Catalyst 3750-X or 3560-X switch. It contains these sections:
    • Understanding Web-Based Authentication, page 12-1
    • Configuring Web-Based Authentication, page 12-9
  • Page 362: Chapter 12: Configuring Web-Based Authentication

    • ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
    • Dynamic ARP inspection
    • DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
  • Page 363: Session Creation

    ...server. The terminate action is included in the response from the server.
    • If the terminate action is default, the session is dismantled, and the applied policy is removed.
  • Page 364: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 12-2.
  • Page 365 See Figure 12-4 (Login Screen With No Banner). For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 12-16.
  • Page 366: Web Authentication Customizable Web Pages

    • You must include an HTML redirect command in the success page to access a specific URL.
    • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 367: Web-Based Authentication Interactions With Other Features

    You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 28-8.
  • Page 368: Gateway IP

    ACLs
    If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 369: Configuring Web-Based Authentication

    • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
    • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
  • Page 370: Web-Based Authentication Configuration Task List

    Switch(config-if)# exit
    Switch(config)# ip device tracking
    This example shows how to verify the configuration:
    Switch# show ip admission configuration
    Authentication Proxy Banner not configured
    Authentication global cache time is 60 minutes
  • Page 371: Configuring AAA Authentication

    The RADIUS host entries are chosen in the order that they were configured.
  • Page 372 For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
    Note: You need to configure some settings on the RADIUS server, including: the switch IP address, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL).
  • Page 373: Configuring The HTTP Server

    Step 4 ip admission proxy http login expired page file device:expired-filename: Specify the location of the custom HTML file to use in place of the default login expired page.
  • Page 374
    Authentication global init state time is 2 minutes
    Authentication Proxy Session ratelimit is 100
    Authentication Proxy Watch-list is disabled
    Authentication Proxy Auditing is disabled
    Max Login attempts per user is 5
  • Page 375: Specifying A Redirection URL For Successful Login

    AAA down state to avoid flooding the AAA server when it returns to service (number_of_sessions). This example shows how to apply an AAA failure policy:
    Switch(config)# ip admission name AAA_FAIL_POLICY proxy http event timeout aaa policy identity GLOBAL_POLICY1
  • Page 376: Configuring The Web-Based Authentication Parameters

    (Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or file-path, which indicates a file (for example, a logo or text file) that appears in the banner.
  • Page 377: Removing Web-Based Authentication Cache Entries

    This example shows how to view only the global web-based authentication status:
    Switch# show authentication sessions
    This example shows how to view the web-based authentication settings for gigabit interface 3/27:
    Switch# show authentication sessions interface gigabitethernet 3/27
  • Page 378 Chapter 12 Configuring Web-Based Authentication: Displaying Web-Based Authentication Status
  • Page 379: Interface Types

    The rest of the chapter describes configuration procedures for physical interface characteristics. Note: The stack ports on the rear of the Catalyst 3750-X switch are not Ethernet ports and cannot be configured.
  • Page 380: Chapter 13 Configuring Interface Characteristics

    Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode by negotiating with the port on the other end of the link. You must manually...
  • Page 381: Access Ports

    Catalyst 6500 series switch; the Catalyst 3750-X or 3560-X switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 17, “Configuring Voice VLAN.”...
  • Page 382: Tunnel Ports

    When you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost.
  • Page 383: Switch Virtual Interfaces

    SVIs support routing protocols and bridging configurations. For more information about configuring IP routing, see Chapter 42, “Configuring IP Unicast Routing,” Chapter 48, “Configuring IP Multicast Routing,” and Chapter 50, “Configuring Fallback Bridging.”
  • Page 384: SVI Autostate Exclude

    RIP. For more advanced routing or for fallback bridging, enable the IP services feature set on the standalone switch or the stack master. For information about using the software activation feature to install a software license for a specific feature set, see the Cisco IOS Software Activation document. SVI Autostate Exclude: The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions: the VLAN exists and is active in the VLAN database on the switch.
  • Page 385: Gigabit Ethernet Interfaces

    10-Gigabit Ethernet Interfaces: The Catalyst 3750-X and 3560-X switches have a network module slot into which you can insert a 10-Gigabit Ethernet network module, a 1-Gigabit Ethernet network module, or a blank module. A 10-Gigabit Ethernet interface operates only in full-duplex mode. The interface can be configured as a switched or routed port.
  • Page 386: Powered-Device Detection And Initial Power Allocation

    After power is applied to the port, the switch uses CDP to determine the CDP-specific power consumption requirement of the connected Cisco powered devices, which is the amount of power to allocate based on the CDP messages. The switch adjusts the power budget accordingly. This does not apply to third-party PoE devices.
  • Page 387: Power Management Modes

    (TLVs), Power-via-MDI TLVs, for negotiating power up to 30 W. Cisco pre-standard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI power negotiation mechanism to request power levels up to 30 W.
  • Page 388: Power Monitoring And Power Policing

    The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
  • Page 389 6300 interface configuration command, the configured maximum power allocation on the PoE port is 6.3 W
  • Page 390: Connecting Interfaces

    The Catalyst 3750-X stackable switch also supports StackPower, which allows power supplies to share the load across multiple systems in a stack by connecting the switches with power stack cables. You can...
  • Page 391: Using The Switch USB Ports

    USB console, the first log from switch 1 shows the RJ-45 console. A short time later, the console changes and the USB console log appears. Switch 2 and switch 3 have connected RJ-45 console cables.
  • Page 392: Configuring The Console Media Type

    If a USB console cable is connected to switch 2, it is prevented from providing input.
    *Mar 1 00:34:27.498: %USB_CONSOLE-6-CONFIG_DISALLOW: Console media-type USB is disallowed by system configuration, media-type remains RJ45. (switch-stk-2)
  • Page 393: Configuring The USB Inactivity Timeout

    At this point, the only way to reactivate the USB console is to disconnect and reconnect the cable. When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears:
    *Mar 1 00:48:28.640: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
  • Page 394 The USB Type A port provides access to external Cisco USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device.
  • Page 395: Using Interface Configuration Mode

    13-19). To configure a physical interface (port), specify the interface type, stack member number (only Catalyst 3750-X switches), module number, and switch port number, and enter interface configuration mode. Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, 10-Gigabit •...
  • Page 396: Procedures For Configuring Interfaces

    Step 2: Enter the interface global configuration command. Identify the interface type, the switch number (only on Catalyst 3750-X switches), and the number of the connector. In this example, Gigabit Ethernet port 1 on switch 1 is selected:
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)#
    You do not need to add a space between the interface type and the interface number.
  • Page 397: Configuring A Range Of Interfaces

    When using the interface range global configuration command, note these guidelines. Valid entries for port-range: vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094;
  • Page 398 If you exit interface-range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface-range configuration mode.
  • Page 399: Configuring And Using Interface Range Macros

    - port-channel-number, where the port-channel-number is 1 to 48. Note: When you use the interface ranges with port channels, the first and last port-channel number must be active port channels.
  • Page 400: Using The Ethernet Management Port

    Understanding the Ethernet Management Port, page 13-23; Supported Features on the Ethernet Management Port, page 13-25; Configuring the Ethernet Management Port, page 13-25; TFTP and the Ethernet Management Port, page 13-26.
  • Page 401: Understanding The Ethernet Management Port

    In a stack with only Catalyst 3750-X or Catalyst 3750-E switches, all the Ethernet management ports on the stack members are connected to a hub to which the PC is connected. The active link is from the Ethernet management port on the stack master through the hub, to the PC. If the stack master fails and a new stack master is elected, the active link is now from the Ethernet management port on the new stack master to the PC.
  • Page 402 If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports.
  • Page 403: Supported Features On The Ethernet Management Port

    LED is green (on) when the link is active, and the LED is off when the link is down. The LED is amber when there is a POST failure. To display the link status, use the show interfaces fastethernet 0 privileged EXEC command.
  • Page 404: TFTP And The Ethernet Management Port

    Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release. copy tftp:/source-file-url: Copies a Cisco IOS image from the TFTP server to the specified location.
  • Page 405: Default Ethernet Interface Configuration

    Port security: Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 28-11. Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 22-12.
  • Page 406: Configuring Interface Speed And Duplex Mode

    Note: The switch might not support a pre-standard powered device, such as Cisco IP phones and access points that do not fully support IEEE 802.3af, if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 407: Setting The Interface Speed And Duplex Parameters

    Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
  • Page 408: Configuring IEEE 802.3x Flow Control

    Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period. Note: Catalyst 3750-X or 3560-X ports can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause...
  • Page 409: Configuring Auto-MDIX On An Interface

    Step 7 show controllers ethernet-controller interface-id phy: Verify the operational state of the auto-MDIX feature on the interface. Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 410: Configuring A Power Management Mode On A PoE Port

    Catalyst 3750-X switches also support StackPower, which allows switch power supplies to share the load across multiple systems in a stack by connecting up to four switches with power stack cables. See Chapter 9, “Configuring Catalyst 3750-X StackPower”...
  • Page 411: Budgeting Power For Devices Connected To A PoE Port

    Chapter 17, “Configuring Voice VLAN.” Budgeting Power for Devices Connected to a PoE Port: When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget accordingly.
  • Page 412 Step 1 configure terminal: Enter global configuration mode. Step 2 no cdp run: (Optional) Disable CDP. Step 3 interface interface-id: Specify the physical port to be configured, and enter interface configuration mode.
  • Page 413: Configuring Power Policing

    If you do not enter the action log keywords, the default action shuts down the port and puts the port in the error-disabled state.
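    The budgeting and policing pages above describe two separate controls: a fixed per-port allocation that overrides what the device requests through CDP, and policing of the power actually drawn against that allocation. The following configuration, added here as an example and not taken from the Cisco guide, shows both, with one port logging overdraw and one port using the default error-disable action. The port numbers are assumptions; the errdisable recovery commands are also an assumption about this release (check errdisable recovery cause ? on the switch before relying on them).

```cisco
! Added example: fixed PoE allocation plus power policing. Port numbers are assumptions.
! Automatic recovery for ports that policing has error-disabled (assumed command for this
! release; confirm with "errdisable recovery cause ?").
errdisable recovery cause inline-power
errdisable recovery interval 300
!
interface GigabitEthernet1/0/5
 ! Cap the allocation for this port at 6.3 W (6300 mW), ignoring CDP requests for more.
 power inline consumption 6300
 ! Police actual draw; on overdraw, log a message and keep the port up.
 power inline police action log
!
interface GigabitEthernet1/0/6
 ! Police actual draw with the default action: overdraw shuts the port down
 ! and places it in the error-disabled state until it is recovered.
 power inline police
```

    Use show power inline to confirm the allocation and show power inline police to see the policing state per port. The log action is the safer first step on ports that carry phones you cannot afford to drop; the default error-disable action is the stronger control for ports where an unexpected draw is more likely to be a rogue or faulty device than a misbudgeted phone.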
  • Page 414: Adding A Description For An Interface

    Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description.
  • Page 415: Configuring Layer 3 Interfaces

    If you try to create an extended-range VLAN, an error message is generated, and the extended-range VLAN is rejected.
  • Page 416 This example shows how to configure a port as a routed port and to assign it an IP address:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 192.20.135.21 255.255.255.0
    Switch(config-if)# no shutdown
  • Page 417: Configuring SVI Autostate Exclude

    Use the system mtu routing bytes global configuration command to specify the system routing MTU value. When configuring the system MTU values, follow these guidelines: The switch does not support the MTU on a per-interface basis.
  • Page 418 Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command.
  • Page 419 MTU value (in bytes). 1. If you use the system mtu bytes command on a Catalyst 3750-X or 3750-E member in a mixed hardware stack, the setting takes effect on the Fast Ethernet ports of Catalyst 3750 members.
  • Page 420: Configuring The Cisco RPS 2300 In A Mixed Stack

    Configuring the Cisco RPS 2300 in a Mixed Stack In a mixed stack with Catalyst 3750-X and 3750-E switches, one or more Catalyst 3750-E switches can be connected to a Cisco Redundant Power System 2300, also known as the RPS 2300. You can configure and manage an RPS 2300 connected to a Catalyst 3750-E switch in the stack.
  • Page 421 Configuring the Cisco RPS 2300 in a Mixed Stack. Beginning in user EXEC mode, follow these steps to configure and manage the RPS 2300: power rps switch-number name {string | serialnumber}: Specify the name of the RPS 2300.
  • Page 422: Configuring The Power Supplies

    The switch does not support the no power supply user EXEC command. To return to the default setting, use the power supply switch-number slot {A | B} on command. For more information about using the power supply user EXEC command, see the command reference for this release.
  • Page 423: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 13-6...
  • Page 424: Clearing And Resetting Interfaces And Counters

    EXEC command. The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number.
  • Page 425: Shutting Down And Restarting The Interface

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 426 Chapter 13 Configuring Interface Characteristics: Monitoring and Maintaining the Interfaces
  • Page 427: Understanding Auto Smartports And Static Smartports Macros

    When there is a link-down event on the port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, Auto Smartports automatically applies the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.
  • Page 428: Chapter 14 Configuring Auto Smartports Macros

    Auto Smartports macro to enable the appropriate VLAN and QoS settings for the device. The switch also uses a built-in MAC-address group to detect the legacy Cisco DMP, based on an OUI of of4400 or 23ac00. You can also create custom user-defined macros for any video device.
  • Page 429: Configuring Auto Smartports

    Auto Smartports Built-In Macros. CISCO_PHONE_AUTO_SMARTPORT: This macro applies the IP phone macro for Cisco IP phones. It enables QoS, port security, storm control, DHCP snooping, and spanning-tree protection. It also configures the access and voice VLANs for that interface.
  • Page 430: Auto Smartports Configuration Guidelines

    Auto Smartports Built-In Macros (continued). CISCO_ROUTER_AUTO_SMARTPORT: This macro applies the router macro for Cisco routers. It enables QoS and trunking with 802.1Q encapsulation, and spanning-tree BPDU protection. CISCO_AP_AUTO_SMARTPORT: This macro applies the wireless access point macro for Cisco APs. It enables QoS and trunking with 802.1Q encapsulation.
  • Page 431: Enabling Auto Smartports

    For 802.1x authentication or MAB, configure the RADIUS server to support the Cisco attribute-value (av) pair auto-smart-port=event trigger to detect non-Cisco devices. For stationary devices that do not support CDP, MAB, or 802.1x authentication, such as network...
  • Page 432: Configuring Auto Smartports Default Parameter Values

    Default Macro:CISCO_PHONE_AUTO_SMARTPORT
    Current Macro:CISCO_PHONE_AUTO_SMARTPORT
    Configurable Parameters:ACCESS_VLAN VOICE_VLAN
    Defaults Parameters:ACCESS_VLAN=1 VOICE_VLAN=2
    Current Parameters:ACCESS_VLAN=1 VOICE_VLAN=2
    Switch# configure terminal
    Switch(config)# macro auto device phone VOICE_VLAN=20
    Switch(config)# end
    Switch# show macro auto device phone
    Device:phone
  • Page 433: Configuring Auto Smartports MAC-Address Groups

    Entering no macro auto execute mac-address-group only removes the mapping of the trigger to the macro.
  • Page 434: Configuring Auto Smartports Macro Persistent

    To disable the Auto Smartports macro persistent feature, use the no macro auto sticky global configuration command. This example shows how to enable the Auto Smartports auto-sticky feature on the switch:
    Switch(config)# macro auto sticky
  • Page 435: Configuring Auto Smartports Built-In Macro Options

    Specify the parameter values: ACCESS_VLAN=1 and VOICE_VLAN=2. CISCO_SWITCH_AUTO_SMARTPORT: specify the parameter values NATIVE_VLAN=1. CISCO_ROUTER_AUTO_SMARTPORT: specify the parameter values NATIVE_VLAN=1. CISCO_AP_AUTO_SMARTPORT: specify the parameter values NATIVE_VLAN=1. CISCO_LWAP_AUTO_SMARTPORT: specify the parameter values ACCESS_VLAN=1.
  • Page 436 This example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch. This example modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:...
  • Page 437: Creating User-Defined Event Triggers

    Creating User-Defined Event Triggers When using MAB or 802.1x authentication to trigger Auto Smartports macros, you need to create an event trigger that corresponds to the Cisco attribute-value pair (auto-smart-port=event trigger) sent by the RADIUS server. This procedure is optional.
  • Page 438
    Switch(config)# macro auto execute RADIUS_MAB_EVENT builtin CISCO_AP_AUTO_SMARTPORT ACCESS_VLAN=10
    Switch(config)# exit
    Switch# show shell triggers
    User defined triggers
    ---------------------
    Trigger Id: RADIUS_MAB_EVENT
    Trigger description: MAC_AuthBypass Event
    Trigger environment:
    Trigger mapping function: CISCO_AP_SMARTPORT
    <output truncated>
  • Page 439
    Switch# show shell functions
    #User defined functions:
    #Built-in functions:
    function CISCO_AP_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
    conf t
    interface $INTERFACE
    macro description $TRIGGER
    switchport trunk encapsulation dot1q
  • Page 440
    $NATIVE_VLAN
    no switchport trunk allowed vlan ALL
    exit
    <output truncated>
  • Page 441: Configuring Auto Smartports User-Defined Macros

    Configuring Auto Smartports User-Defined Macros: The Cisco IOS shell provides basic scripting capabilities for configuring the user-defined Auto Smartports macros. These macros can contain multiple lines and can include any CLI command. You can also define variable substitution, conditionals, functions, and triggers within the macro. This procedure is optional.
  • Page 442 Use the # character to enter comment text. Table 14-3, Unsupported Cisco IOS Shell Reserved Keywords: pipeline; case (conditional construct); esac (conditional construct); looping construct; function (shell function); conditional construct; select (conditional construct); time (pipeline).
  • Page 443: Configuring Static Smartports Macros

    PC, to a switch port. cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 444: Applying Static Smartports Macros

    Applying Static Smartports Macros. Beginning in privileged EXEC mode, follow these steps to apply a static Smartports macro: Step 1 show parser macro: Display the Cisco-default static Smartports macros embedded in the switch software. Display the specific macro that you want to apply.
  • Page 445 You can delete a macro-applied configuration on a port by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, to apply the macro and to set the access VLAN ID to 25 on an interface:...
  • Page 446: Displaying Auto Smartports And Static Smartports Macros

    [interface interface-id]: Displays the static Smartports macro description for all interfaces or for a specified interface. show shell: Displays information about Auto Smartports event triggers and macros.
  • Page 447: Understanding Vlans

    VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 448: Chapter 15 Configuring VLANs

    Although the switch or switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.
  • Page 449: VLAN Port Membership Modes

    Dynamic-Access Ports on VMPS Clients” section on page 15-28. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and a... VTP is not required; it has no effect on a voice VLAN.
  • Page 450: Configuring Normal-Range Vlans

    EXEC command. The vlan.dat file is stored in flash memory. On a Catalyst 3750-X switch, the vlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
  • Page 451: Token Ring Vlans

    The switch does not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
  • Page 452: Saving VLAN Configuration

    If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information.
  • Page 453: Default Ethernet VLAN Configuration

    “Configuring Extended-Range VLANs” section on page 15-10. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 15-4.
  • Page 454: Deleting A VLAN

    Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
  • Page 455: Assigning Static-Access Ports To A VLAN

    This example shows how to configure a port as an access port in VLAN 2:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet0/1
  • Page 456: Configuring Extended-Range VLANs

    VLANs. If VTP mode is server or client, an error message is generated, and the extended-range VLAN is rejected. VTP version 3 supports extended VLANs in server and transparent modes.
  • Page 457: Creating An Extended-Range VLAN

    1 or 2, if you enter an extended-range VLAN ID when the switch is not in VTP transparent mode, an error message is generated when you exit VLAN configuration mode, and the extended-range VLAN is not created.
  • Page 458 This example shows how to create a new extended-range VLAN with all default characteristics, enter VLAN configuration mode, and save the new VLAN in the switch startup configuration file:
    Switch(config)# vtp mode transparent
    Switch(config)# vlan 2000
    Switch(config-vlan)# end
    Switch# copy running-config startup-config
  • Page 459: Creating An Extended-Range VLAN With An Internal VLAN ID

    VTP server mode, and the extended-range VLAN IDs will not be saved. Note: This step is not required for VTP version 3 because VLANs are saved in the VLAN database.
  • Page 460: Displaying VLANs

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: Inter-Switch Link (ISL), a Cisco-proprietary trunking encapsulation, and IEEE 802.1Q, the industry-standard trunking encapsulation.
  • Page 461 You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. Note: DTP is not supported on private-VLAN ports or tunnel ports.
  • Page 462: Encapsulation Types

    The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces decide whether a link becomes an ISL or IEEE 802.1Q trunk.
  • Page 463: IEEE 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 464: Interaction With Other Features

    Step 3 switchport trunk encapsulation {isl | dot1q | negotiate}: Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type.
  • Page 465: Defining The Allowed Vlans On A Trunk

    VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 466: Changing The Pruning-Eligible List

    VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
  • Page 467: Configuring The Native Vlan For Untagged Traffic

    Command and purpose:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
  • Page 468: Configuring Trunk Ports For Load Sharing

    6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
  • Page 469 Step 13: Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack. Step 14: Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
  • Page 470: Load Sharing Using Stp Path Cost

    Figure residue (load-sharing diagram, Switch B trunk labels): VLANs 2 – 4 (path cost 30); VLANs 8 – 10 (path cost 30); VLANs 8 – 10 (path cost 19); VLANs 2 – 4 (path cost 19).
  • Page 471: Configuring Vmps

    Step 5 exit. Step 6: Repeat Steps 2 through 5 on a second interface in Switch A (for a Catalyst 3560-X switch) or in the Switch A stack (for a Catalyst 3750-X switch). Step 7: Return to privileged EXEC mode. Verify your entries.
  • Page 472: Understanding Vmps

    The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
  • Page 473: Default Vmps Client Configuration

    You must turn off trunking on the port before the dynamic-access setting takes effect.
    • Dynamic-access ports cannot be monitor ports.
  • Page 474: Configuring The Vmps Client

    If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.
  • Page 475: Reconfirming Vlan Memberships

    If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch.
  • Page 476: Changing The Retry Count

    • VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent.
  • Page 477: Troubleshooting Dynamic-Access Port Vlan Membership

    • End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 478 Figure residue (VMPS network diagram): Switch E 172.20.26.155; Switch F 172.20.26.156; Switch G 172.20.26.157; Switch H; client Switch I with dynamic-access port, 172.20.26.158, end station 2, trunk port; 172.20.26.159, Catalyst 6500 series, secondary VMPS, Switch J, Server 3.
  • Page 479: Understanding Vtp

    VLANs with the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 480: Chapter 16 Configuring Vtp

    VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 481: Vtp Modes

    VTP off A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
  • Page 482: Vtp Advertisements

    Although VTP version 2 supports only one domain, a VTP version 2 transparent switch forwards a message only when the domain name matches.
  • Page 483: Vtp Version 3

    For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
  • Page 484: Vtp Pruning

    F have no ports in the Red VLAN. Figure 16-1 Flooding Traffic without VTP Pruning (figure residue: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F, Port 1, Port 2, VLAN).
  • Page 485: Vtp And Switch Stacks

    VTP.
    • When a switch joins the stack, it inherits the VTP and VLAN properties of the stack master.
    • All VTP updates are carried across the stack.
  • Page 486: Configuring Vtp

    The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3.
    VTP version: Version 1 (Version 2 is disabled).
    MST database mode: Transparent.
    VTP version 3 server type: Secondary.
    VTP password: None.
    VTP pruning: Disabled.
  • Page 487: Vtp Configuration Guidelines

    If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it.
  • Page 488: Vtp Version

    2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled.
    • Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they...
  • Page 489: Configuration Requirements

    VTP server mode (the default).
    • VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you cannot convert from VTP version 3 to VTP version 2.
  • Page 490 When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
  • Page 491: Configuring A Vtp Version 3 Password

    This example shows how to configure a hidden password and how it appears.
    Switch(config)# vtp password mypassword hidden
    Generating the secret associated to the password.
    Switch(config)# end
    Switch# show vtp password
    VTP password: 89914640C8D90868B6A0D8103847A733
  • Page 492: Configuring A Vtp Version 3 Primary Server

    • In TrCRF and TrBRF Token Ring environments, you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
  • Page 493: Enabling Vtp Pruning

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List” section on page 15-20.
  • Page 494: Configuring Vtp On A Per-Port Basis

    Step 3 vtp domain domain-name: The VLAN information on the switch is updated and the configuration revision number is reset to 0. Step 4: You return to privileged EXEC mode.
  • Page 495: Monitoring Vtp

    show vtp password: Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
    show vtp status: Display the VTP switch configuration information.
  • Page 496 Chapter 16 Configuring VTP Monitoring VTP
  • Page 497: Understanding Voice Vlan

    This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
  • Page 498: Chapter 17 Configuring Voice Vlan

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 499: Configuring Voice Vlan

    For more information, see Chapter 39, “Configuring QoS.”
    • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
  • Page 500: Configuring A Port Connected To A Cisco 7960 Ip Phone

    • voice VLAN, the Port Fast feature is not automatically disabled.
    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: They both use IEEE 802.1p or untagged frames.
  • Page 501: Configuring Cisco Ip Phone Voice Traffic

    Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 502: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 503: Displaying Voice Vlan

    Step 6 copy running-config startup-config
    This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
    Switch# configure terminal
    Enter configuration commands, one per line.
  • Page 504 Chapter 17 Configuring Voice VLAN Displaying Voice VLAN
  • Page 505: Understanding Private Vlans

    Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 506: Chapter 18 Configuring Private Vlan

    These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN. Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
  • Page 507: Ip Addressing Scheme With Private Vlans

    VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
  • Page 508: Private Vlans Across Multiple Switches

    Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.
  • Page 509: Private Vlans And Svis

    • Configuring a Layer 2 Interface as a Private-VLAN Host Port, page 18-11
    • Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port, page 18-12
    • Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface, page 18-13
  • Page 510: Tasks For Configuring Private Vlans

    VLAN, you should not change the VTP mode to client or server. For information about VTP, see Chapter 16, “Configuring VTP.” VTP version 3 supports private VLANs in all modes.
  • Page 511 – on the secondary VLAN is applied. – For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.
  • Page 512: Private-Vlan Port Configuration

    Chapter 32, “Configuring SPAN and RSPAN.”
    • Do not configure private-VLAN ports on interfaces configured for these other features:
    – dynamic-access port VLAN membership
    – Dynamic Trunking Protocol (DTP)
    – Port Aggregation Protocol (PAgP)
  • Page 513: Configuring And Associating Vlans In A Private Vlan

    VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
    Step 7 private-vlan isolated: Designate the VLAN as an isolated VLAN.
    Step 8 exit: Return to global configuration mode.
  • Page 514
    Switch(config)# vlan 501
    Switch(config-vlan)# private-vlan isolated
    Switch(config-vlan)# exit
    Switch(config)# vlan 502
    Switch(config-vlan)# private-vlan community
    Switch(config-vlan)# exit
    Switch(config)# vlan 503
    Switch(config-vlan)# private-vlan community
    Switch(config-vlan)# exit
    Switch(config)# vlan 20
    Switch(config-vlan)# private-vlan association 501-503
  • Page 515: Configuring A Layer 2 Interface As A Private-Vlan Host Port

    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: 20 501
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
  • Page 516: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

    VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode private-vlan promiscuous
    Switch(config-if)# switchport private-vlan mapping 20 add 501-503
    Switch(config-if)# end
  • Page 517: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    VLAN ingress traffic from private VLANs 501 to 502:
    Switch# configure terminal
    Switch(config)# interface vlan 10
    Switch(config-if)# private-vlan mapping 501-502
    Switch(config-if)# end
    Switch# show interfaces private-vlan mapping
    Interface Secondary VLAN Type
  • Page 518: Monitoring Private Vlans

    This is an example of the output from the show vlan private-vlan command:
    Switch(config)# show vlan private-vlan
    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
                      isolated          Gi2/0/1, Gi3/0/1, Gi3/0/2
                      community         Gi2/0/11, Gi3/0/1, Gi3/0/4
                      non-operational
  • Page 519: Understanding Ieee 802.1Q Tunneling

    The Catalyst 3750-X or 3560-X switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 520: C H A P T E R 19 Configuring Ieee 802.1Q And Layer 2 Protocol Tunneling

    When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 19-2 shows the tag structures of the double-tagged packets.
  • Page 521 (The default is zero if none is configured.) On Catalyst 3750-X switches, because 802.1Q tunneling is configured on a per-port basis, it does not matter whether the switch is a standalone switch or a stack member. All configuration is done on the stack master.
  • Page 522: Configuring Ieee 802.1Q Tunneling

    The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
  • Page 523: System Mtu

    IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by adding 4 bytes to the system MTU and system jumbo MTU sizes.
  • Page 524: Ieee 802.1Q Tunneling And Other Features

    • When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Layer Link Discovery Protocol (LLDP) are automatically disabled on the interface.
  • Page 525: Configuring An Ieee 802.1Q Tunneling Port

    Switch(config-if)# exit
    Switch(config)# vlan dot1q tag native
    Switch(config)# end
    Switch# show dot1q-tunnel interface gigabitethernet1/0/7
    Port
    -----
    Gi1/0/1
    Port
    -----
    Switch# show vlan dot1q tag native
    dot1q native vlan tagging is enabled
  • Page 526: Understanding Layer 2 Protocol Tunneling

    VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
  • Page 527 When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
  • Page 528: Configuring Layer 2 Protocol Tunneling

    When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 529: Default Layer 2 Protocol Tunneling Configuration

    BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic.
  • Page 530: Layer 2 Protocol Tunneling Configuration Guidelines

    PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets.
  • Page 531: Configuring Layer 2 Protocol Tunneling

    Step 11 show l2protocol: Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
    Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 532: Configuring Layer 2 Tunneling For Etherchannels

    If no keyword is entered, tunneling is enabled for all three protocols. Caution: To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.
  • Page 533 [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [[point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
  • Page 534: Configuring The Customer Switch

    Switch(config-if)# l2protocol-tunnel point-to-point udld
    Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
    Switch(config-if)# exit
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport access vlan 18
    Switch(config-if)# switchport mode dot1q-tunnel
    Switch(config-if)# l2protocol-tunnel point-to-point pagp
    Switch(config-if)# l2protocol-tunnel point-to-point udld
  • Page 535
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# udld enable
    Switch(config-if)# channel-group 1 mode desirable
    Switch(config-if)# exit
    Switch(config)# interface port-channel 1
    Switch(config-if)# shutdown
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
  • Page 536: Monitoring And Maintaining Tunneling Status

    show vlan dot1q tag native: Display the status of native VLAN tagging on the switch. For detailed information about these displays, see the command reference for this release.
  • Page 537: Understanding Spanning-Tree Features

    ID. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 538: Chapter 20 Configuring Stp

    Note: By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can change the default for an interface by entering the [no] keepalive interface configuration command with no keywords.
  • Page 539: Spanning-Tree Topology And Bpdus

    – Selects the lowest path cost to the root switch
    – Selects the lowest designated bridge ID
    – Selects the lowest designated path cost
    – Selects the lowest port ID
  • Page 540: Bridge Id, Switch Priority, And Extended System Id

    VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
  • Page 541: Spanning-Tree Interface States

    An interface moves through these states:
    • From initialization to blocking
    • From blocking to listening or to disabled
    • From listening to learning or to disabled
  • Page 542: Blocking State

    An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
  • Page 543: Listening State

    A disabled interface performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
  • Page 544: How A Switch Or Port Becomes The Root Switch Or Root Port

    Spanning-Tree Address Management IEEE 802.1D specifies 17 multicast addresses, ranging from 0x00180C2000000 to 0x0180C2000010, to be used by different bridge protocols. These addresses are static addresses that cannot be removed.
  • Page 545: Accelerated Aging To Retain Connectivity

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 546: Supported Spanning-Tree Instances

    The standard requires only one spanning-tree instance for all VLANs allowed on the trunks. However, in a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks.
  • Page 547: Vlan-Bridge Spanning Tree

    Configuring STP Understanding Spanning-Tree Features When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 548: Configuring Spanning-Tree Features

    Spanning-tree port priority (configurable on a per-interface basis): 128.
    Spanning-tree port cost (configurable on a per-interface basis): 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
    Spanning-tree VLAN port priority (configurable on a per-VLAN basis): 128.
  • Page 549: Spanning-Tree Configuration Guidelines

    You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network.
  • Page 550: Changing The Spanning-Tree Mode

    Step 5: Return to privileged EXEC mode.
  • Page 551: Disabling Spanning Tree

    ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.
  • Page 552 Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time, spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration commands.
  • Page 553: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command.
  • Page 554: Configuring Port Priority

    Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. For more information, see the “Configuring Path Cost” section on page 20-20.
  • Page 555 For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 15-22.
  • Page 556: Configuring Path Cost

    Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
  • Page 557: Configuring The Switch Priority Of A Vlan

    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 558: Configuring Spanning-Tree Timers

    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 559: Configuring The Forwarding-Delay Time For A Vlan

    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 560: Configuring The Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 561: Configuring Mstp

    CHAPTER 21 Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-X or 3560-X switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 562: Chapter 21 Configuring Mstp

    Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
  • Page 563: Operations Within An Mst Region

    CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 564 VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Page 565: Ieee 802.1S Terminology

    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 566: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 567: Interoperation Between Legacy And Standard Switches

    Detecting Unidirectional Link Failure: This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 568: Mstp And Switch Stacks

    IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role
  • Page 569: Understanding Rstp

    A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology.
  • Page 570: Rapid Convergence

    Operational status Disabled: STP port state Disabled, RSTP port state Discarding. To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 571: Synchronization Of Port Roles

    RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
  • Page 572: Bridge Protocol Data Unit Format And Processing

    RSTP flag fields. Table 21-3 RSTP BPDU Flags (bit: function):
    0: Topology change (TC)
    1: Proposal
    2–3: Port role (00 Unknown, 01 Alternate port, 10 Root port, 11 Designated port)
    4: Learning
    5: Forwarding
    6: Agreement
    7: Topology change acknowledgement (TCA)
  • Page 573: Processing Superior Bpdu Information

    IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
  • Page 574: Configuring Mstp Features

    MSTP configuration. Table 21-4 Default MSTP Configuration (feature: default setting). Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled). Switch priority (configurable on a per-CIST port basis): 32768.
  • Page 575: Mstp Configuration Guidelines

    • VLAN-to-instance map, the same configuration revision number, and the same name.
    • For two or more stacked Catalyst 3750-X switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
  • Page 576: Specifying The Mst Region Configuration And Enabling Mstp

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required. Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst configuration: Enter MST configuration mode.
  • Page 577
    Switch(config)# spanning-tree mst configuration
    Switch(config-mst)# instance 1 vlan 10-20
    Switch(config-mst)# name region1
    Switch(config-mst)# revision 1
    Switch(config-mst)# show pending
    Pending MST configuration
    Name      [region1]
    Revision  ...
  • Page 578: Configuring The Root Switch

    Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 579: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
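    The region configuration, the region-consistency requirement from the configuration guidelines, and the per-instance primary/secondary root procedure, worked through on two core switches. This is an added example and not configuration from the guide; the hostnames CORE-1 and CORE-2, the region name, the VLAN ranges and the interface number are assumptions.

```cisco
! Added example (not from the guide). Two core switches share one MST region with two
! instances. Hostnames, region name, VLAN ranges and interface are assumptions.
!
! CORE-1. Name, revision and the VLAN-to-instance map must be byte-for-byte identical
! on every switch of the region; a mismatch silently splits the region and every
! instance collapses back onto the CIST at the new boundary.
CORE-1(config)# spanning-tree mst configuration
CORE-1(config-mst)# name campus
CORE-1(config-mst)# revision 1
CORE-1(config-mst)# instance 1 vlan 10-20
CORE-1(config-mst)# instance 2 vlan 30-40
CORE-1(config-mst)# show pending
CORE-1(config-mst)# exit
! Switching the mode restarts all spanning-tree instances; do it in a maintenance window.
CORE-1(config)# spanning-tree mode mst
! CORE-1 is root for the IST (instance 0) and instance 1, secondary for instance 2.
CORE-1(config)# spanning-tree mst 0 root primary
CORE-1(config)# spanning-tree mst 1 root primary
CORE-1(config)# spanning-tree mst 2 root secondary
!
! CORE-2: identical region block, mirrored root roles so instance 2 traffic uses the
! other uplink (load sharing without per-VLAN instances).
CORE-2(config)# spanning-tree mst configuration
CORE-2(config-mst)# name campus
CORE-2(config-mst)# revision 1
CORE-2(config-mst)# instance 1 vlan 10-20
CORE-2(config-mst)# instance 2 vlan 30-40
CORE-2(config-mst)# exit
CORE-2(config)# spanning-tree mode mst
CORE-2(config)# spanning-tree mst 0 root secondary
CORE-2(config)# spanning-tree mst 1 root secondary
CORE-2(config)# spanning-tree mst 2 root primary
!
! Verification. The configuration digest must match on both switches; a neighbour in
! another region (or running PVST+) shows as Bound(RSTP)/Bound(PVST) boundary port.
CORE-1# show spanning-tree mst configuration digest
CORE-2# show spanning-tree mst configuration digest
CORE-1# show spanning-tree mst 1
CORE-1# show spanning-tree mst interface gigabitethernet1/0/1
```

    Checking the digest on both switches is the fast way to catch a VLAN range typed differently on one of them; the names and revisions can match while the map does not, and only the digest reflects all three.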
  • Page 580: Configuring Port Priority

    MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Note: If your Catalyst 3750-X switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state.
  • Page 581: Configuring Path Cost

    If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 582: Configuring The Switch Priority

    Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 583: Configuring The Hello Time

    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
  • Page 584: Configuring The Forwarding-Delay Time

    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
  • Page 585: Configuring The Maximum-Hop Count

    Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 586: Designating The Neighbor Type

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
  • Page 587: Displaying The Mst Configuration And Status

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 589: Understanding Optional Spanning-Tree Features

    (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 590: Chapter 22 Configuring Optional Spanning-Tree Features

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 591: Understanding Bpdu Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 22-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 592 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 593: Understanding Cross-Stack Uplinkfast

    Switch C Understanding Cross-Stack UplinkFast For Catalyst 3750-X switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
  • Page 594: How Csuf Works

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 595: Events That Cause Fast Convergence

    BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
  • Page 596 If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The Catalyst 3750-X switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack. The Catalyst 3560-X switch sends the RLQ request on all alternate paths and...
  • Page 597 Switch A, the root switch. [Figure 22-8 Adding a Switch in a Shared-Medium Topology: Switch A (Root), Switch B, Switch C (Designated bridge), blocked port, added switch]
  • Page 598: Understanding Etherchannel Guard

    MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command. Caution: Misuse of the root-guard feature can cause a loss of connectivity.
  • Page 599: Understanding Loop Guard

    • Enabling BPDU Guard, page 22-13 (optional)
    • Enabling BPDU Filtering, page 22-14 (optional)
    • Enabling UplinkFast for Use with Redundant Links, page 22-15 (optional)
    • Enabling Cross-Stack UplinkFast, page 22-16 (optional)
  • Page 600: Default Optional Spanning-Tree Configuration

    UplinkFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. On a Catalyst 3750-X switch, you can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 601: Enabling Bpdu Guard

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 602: Enabling Bpdu Filtering

    Caution: Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
  • Page 603: Enabling Uplinkfast For Use With Redundant Links

    You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 604: Enabling Cross-Stack Uplinkfast

    To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command. Enabling BackboneFast: You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
  • Page 605: Enabling Etherchannel Guard

    EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
  • Page 606: Enabling Root Guard

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Step 1 show spanning-tree active or show spanning-tree mst: Verify which interfaces are alternate or root ports. Step 2 configure terminal: Enter global configuration mode.
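    The BPDU guard, Port Fast, root guard and loop guard sections above each describe one control; this added example (not configuration from the guide) puts them together on one access switch, which is how they are normally deployed. The hostname ACCESS, the port ranges, the partner-facing port Gi1/0/47 and the uplink Gi1/0/49 are assumptions.

```cisco
! Added example (not from the guide): hardening an access switch against rogue bridges.
! Hostname, port ranges, partner port (Gi1/0/47) and uplink (Gi1/0/49) are assumptions.
!
! 1. End-station ports: Port Fast plus BPDU guard. Any BPDU arriving on such a port
!    (an unmanaged switch, a bridged VM, a BPDU-injection tool trying to become root)
!    err-disables the port instead of joining the topology.
ACCESS(config)# spanning-tree portfast default
ACCESS(config)# spanning-tree portfast bpduguard default
! The global form only covers ports that are operationally Port Fast; set both
! explicitly on the access range so that a later per-port change cannot drop it.
ACCESS(config)# interface range gigabitethernet1/0/1 - 46
ACCESS(config-if-range)# switchport mode access
ACCESS(config-if-range)# spanning-tree portfast
ACCESS(config-if-range)# spanning-tree bpduguard enable
ACCESS(config-if-range)# exit
! Recover err-disabled ports after 5 minutes; one stray BPDU should not leave a desk
! port dead until an operator intervenes, but the syslog message still fires.
ACCESS(config)# errdisable recovery cause bpduguard
ACCESS(config)# errdisable recovery interval 300
!
! 2. A port toward a switch that must never become root (partner-managed equipment):
!    root guard. A superior BPDU moves the port to root-inconsistent (blocking) and it
!    recovers by itself once the superior BPDUs stop.
ACCESS(config)# interface gigabitethernet1/0/47
ACCESS(config-if)# spanning-tree guard root
ACCESS(config-if)# exit
!
! 3. The uplink (root or alternate port): loop guard. If BPDUs stop arriving because
!    the link went unidirectional, the port becomes loop-inconsistent instead of
!    silently moving to forwarding and creating a loop. Root guard and loop guard are
!    mutually exclusive on a port, and loop guard never belongs on a Port Fast port.
ACCESS(config)# interface gigabitethernet1/0/49
ACCESS(config-if)# spanning-tree guard loop
ACCESS(config-if)# exit
!
! BPDU filtering is deliberately absent: it suppresses BPDUs instead of reacting to
! them, so a loop through a filtered port is hidden rather than detected.
!
! Verification
ACCESS# show spanning-tree summary
ACCESS# show spanning-tree inconsistentports
ACCESS# show errdisable recovery
ACCESS# show interfaces status err-disabled
```

    show spanning-tree inconsistentports is the one to watch: a port listed there as root-inconsistent means something behind it is advertising a better bridge ID than the real root, which is either a misconfiguration or an attempt to take over the topology.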
  • Page 607: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 609: Understanding Flex Links And The Mac Address-Table Move Update

    Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-X or 3560-X switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 610: Vlan Flex Link Load Balancing And Support

    You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On Catalyst 3750-X switches, the Flex Link can be on the same switch or on another switch in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
  • Page 611: Chapter 23 Configuring Flex Links And The Mac Address-Table Move Update Feature

    When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query.
  • Page 612: Leaking Igmp Reports

    Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401:
    Switch# show ip igmp snooping mrouter
    Vlan    ports
    ----    -----
    1       Gi1/0/11(dynamic), Gi1/0/12(dynamic)
    401     Gi1/0/11(dynamic), Gi1/0/12(dynamic)
  • Page 613 GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:
    Switch# show ip igmp snooping groups
    Vlan    Group        Type    Version    Port List
    -----------------------------------------------------------------------
    1       228.1.5.1    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
    1       228.1.5.2    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
  • Page 614: Mac Address-Table Move Update

    100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.
  • Page 615: Configuring Flex Links And Mac Address-Table Move Update

    • You can configure up to 16 backup links.
    • You can configure only one Flex Link backup link for any active link, and it must be a different interface from the active interface.
  • Page 616: Default Configuration

    Step 3 switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 617 Step 5 switchport backup interface interface-id preemption delay delay-time: Configure the time delay until a port preempts another port. Note: Setting a delay time only works with forced and bandwidth modes. Step 6 end: Return to privileged EXEC mode.
  • Page 618: Configuring Vlan Load Balancing On Flex Links

    Step 6 copy running-config startup-config: (Optional) Save your entries in the switch startup configuration file. To disable the VLAN load balancing feature, use the no switchport backup interface interface-id prefer vlan vlan-range interface configuration command.
  • Page 619
    Vlans Preferred on Active Interface: 1-2,5-4094
    Vlans Preferred on Backup Interface: 3-4
    Preemption Mode : off
    Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4)
    Mac Address Move Update Vlan : auto
  • Page 620: Configuring The Mac Address-Table Move Update Feature

    This example shows how to configure an access switch to send MAC address-table move update messages:
    Switch# configure terminal
    Switch(conf)# interface gigabitethernet1/0/1
    Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2
    Switch(conf-if)# exit
    Switch(conf)# mac address-table move update transmit
    Switch(conf)# end
  • Page 621 EXEC command. This example shows how to configure a switch to get and process MAC address-table move update messages:
    Switch# configure terminal
    Switch(conf)# mac address-table move update receive
    Switch(conf)# end
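    A complete Flex Links deployment that ties together the pairing, VLAN load balancing, preemption and MAC address-table move update steps from this chapter. It is an added example, not configuration from the guide; the hostnames ACCESS-1, DIST-A and DIST-B, the interfaces Gi1/0/1 and Gi1/0/2 and the VLAN numbers are assumptions.

```cisco
! Added example (not from the guide). ACCESS-1 has two uplinks, Gi1/0/1 (active) and
! Gi1/0/2 (backup), to DIST-A and DIST-B. Hostnames, ports and VLANs are assumptions.
!
! Flex Links disable spanning tree on both members of the pair, so the pair itself is
! the only loop protection on these links; make sure neither upstream switch depends
! on receiving BPDUs from ACCESS-1 through them.
ACCESS-1(config)# interface gigabitethernet1/0/2
ACCESS-1(config-if)# switchport mode trunk
ACCESS-1(config-if)# switchport trunk allowed vlan 10,20
ACCESS-1(config-if)# exit
ACCESS-1(config)# interface gigabitethernet1/0/1
ACCESS-1(config-if)# switchport mode trunk
ACCESS-1(config-if)# switchport trunk allowed vlan 10,20
! Pair the interfaces (all further Flex Links commands are entered on the active one).
ACCESS-1(config-if)# switchport backup interface gigabitethernet1/0/2
! VLAN load balancing: VLAN 20 is forwarded on the backup while both links are up;
! it moves to Gi1/0/1 only if Gi1/0/2 fails.
ACCESS-1(config-if)# switchport backup interface gigabitethernet1/0/2 prefer vlan 20
! Preempt back to the higher-bandwidth link, but only after it has been up 30 s
! (the delay is honoured only in forced and bandwidth modes, not in off mode).
ACCESS-1(config-if)# switchport backup interface gigabitethernet1/0/2 preemption mode bandwidth
ACCESS-1(config-if)# switchport backup interface gigabitethernet1/0/2 preemption delay 30
! On failover, tell the upstream switches to flush the hosts they learned behind the
! old link; without this they keep forwarding to the dead link until MAC aging.
ACCESS-1(config-if)# switchport backup interface gigabitethernet1/0/2 mmu primary vlan 10
ACCESS-1(config-if)# exit
ACCESS-1(config)# mac address-table move update transmit
!
! The update is ignored unless the receiving switches are configured to process it.
DIST-A(config)# mac address-table move update receive
DIST-B(config)# mac address-table move update receive
!
! Verification: active/standby state, preferred VLANs, preemption mode and MMU VLAN.
ACCESS-1# show interfaces switchport backup detail
ACCESS-1# show mac address-table move update
```

    The backup interface must carry the same trunk configuration as the active one; a VLAN allowed on Gi1/0/1 but not on Gi1/0/2 is simply lost during failover, and nothing in the Flex Links status output warns about it.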
  • Page 622: Monitoring Flex Links And The Mac Address-Table Move Update

    show interfaces [interface-id] switchport backup: Displays the Flex Links and the state of each active and backup interface (up or standby mode). show mac address-table move update: Displays the MAC address-table move update information on the switch.
  • Page 623: Understanding Dhcp Features

    This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750-X or 3560-X switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 624: Chapter 24 Configuring Dhcp Features And Ip Source Guard

    • For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 625: Option-82 Data Insertion

    DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  • Page 626
    – Circuit-ID type
    – Length of the circuit-ID type
    • Remote-ID suboption fields
    – Suboption type
    – Length of the suboption type
    – Remote-ID type
    – Length of the remote-ID type
  • Page 627
    – The length values are variable, depending on the length of the string that you configure.
    • Remote-ID suboption fields
    – The remote-ID type is 1.
    – The length values are variable, depending on the length of the string that you configure.
  • Page 628: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 629: Dhcp Snooping And Switch Stacks

    DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.
  • Page 630: Configuring Dhcp Features

    • Enabling DHCP Snooping and Option 82, page 24-12
    • Enabling DHCP Snooping on Private VLANs, page 24-14
    • Enabling the Cisco IOS DHCP Server Database, page 24-14
    • Enabling the DHCP Snooping Binding Database Agent, page 24-15
    Default DHCP Configuration...
  • Page 631: Dhcp Snooping Configuration Guidelines

    • DHCP server and the DHCP relay agent are configured and enabled.
    • When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
  • Page 632: Configuring The Dhcp Server

    RSPAN VLANs, DHCP packets might not reach the RSPAN destination port. Configuring the DHCP Server: The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 633: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures:
    • Checking (validating) the relay agent information
    ...
  • Page 634: Enabling Dhcp Snooping And Option 82

    • Configured hostname for the switch. Note: If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration. The default remote ID is the switch MAC address.
  • Page 635 To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.
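    The DHCP snooping and option-82 procedure above, carried through on an edge switch and the aggregation switch behind it, including the binding database agent described later in this chapter. This is an added example and not configuration from the guide; the hostnames ACCESS-1 and DIST-A, the VLANs, the uplink Gi1/0/49, the rate limit and the flash file name are assumptions.

```cisco
! Added example (not from the guide). ACCESS-1 is the edge switch; DHCP servers are
! reachable only through its uplink Gi1/0/49 toward DIST-A. Hostnames, VLANs, ports,
! rate limit and file name are assumptions.
!
! --- ACCESS-1 (edge) ---
ACCESS-1(config)# ip dhcp snooping
ACCESS-1(config)# ip dhcp snooping vlan 10,20
! Option 82 tags each relayed request with the switch (remote-ID) and port (circuit-ID)
! the client is on, so the server or a DHCP log can tie a lease to a physical port.
! The remote-ID defaults to the switch MAC; the hostname (max 63 chars) is readable.
ACCESS-1(config)# ip dhcp snooping information option
ACCESS-1(config)# ip dhcp snooping information option format remote-id hostname
! Uplink: the only port from which a DHCPOFFER/DHCPACK is accepted. Server replies
! arriving on any untrusted port (a rogue DHCP server on a desk port) are dropped.
ACCESS-1(config)# interface gigabitethernet1/0/49
ACCESS-1(config-if)# ip dhcp snooping trust
ACCESS-1(config-if)# exit
! Access ports stay untrusted. Rate-limit DHCP so a DISCOVER flood cannot exhaust
! the server pool or the switch CPU; a port over the limit is err-disabled.
ACCESS-1(config)# interface range gigabitethernet1/0/1 - 48
ACCESS-1(config-if-range)# ip dhcp snooping limit rate 15
ACCESS-1(config-if-range)# exit
ACCESS-1(config)# errdisable recovery cause dhcp-rate-limit
! Persist the binding table so that IP source guard and dynamic ARP inspection, which
! both depend on it, do not drop every host after a reload.
ACCESS-1(config)# ip dhcp snooping database flash:/dhcp-snoop.db
ACCESS-1(config)# ip dhcp snooping database write-delay 30
!
! --- DIST-A (aggregation) ---
! Requests from ACCESS-1 arrive with option 82 already set but with giaddr 0.0.0.0,
! which a snooping switch drops on an untrusted port. Either trust the port toward
! the edge switch (below) or, to keep it untrusted, accept option 82 from it with
! "ip dhcp snooping information option allow-untrusted".
DIST-A(config)# ip dhcp snooping
DIST-A(config)# ip dhcp snooping vlan 10,20
DIST-A(config)# interface gigabitethernet1/0/1
DIST-A(config-if)# ip dhcp snooping trust
DIST-A(config-if)# exit
!
! Verification
ACCESS-1# show ip dhcp snooping
ACCESS-1# show ip dhcp snooping binding
ACCESS-1# show ip dhcp snooping database
```

    The check worth making after enabling this is to plug a DHCP server into an untrusted port and confirm that its offers never reach a client; show ip dhcp snooping statistics on releases that support it, or simply the absence of a lease from that server, confirms the trust boundary is where you intended.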
  • Page 636: Enabling Dhcp Snooping On Private Vlans

    VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database: For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 637: Enabling The Dhcp Snooping Binding Database Agent

    To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.
  • Page 638: Displaying Dhcp Snooping Information

    These sections contain this information:
    • Source IP Address Filtering, page 24-17
    • Source IP and MAC Address Filtering, page 24-17
    • IP Source Guard for Static Hosts, page 24-17
  • Page 639: Source Ip Address Filtering

    In a stacked environment, when the master failover occurs, the IP source guard entries for static hosts attached to member ports are retained. When you enter the show ip device tracking all EXEC command, the IP device tracking table displays the entries as ACTIVE.
  • Page 640: Configuring Ip Source Guard

    VLANs, the source IP address filter is applied on all the VLANs. Note: If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.
  • Page 641: Enabling Ip Source Guard

    The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic. Step 4 exit: Return to global configuration mode.
  • Page 642: Configuring Ip Source Guard For Static Hosts

    IP device tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface. This requirement also applies to IPSG with static hosts on a private VLAN host port.
  • Page 643 IP or MAC binding entries
    This example shows how to stop IPSG with static hosts on an interface.
    Switch(config-if)# no ip verify source
    Switch(config-if)# no ip device tracking max
  • Page 644 INACTIVE.
    Switch# show ip device tracking all
    IP Device Tracking = Enabled
    IP Device Tracking Probe Count = 3
    IP Device Tracking Probe Interval = 30
    ---------------------------------------------------------------------
  • Page 645 This example displays the count of all IP device tracking host entries for all interfaces:
    Switch# show ip device tracking all count
    Total IP Device Tracking Host entries: 5
    ---------------------------------------------------------------------
    Interface    Maximum Limit    Number of Entries
    ---------------------------------------------------------------------
    Gi1/0/3 ...
  • Page 646: Configuring Ip Source Guard For Static Hosts On A Private Vlan Host Port

    Step 17 show ip device tracking all: Verify the configuration. Step 18 show ip verify source interface interface-id: Verify the IP source guard configuration. Display IPSG permit ACLs for static hosts.
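    The three IP source guard variants this chapter describes (DHCP-learned bindings, a manually added binding, and IPSG for static hosts driven by IP device tracking) on one switch. This is an added example and not configuration from the guide; the hostname, port numbers, VLAN, the tracking maximum and the printer's MAC and IP address are constructed assumptions.

```cisco
! Added example (not from the guide). DHCP snooping must already be running on the
! VLAN: its binding table is what IPSG filters against. Hostname, ports, VLAN and the
! MAC/IP values below are constructed assumptions.
ACCESS-1(config)# ip dhcp snooping
ACCESS-1(config)# ip dhcp snooping vlan 10
!
! 1. DHCP clients on Gi1/0/1-40: filter on source IP AND MAC. With port-security the
!    MAC must match the binding too, so a host cannot keep its own MAC and borrow a
!    neighbour's IP, or spoof both from a captured lease. Port security must be on.
ACCESS-1(config)# interface range gigabitethernet1/0/1 - 40
ACCESS-1(config-if-range)# switchport mode access
ACCESS-1(config-if-range)# switchport access vlan 10
ACCESS-1(config-if-range)# switchport port-security
ACCESS-1(config-if-range)# ip verify source port-security
ACCESS-1(config-if-range)# exit
!
! 2. A statically addressed printer on Gi1/0/41 never gets a DHCP binding; add one
!    by hand or all of its traffic is dropped the moment IPSG is enabled on the port.
ACCESS-1(config)# ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface gigabitethernet1/0/41
ACCESS-1(config)# interface gigabitethernet1/0/41
ACCESS-1(config-if)# switchport mode access
ACCESS-1(config-if)# switchport access vlan 10
ACCESS-1(config-if)# switchport port-security
ACCESS-1(config-if)# ip verify source port-security
ACCESS-1(config-if)# exit
!
! 3. IPSG for static hosts on Gi1/0/42: bindings are learned by IP device tracking
!    (ARP probing) rather than typed in. Tracking must be enabled globally AND the
!    port needs a maximum; without both, the port rejects all IP traffic.
ACCESS-1(config)# ip device tracking
ACCESS-1(config)# interface gigabitethernet1/0/42
ACCESS-1(config-if)# switchport mode access
ACCESS-1(config-if)# switchport access vlan 10
ACCESS-1(config-if)# ip device tracking maximum 5
ACCESS-1(config-if)# ip verify source tracking port-security
ACCESS-1(config-if)# exit
!
! Verification: per-port filter type and the IP/MAC currently permitted. A host that
! is not in the table sees its traffic dropped with no error sent back to it.
ACCESS-1# show ip verify source
ACCESS-1# show ip source binding
ACCESS-1# show ip device tracking all
```

    The tracking maximum on Gi1/0/42 is also the cap on how many addresses a single port can claim; a host that cycles through source addresses fills those five entries and is then filtered, which is the intended behaviour, so pick a value that matches the real number of devices expected behind the port.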
  • Page 647: Displaying Ip Source Guard Information

    Commands for Displaying IP Source Guard Information (command: purpose). show ip source binding: Display the IP source bindings on a switch. show ip verify source: Display the IP source guard configuration on the switch.
  • Page 648: Understanding Dhcp Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 649: Enabling Dhcp Server Port-Based Address Allocation

    DHCP address pool. Step 4: address ip-address client-id string [ascii]. Reserve an IP address for a DHCP client identified by the interface name. The string can be an ASCII value or a hexadecimal value.
  • Page 650 1 subnet is currently in the pool:
    Current index    IP address range    Leased/Excluded/Total
    10.1.1.1    10.1.1.1 - 10.1.1.254    / 4 / 254
    1 reserved address is currently in the pool
    Address    Client
    10.1.1.7    Et1/0
  • Page 651: Displaying Dhcp Server Port-Based Address Allocation

    For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 653: Understanding Dynamic Arp Inspection

    Catalyst 3750-X or 3560-X switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 654: C H A P T E R 25 Configuring Dynamic Arp Inspection

    “Configuring ARP ACLs for Non-DHCP Environments” section on page 25-8. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 25-5.
  • Page 655: Interface Trust States And Network Security

    If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 656: Rate Limiting Of Arp Packets

    The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
  • Page 657: Logging Of Dropped Packets

    The rate is unlimited on all trusted interfaces. The burst interval is 1 second. ARP ACLs for non-DHCP environments: No ARP ACLs are defined. Validation checks: No checks are performed.
  • Page 658: Dynamic Arp Inspection Configuration Guidelines

    30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
  • Page 659: Configuring Dynamic Arp Inspection In Dhcp Environments

    This procedure is required. Step 1: show cdp neighbors. Verify the connection between the switches. Step 2: configure terminal. Enter global configuration mode.
  • Page 660: Configuring Arp Acls For Non-Dhcp Environments

    This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 25-2 on page 25-3 does not support dynamic ARP inspection or DHCP snooping.
  • Page 661 ACL. Packets are permitted only if the access list permits them. Step 6: interface interface-id. Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
  • Page 662: Limiting The Rate Of Incoming Arp Packets

    If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 663 To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
  • Page 664: Performing Validation Checks

    To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
  • Page 665: Configuring The Log Buffer

    The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 666: Displaying Dynamic Arp Inspection Information

    ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
  • Page 667 show ip arp inspection log: Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
  • Page 669 Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 670: Chapter 26 Configuring Igmp Snooping And Mvr

    For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236. Note: The multicast router (which could be a Catalyst 3750-X switch with the IP services feature set on the stack master) sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.
  • Page 671: Igmp Versions

    Table 26-1, that includes the port numbers connected to Host 1 and the router. Table 26-1 IGMP Snooping Forwarding Table: Destination Address 224.1.2.3, Type of Packet IGMP, Ports 1, 2.
  • Page 672: Leaving A Multicast Group

    If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.
  • Page 673: Immediate Leave

    IGMPv2, and IGMPv3 reports for a group to the multicast devices. If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 26-14.
  • Page 674: Igmp Snooping And Switch Stacks

    IGMP snooping Immediate Leave: Disabled. Static groups: None configured. TCN (1) flood query count: 2. TCN query solicitation: Disabled. IGMP snooping querier: Disabled. IGMP report suppression: Enabled. 1. TCN = Topology Change Notification.
  • Page 675: Enabling Or Disabling Igmp Snooping

    • Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 676: Configuring A Multicast Router Port

    To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
  • Page 677: Configuring A Host Statically To Join A Group

    Step 5: copy running-config startup-config. To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command.
  • Page 678: Enabling Igmp Immediate Leave

    The actual leave latency in the network is usually the configured leave time. However, the leave time might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface.
  • Page 679: Configuring Tcn-Related Commands

    Step 2: ip igmp snooping tcn flood query count count. Specify the number of IGMP general queries for which the multicast traffic is flooded. The range is 1 to 10. By default, the flooding query count is 2.
  • Page 680: Recovering From Flood Mode

    Beginning in privileged EXEC mode, follow these steps to disable multicast flooding on an interface: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
  • Page 681: Configuring The Igmp Snooping Querier

    IP address, the querier tries to use the global IP address configured for the IGMP querier. Note: The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.
  • Page 682: Disabling Igmp Report Suppression

    IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers.
  • Page 683: Displaying Igmp Snooping Information

    IGMP snooping.
    • ip_address: Display characteristics of the multicast group with the specified group IP address.
    • user: Display only the user-configured multicast entries.
  • Page 684: Understanding Multicast Vlan Registration

    VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs.
  • Page 685: Using Mvr In A Multicast Television Application

    VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
  • Page 686 VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the
  • Page 687: Configuring Mvr

    If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message.
  • Page 688: Configuring Mvr Global Parameters

    Step 9: copy running-config startup-config. (Optional) Save your entries in the configuration file. To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
  • Page 689: Configuring Mvr Interfaces

    Note: This command applies only to receiver ports and should only be enabled on receiver ports to which a single receiver device is connected. Step 7: Return to privileged EXEC mode.
  • Page 690: Displaying Mvr Information

    VLAN ID range is 1 to 1001 and 1006 to 4094. show mvr members [ip-address]: Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address.
  • Page 691: Configuring Igmp Filtering And Throttling

    Default IGMP Filtering Configuration: IGMP filters: None applied. IGMP maximum number of IGMP groups: No maximum set. IGMP profiles: None defined. IGMP profile action: Deny the range addresses.
  • Page 692: Configuring Igmp Profiles

    To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
  • Page 693: Applying Igmp Profiles

    To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command. This example shows how to apply IGMP profile 4 to a port:
    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# ip igmp filter 4
    Switch(config-if)# end
  • Page 694: Setting The Maximum Number Of Igmp Groups

    EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group. When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
  • Page 695 Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
  • Page 696: Displaying Igmp Filtering And Throttling Configuration

    Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 697: Understanding Mld Snooping

    You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 698: Chapter 27 Configuring Ipv6 Mld Snooping

    • Multicast Router Discovery, page 27-4
    • MLD Reports, page 27-4
    • MLD Done Messages and Immediate-Leave, page 27-4
    • Topology Change Notification Processing, page 27-5
    • MLD Snooping in Switch Stacks, page 27-5
  • Page 699: Mld Messages

    You can configure port membership removal from addresses based on the number of queries. A port is removed from membership to an address only when there are no reports to the address on the port for the configured number of queries. The default number is 2.
  • Page 700: Multicast Router Discovery

    MASQs. A port is removed from membership to an address when there are no MLDv1 reports to the address on the port for the configured number of queries.
  • Page 701: Topology Change Notification Processing

    • Configuring a Multicast Router Port, page 27-8
    • Enabling MLD Immediate Leave, page 27-9
    • Configuring MLD Snooping Queries, page 27-10
    • Disabling MLD Listener Message Suppression, page 27-11
  • Page 702: Default Mld Snooping Configuration

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-X or 3560-X switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 703: Enabling Or Disabling Mld Snooping
  • Page 704: Configuring A Static Multicast Group

    (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
  • Page 705: Enabling Mld Immediate Leave

    To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130:
    Switch# configure terminal
    Switch(config)# ipv6 mld snooping vlan 130 immediate-leave
    Switch(config)# exit
  • Page 706: Configuring Mld Snooping Queries

    Step 11: (Optional) Verify the MLD snooping querier information for the switch or for the VLAN. Step 12: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 707: Disabling Mld Listener Message Suppression

    Step 4: show ipv6 mld snooping. Verify that IPv6 MLD snooping report suppression is disabled. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 708: Displaying Mld Snooping Information

    Enter user to display MLD snooping user-configured group information for the switch or for a VLAN. show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address]: Display MLD snooping for the specified VLAN and IPv6 multicast address.
  • Page 709: Configuring Storm Control

    This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 710 Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 711: C H A P T E R 28 Configuring Port-Based Traffic Control

    Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
  • Page 712
    • Select the shutdown keyword to error-disable the port during a storm.
    • Select the trap keyword to generate an SNMP trap when a storm is detected.
    Step 5: Return to privileged EXEC mode.
  • Page 713: Configuring Small-Frame Arrival Rate

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 714: Configuring Protected Ports

    • Default Protected Port Configuration, page 28-6
    • Protected Port Configuration Guidelines, page 28-7
    • Configuring a Protected Port, page 28-7
    Default Protected Port Configuration: The default is to have no protected ports defined.
  • Page 715: Protected Port Configuration Guidelines

    Note: With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
    • Default Port Blocking Configuration, page 28-8
    • Blocking Flooded Traffic on an Interface, page 28-8
  • Page 716: Default Port Blocking Configuration

    MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
  • Page 717: Understanding Port Security

    If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
  • Page 718: Security Violations

    In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs. Table 28-1 shows the violation mode and the actions taken when you configure an interface for port security.
  • Page 719: Default Port Security Configuration

    When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice...
  • Page 720 VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 721: Enabling And Configuring Port Security

    Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 722 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
  • Page 723 VLAN. Step 11: Return to privileged EXEC mode. Step 12: show port-security. Verify your entries. Step 13: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 724
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport voice vlan 22
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 20
    Switch(config-if)# switchport port-security violation restrict
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
  • Page 725: Enabling And Configuring Port Security Aging

    Step 4: Return to privileged EXEC mode. Step 5: show port-security [interface interface-id] [address]. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 726: Port Security And Switch Stacks

    Step 5: Return to privileged EXEC mode. Step 6: show port-security [interface interface-id] [address]. Verify your entries. Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 727: Displaying Port-Based Traffic Control Settings

    show port-security interface interface-id vlan: Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 729: Understanding Cdp

    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 730: Cdp And Switch Stacks

    Step 3: cdp holdtime seconds. (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.
  • Page 731: Chapter 29 Configuring Cdp

    29-5. Disabling and Enabling CDP: CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
  • Page 732: Disabling And Enabling Cdp On An Interface

    Step 5: copy running-config startup-config. This example shows how to enable CDP on a port when it has been disabled.
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# cdp enable
    Switch(config-if)# end
  • Page 733: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic: Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 735 This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 736: C H A P T E R 30 Configuring Lldp, Lldp-Med, And Wired Location Service

    Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs.
  • Page 737: Lldp-Med

    The switch uses the location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 738: Wired Location Service

    If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information.
  • Page 739: Default Lldp Configuration

    • You cannot configure static secure MAC addresses on an interface that has a network-policy profile.
    • You cannot configure a network-policy profile on a private-VLAN port.
    • For wired location to function, you must first enter the ip device tracking global configuration command.
  • Page 740: Configuring Lldp, Lldp-Med, And Wired Location Service

    Step 2: lldp holdtime seconds. (Optional) Specify the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.
  • Page 741 Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.
  • Page 742 Step 5 interface interface-id: Specify the interface on which you are configuring a network-policy profile, and enter interface configuration mode. Step 6 network-policy profile number: Specify the network-policy profile number.
  • Page 743: Configuring Location Tlv And Wired Location Service

    • format. Step 3 exit: Return to global configuration mode. Step 4 interface interface-id: Specify the interface on which you are configuring the location information, and enter interface configuration mode.
  • Page 744 30. Step 4: Return to privileged EXEC mode. Step 5 show network-policy profile: Verify the configuration. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 745 TLVs. show location: Display the location information for an endpoint. show network-policy profile: Display the configured network-policy profiles. show nmsp: Display the NMSP information.
  • Page 746: Monitoring And Maintaining Lldp, Lldp-Med, And Wired Location Service

    Chapter 30 Configuring LLDP, LLDP-MED, and Wired Location Service: Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
  • Page 747: Understanding Udld

    This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 748: Chapter 31 Configuring Udld

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
  • Page 749 If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
  • Page 750: Configuration Guidelines

    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 751: Enabling Udld Globally

    To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
  • Page 752: Enabling Udld On An Interface

    • The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
  • Page 753: Displaying Udld Status

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 754 Chapter 31 Configuring UDLD: Displaying UDLD Status
  • Page 755: Understanding Span And Rspan

    This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 756: Chapter 32 Configuring Span And Rspan

    Figure: Example of Local SPAN Configuration on a Single Switch (Port 5 traffic mirrored on Port 10; network analyzer).
  • Page 757: Remote Span

    RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 758: Span And Rspan Concepts And Terminology

    SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN data, which is directed to the destination port.
  • Page 759 – An RSPAN destination session cannot have a local source port. – An RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch or switch stack.
  • Page 760: Monitored Traffic

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 761: Source Ports

    • VLAN filtering applies only to trunk ports or to voice VLAN ports.
    • VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
  • Page 762: Destination Port

    • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
    • The maximum number of destination ports in a switch or switch stack is 64.
  • Page 763: Rspan Vlan

    • CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.
    • VTP—You can use VTP to prune an RSPAN VLAN between switches.
  • Page 764: Span And Rspan And Switch Stacks

    For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
  • Page 765: Understanding Flow-Based Span

    IPv4 and MAC FSPAN ACLs are supported on all feature sets. IPv6 FSPAN ACLs are supported only in the advanced IP services feature set. For information on configuring the switch for FSPAN and FRSPAN, see the “Configuring FSPAN and FRSPAN” section on page 32-24.
  • Page 766: Configuring Span And Rspan

    • Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.
  • Page 767: Creating A Local Span Session

    This is the default. • rx—Monitor received traffic. • tx—Monitor sent traffic. Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 768 Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
  • Page 769: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 770: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 771: Configuring Rspan

    RSPAN VLANs; do not assign access ports to these VLANs. • You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
  • Page 772: Configuring A Vlan As An Rspan Vlan

    Step 5 copy running-config startup-config: (Optional) Save the configuration in the configuration file. To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command.
  • Page 773: Creating An Rspan Source Session

    For session_number, enter the number defined in Step 3. For vlan-id, specify the source RSPAN VLAN to monitor. Step 5: Return to privileged EXEC mode.
  • Page 774: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 775: Creating An Rspan Destination Session

    | remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 776: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 777 VLAN 6 as the default receiving VLAN. Switch(config)# monitor session 2 source remote vlan 901 Switch(config)# monitor session 2 destination interface gigabitethernet0/2 ingress vlan 6 Switch(config)# end
  • Page 778: Configuring Fspan And Frspan

    • Port-based FSPAN sessions can be configured on a stack that includes Catalyst 3750 or Catalyst 3750-E switches as long as the session only includes Catalyst 3750-X ports as source ports. If the session has any Catalyst 3750 or Catalyst 3750-E ports as source ports, the FSPAN ACL command is rejected.
  • Page 779: Configuring An Fspan Session

    This is the default. • rx—Monitor received traffic. • tx—Monitor sent traffic. Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 780: Configuring An Frspan Session

    | remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 781 Step 9: Return to privileged EXEC mode. Step 10 show monitor [session session_number] / show running-config: Verify the configuration. Step 11 copy running-config startup-config: (Optional) Save the configuration in the configuration file.
  • Page 782: Displaying Span, Rspan, Fspan, And Frspan Status

    To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions.
  • Page 783: Understanding Rmon

    Configuring RMON
    This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 784: Chapter 33 Configuring Rmon

    Note: 64-bit counters are not supported for RMON alarms.
    Configuring RMON
    • Default RMON Configuration, page 33-3
    • Configuring RMON Alarms and Events, page 33-3 (required)
    • Collecting Group History Statistics on an Interface, page 33-5 (optional)
  • Page 785: Default Rmon Configuration

    • (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
    • (Optional) For owner string, specify the owner of the alarm.
  • Page 786 This example also generates an SNMP trap when the event is triggered. Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Page 787: Collecting Group History Statistics On An Interface

    This procedure is optional. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface on which to collect statistics, and enter interface configuration mode.
  • Page 788: Displaying Rmon Status

    show rmon statistics: Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 789: Understanding System Message Logging

    Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 790: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 791: C H A P T E R 34 Configuring System Message Logging

    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down (Switch-2)
  • Page 792: Default System Message Logging Configuration

    Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 no logging console: Disable message logging. Step 3: Return to privileged EXEC mode.
  • Page 793: Setting The Message Display Destination Device

    To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 34-12.
  • Page 794: Synchronizing Log Messages

    Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
  • Page 795 Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 796: Enabling And Disabling Time Stamps On Log Messages

    Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 service sequence-numbers: Enable sequence numbers. Step 3: Return to privileged EXEC mode.
  • Page 797: Defining The Message Severity Level

    To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 798: Limiting Syslog Messages Sent To The History Table And To Snmp

    By default, one message of the level warning and numerically lower levels (see Table 34-3 on page 34-10) is stored in the history table even if syslog traps are not enabled.
  • Page 799: Enabling The Configuration-Change Logger

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 800: Configuring Unix Syslog Servers

    Logging Messages to a UNIX Syslog Daemon
    Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.
  • Page 801: Configuring The Unix System Logging Facility

    Step 4 logging facility facility-type: Configure the syslog facility. See Table 34-4 on page 34-14 for facility-type keywords. The default is local7. Step 5: Return to privileged EXEC mode.
  • Page 802: Displaying The Logging Configuration

    Displaying the Logging Configuration
    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 803: Understanding Snmp

    MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events. On the Catalyst 3750-X switch, the stack master handles the SNMP requests and traps for the whole switch stack. The stack master transparently manages any requests or traps that are related to all stack members.
  • Page 804: Chapter 35 Configuring Snmp

    A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 805: Snmp Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later.
  • Page 806: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com.
    Using SNMP to Access MIB Variables
    An example of an NMS is the CiscoWorks network management software.
  • Page 807: Snmp Notifications

    The switch uses one of the values in Table 35-3 to assign an ifIndex value to an interface:
    Table 35-3 ifIndex Values
    Interface Type    ifIndex Range
                      1–4999
    EtherChannel      5000–5012
    Loopback          5013–5077
  • Page 808: Configuring Snmp

    If no type is specified, all notifications are sent. 1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
  • Page 809: Snmp Configuration Guidelines

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 810: Configuring Community Strings

    MIB objects. By default, the community string permits read-only access to all objects. • (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 811: Configuring Snmp Groups And Users

    You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
  • Page 812 64 characters) that is the name of the view in which you specify a notify, inform, or trap. • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 813 Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user EXEC command. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 814: Configuring Snmp Notifications

    By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note: Many commands use the word traps in the command syntax. Unless there is an option in the command to select either traps or informs, the keyword traps refers to traps, informs, or both.
  • Page 815 You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 35-5.
  • Page 816 Avoid using the @ symbol as part of the SNMP community string when configuring this command. • (Optional) For notification-type, use the keywords listed in Table 35-5 on page 35-12. If no type is specified, all notifications are sent.
  • Page 817 To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
  • Page 818: Setting The Cpu Threshold Notification Types And Values

    Dial System Operator at beeper 21555. Step 3 snmp-server location text: Set the system location string. For example: snmp-server location Building 3/Room 222. Step 4: Return to privileged EXEC mode.
  • Page 819: Limiting Tftp Servers Used Through Snmp

    Step 4: Return to privileged EXEC mode. Step 5 show running-config: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 820: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 821: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 35-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference.
    Table 35-6 Commands for Displaying SNMP Information
    Feature / Default Setting
    Displays SNMP statistics.
  • Page 822 Chapter 35 Configuring SNMP: Displaying SNMP Status
  • Page 823: Understanding Embedded Event Manager

    An EEM policy defines an event and the actions to be taken when that event occurs. This chapter tells how to use EEM and how to configure it on a Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a standalone switch or a Catalyst 3750-X switch stack.
  • Page 824 (Figure labels: EEM APPLET, EEM SCRIPT.) See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment. • Event Detectors, page 36-3 • Embedded Event Manager Actions, page 36-4 • Embedded Event Manager Policies, page 36-4 •...
  • Page 825: C H A P T E R 36 Configuring Embedded Event Manager

    • Counter event detector—Publishes an event when a named counter crosses a specified threshold. • Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50 an event would be...
  • Page 826: Embedded Event Manager Actions

    • Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when one of these events occurs: – CPU utilization for a Cisco IOS process crosses a threshold. – Memory utilization for a Cisco IOS process crosses a threshold.
  • Page 827: Embedded Event Manager Environment Variables

    • Cisco built-in variables (available in EEM applets): Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
  • Page 828: Configuring Embedded Event Manager

    • Registering and Defining an Embedded Event Manager TCL Script, page 36-7
    For complete information about configuring embedded event manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. To configure EEM, you must have the IP services feature set installed on the switch.
  • Page 829: Registering And Defining An Embedded Event Manager Tcl Script

    This example shows the sample output for the show event manager environment command:
    Switch# show event manager environment all
    Name             Value
    _cron_entry      0-59/2 0-23/1 * * 0-6
    _show_cmd        show ver
    _syslog_pattern  .*UPDOWN.*Ethernet1/0.*
  • Page 830: Displaying Embedded Event Manager Information

    Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6
    This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
  • Page 831 Configuring Network Security with ACLs: This chapter describes how to configure network security on the Catalyst 3750-X or 3560-X switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch...
  • Page 832: C H A P T E R 37 Configuring Network Security With Acls

    • Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound). For more information, see the “Router ACLs” section on page 37-4.
  • Page 833: Port Acls

    Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
  • Page 834: Router Acls

    The switch supports these access lists for IPv4 traffic: • Standard IP access lists use source addresses for matching operations. • Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
  • Page 835: Vlan Maps

    Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.
  • Page 836: Acls And Switch Stacks

    The stack master performs these ACL functions: • It processes the ACL configuration and propagates the information to all stack members. • It distributes the ACL information to any switch that joins the stack.
  • Page 837: Configuring Ipv4 Acls

    ACL information to all switches in the stack.
    Configuring IPv4 ACLs
    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 838: Creating Standard And Extended Ipv4 Acls

    AppleTalk access list; 700–799 48-bit MAC address access list; 800–899 IPX standard access list; 900–999 IPX extended access list; 1000–1099 IPX SAP access list; 1100–1199 Extended 48-bit MAC address access list...
  • Page 839: Acl Logging

    IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval...
  • Page 840: Creating A Numbered Standard Acl

    Switch(config)# access-list 2 deny host 171.69.198.102
    Switch(config)# access-list 2 permit any
    Switch(config)# end
    Switch# show access-lists
    Standard IP access list 2
    10 deny 171.69.198.102
    20 permit any
    ...
  • Page 841: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 •...
  • Page 842 • DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values...
  • Page 843 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 844 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. (Optional) Define an extended IGMP access list and the access conditions.
  • Page 845: Resequencing Aces In An Acl

    Note: The ACL must be an extended named ACL. – match input-interface interface-id-list – match ip dscp dscp-list – match ip precedence ip-precedence-list You cannot enter the match access-group acl-index command...
  • Page 846 Step 5 ... Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove a named extended ACL, use the no ip access-list extended name global configuration command...
  • Page 847: Using Time Ranges With Acls

    Note: The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 7-1...
  • Page 848
    Switch(config)# access-list 188 permit tcp any any time-range workhours
    Switch(config)# end
    Switch# show access-lists
    Extended IP access list 188
    10 deny tcp any any time-range new_year_day_2006 (inactive)
    20 permit tcp any any time-range workhours (inactive)
    ...
  • Page 849: Including Comments In Acls

    For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 37-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 37-31...
  • Page 850: Applying An Ipv4 Acl To An Interface

    These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message...
  • Page 851 When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security...
  • Page 852: Hardware And Software Treatment Of Ip Acls

    Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers...
  • Page 853: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 854: Acls In A Small Networked Office

    Note that with extended ACLs, you must enter the protocol (IP) before the source and destination information.
    Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
    Switch(config)# end
    Switch# show access-lists
    ...
  • Page 855: Numbered Acls

    Internet.
    Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
    Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ip access-group 102 in
    ...
  • Page 856: Named Acls

    Smith is not allowed access:
    Switch(config)# access-list 1 remark Permit only Jones workstation through
    Switch(config)# access-list 1 permit 171.69.2.88
    Switch(config)# access-list 1 remark Do not allow Smith workstation through
    Switch(config)# access-list 1 deny 171.69.3.13
    ...
  • Page 857: Acl Logging

    0.0.0.255 and denies all UDP packets.
    Switch(config)# ip access-list extended ext1
    Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
    Switch(config-ext-nacl)# deny udp any any log
    Switch(config-ext-nacl)# exit
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# ip access-group ext1 in
    ...
  • Page 858: Creating Named Mac Extended Acls

    Note: Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands...
  • Page 859
    Switch(config)# mac access-list extended mac1
    Switch(config-ext-macl)# deny any any decnet-iv
    Switch(config-ext-macl)# permit any any
    Switch(config-ext-macl)# end
    Switch# show access-lists
    Extended MAC access list mac1
    10 deny any any decnet-iv
    20 permit any any
    ...
  • Page 860: Applying A Mac Acl To A Layer 2 Interface

    ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security...
  • Page 861: Configuring Vlan Maps

    A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map...
  • Page 862: Creating A Vlan Map

    Entering this command changes to access-map configuration mode. Step 3 action {drop | forward}: (Optional) Set the action for the map entry. The default is to forward...
  • Page 863: Examples Of Acls And Vlan Maps

    ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
    Switch(config)# ip access-list extended ip2
    Switch(config-ext-nacl)# permit udp any any
    Switch(config-ext-nacl)# exit
    Switch(config)# vlan access-map map_1 20
    Switch(config-access-map)# match ip address ip2
    Switch(config-access-map)# action forward
    ...
  • Page 864
    Switch(config-ext-nacl)# exit
    Switch(config)# vlan access-map drop-mac-default 10
    Switch(config-access-map)# match mac address good-hosts
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-mac-default 20
    Switch(config-access-map)# match mac address good-protocols
    Switch(config-access-map)# action forward
    ...
  • Page 865: Applying A Vlan Map To A Vlan

    Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A...
  • Page 866: Denying Access To A Server On Another Vlan

    (see Figure 37-5): • Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access. • Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access...
  • Page 867: Using Vlan Maps With Router Acls

    ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic...
  • Page 868: Vlan Maps And Router Acl Configuration Guidelines

    If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses...
  • Page 869: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Figure 37-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged...
  • Page 870: Acls And Routed Packets

    Figure 37-8 Applying ACLs on Routed Packets Input Output VLAN 10 router router VLAN 20 Frame Host A Host B (VLAN 10) (VLAN 20) Routing function VLAN 10 VLAN 20 Packet Catalyst 3750-X and 3560-X Switch Software Configuration Guide 37-40 OL-21521-01...
  • Page 871: Acls And Multicast Packets

    (numbered or named). show ip access-lists [number | name]: Display the contents of all current IP access lists or a specific IP access list (numbered or named)...
  • Page 872 Show information about all VLAN access maps or the specified access map. show vlan filter [access-map name | vlan vlan-id]: Show information about all VLAN filters or about a specified VLAN or VLAN access map...
  • Page 873: Configuring Ipv6 Acls

    Note: This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
  • Page 874: Chapter 38 Configuring IPv6 ACLs

    • The same statistics supported in IPv4 are supported for IPv6 ACLs. • If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software...
  • Page 875: Ipv6 Acl Limitations

    With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: The switch does not support matching on these keywords: flowlabel, routing header, and •...
  • Page 876: Configuring Ipv6 Acls

    • You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames. • If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software...
  • Page 877: Creating Ipv6 Acls

    • (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295. • (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement...
  • Page 878 [dscp value] [log] [log-input] [routing] [sequence value] [time-range name] (... and code names, use the ? key or see the command reference for this release.) Step 4: Return to privileged EXEC mode...
  • Page 879: Applying An Ipv6 Acl To An Interface

    This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
  • Page 880: Displaying Ipv6 Acls

    Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
    Switch(config)# interface gigabitethernet 1/0/3
    Switch(config-if)# no switchport
    ...
  • Page 881: Configuring Qos

    It sends the packets without any assurance of reliability, delay bounds, or throughput. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 882: Understanding Qos

    You must reload the switch after configuring the dual IPv4 and IPv6 templates. For more information, see Chapter 8, “Configuring SDM Templates.” IPv6 QoS is not supported on switches running the LAN base feature set...
  • Page 883: Chapter 39 Configuring QoS

    Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic...
  • Page 884: Basic Qos Model

    • Scheduling services the four egress queues based on their configured SRR shared or shaped weights. • One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced...
  • Page 885: Classification

    0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame...
  • Page 886 Note: IPv6 QoS is not supported on switches running the LAN base feature set. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages...
  • Page 887: Classification Based On Qos Acls

    You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). You can also classify IP traffic based on IPv6 ACLs. Note: IPv6 ACLs are not supported on switches running the LAN base feature set...
  • Page 888: Classification Based On Class Maps And Policy Maps

    The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded...
  • Page 889: Policing And Marking

    “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 39-60, and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 39-67...
  • Page 890: Policing On Physical Ports

    • A nonhierarchical policy map on a physical port. • The interface level of a hierarchical policy map attached to an SVI. The physical ports are specified in this secondary policy map...
  • Page 891: Policing On Svis

    SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map...
  • Page 892 [flowchart residue: Verify the out-of-profile action configured for this policer. Pass through; Drop: Drop packet; Mark: Modify DSCP according to the policed-DSCP map. Generate a new QoS label. Done]...
  • Page 893: Mapping Tables

    Scheduling on Ingress Queues” section on page 39-16. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 39-19...
  • Page 894: Queueing And Scheduling Overview

    Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 39-6 and Figure 39-7. Figure 39-6 Ingress and Egress Queue Location on Catalyst 3750-X Switches [figure labels: Policer, Marker, Egress queues, Stack ring, Policer]...
  • Page 895: Weighted Tail Drop

    Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues...
  • Page 896: Queueing And Scheduling On Ingress Queues

    Queueing and Scheduling on Ingress Queues Figure 39-9 and Figure 39-10 show the queueing and scheduling flowcharts for ingress ports. Figure 39-9 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750-X Switches [flowchart: Start; Read QoS label (DSCP or CoS value); Determine ingress queue number, buffer allocation, and WTD thresholds.]
  • Page 897 You can configure the bandwidth required for this traffic as a percentage of the total traffic or total stack traffic on Catalyst 3750-X switches by using the mls qos srr-queue input priority-queue global configuration command. The expedite queue has guaranteed bandwidth.
  • Page 898 DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the “Configuring Ingress Queue Characteristics” section on page 39-75...
  • Page 899: Queueing And Scheduling On Egress Queues

    Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 39-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-X Switches [flowchart: Start; Receive packet from the stack ring.]
  • Page 900 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free...
  • Page 901 You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command...
  • Page 902: Packet Modification

    For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions...
  • Page 903: Configuring Auto-Qos

    Note: IPv6 Auto-QoS is not supported on switches running the LAN base feature set. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 904: Generated Auto-Qos Configuration

    The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to...
  • Page 905 DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The...
  • Page 906
    Switch(config)# mls qos srr-queue input bandwidth 90
    Switch(config)# mls qos srr-queue input threshold 1 8 16
    Switch(config)# mls qos srr-queue input threshold 2 34 66
    Switch(config)# mls qos srr-queue input buffers 67
    ...
  • Page 907 DSCP value received in the packet on a routed port by using the mls qos trust dscp command. Switch(config-if)# mls qos trust device cisco-phone: If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
  • Page 908: Effects Of Auto-Qos On The Configuration

    Auto-QoS Configuration Guidelines Before configuring auto-QoS, you should be aware of this information: • Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. • Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
  • Page 909: Enabling Auto-Qos For Voip

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 910: Auto-Qos Configuration Example

    Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 39-14. For optimum QoS performance, enable auto-QoS on all the devices in the network...
  • Page 911 Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed...
  • Page 912 Step 6 exit: Return to global configuration mode. Step 7: Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Specify the switch port identified as connected to a trusted switch or router, and...
  • Page 913: Displaying Auto-Qos Information

    (optional, unless you need to use the DSCP-to-DSCP-mutation map or the policed-DSCP map) • Configuring Ingress Queue Characteristics, page 39-75 (optional) • Configuring Egress Queue Characteristics, page 39-79 (optional)...
  • Page 914: Default Standard Qos Configuration

    DSCP input queue threshold map when QoS is enabled. Table 39-8 Default DSCP Input Queue Threshold Map (DSCP Value: Queue ID–Threshold ID): 0–39: 1–1; 40–47: 2–1; 48–63: 1–1...
  • Page 915: Default Egress Queue Configuration

    DSCP output queue threshold map when QoS is enabled. Table 39-11 Default DSCP Output Queue Threshold Map (DSCP Value: Queue ID–Threshold ID): 0–15: 2–1; 16–31: 3–1; 32–39: 4–1; 40–47: 1–1; 48–63: 4–1...
  • Page 916: Default Mapping Table Configuration

    Whenever possible, you should minimize the number of lines in a QoS ACL. IPv6 QoS ACL Guidelines See Understanding IPv6 ACLs, page 38-2. Note: IPv6 QoS ACLs are not supported on switches running the LAN base feature set...
  • Page 917: Applying Qos On Interfaces

    Note: IPv6 QoS is not supported on switches running the LAN base feature set. You can enable IPv6 QoS on a switch or a switch stack. If the stack includes only Catalyst 3750-X and Catalyst 3750-E switches, the QoS configuration applies to all traffic. These are the guidelines for IPv6 QoS in a stack that includes one or more Catalyst 3750 switches: Any switch can be the stack master.
  • Page 918: Policing Guidelines

    • QoS policies that include IPv6-specific classification (such as an IPv6 ACL or the match protocol ipv6 command) are supported on Catalyst 3750-X and Catalyst 3750-E interfaces and on any SVI when a Catalyst 3750-X or Catalyst 3750-E switch is part of the stack.
  • Page 919: Enabling Vlan-Based Qos On Physical Ports

    By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, you can enable VLAN-based QoS on a switch port.
  • Page 920: Configuring Classification Using Port Trust States

    QoS domain. Figure 39-15 shows a sample network topology. Figure 39-15 Port Trusted States within the QoS Domain [figure labels: Trusted interface, Trunk, Traffic classification performed here, Trusted boundary]...
  • Page 921: Configuring The Cos Value For An Interface

    Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports...
  • Page 922: Configuring A Trusted Boundary To Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 923: Enabling Dscp Transparency Mode

    Configuring QoS Configuring Standard QoS In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 924: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    Figure 39-16 DSCP-Trusted State on a Port Bordering Another QoS Domain [figure: IP traffic between QoS Domain 1 and QoS Domain 2; Set interface to the DSCP-trusted state; Configure the DSCP-to-DSCP-mutation map]...
  • Page 925 DSCP 30:
    Switch(config)# mls qos map dscp-mutation gigabitethernet1/0/2-mutation 10 11 12 13 to 30
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# mls qos trust dscp
    Switch(config-if)# mls qos dscp-mutation gigabitethernet1/0/2-mutation
    Switch(config-if)# end
    ...
  • Page 926: Configuring A Qos Policy

    Note: When you create an access list, remember that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. Step 3: Return to privileged EXEC mode...
  • Page 927 Note: When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end...
  • Page 928 Step 2 ipv6 access-list access-list-name: Create an IPv6 ACL, and enter IPv6 access-list configuration mode. Access list names cannot contain a space or quotation mark or begin with a numeric...
  • Page 929 Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To delete an access list, use the no ipv6 access-list access-list-name global configuration command...
  • Page 930 Step 5 ... access-list-name] Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To delete an access list, use the no mac access-list extended access-list-name global configuration command...
  • Page 931: Classifying Traffic By Using Class Maps

    [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
    mac access-list extended name
    {permit | deny} {host src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
    ...
  • Page 932 You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see Cisco IOS Quality of Service Solutions Command Reference...
  • Page 933 This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
    Switch(config)# class-map class3
    Switch(config-cmap)# match ip precedence 5 6 7
    Switch(config-cmap)# end
    Switch#
    ...
  • Page 934: Classifying Traffic By Using Class Maps And Filtering Ipv6 Traffic

    • For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7. Step 5: Return to privileged EXEC mode...
  • Page 935 Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface G0/1 Switch(config-if)# switch mode access Switch(config-if)# service-policy input pm1 Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-55 OL-21521-01...
  • Page 936: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    Using Hierarchical Policy Maps” section on page 39-60. A policy-map and a port trust state can both run on a physical interface. The policy-map is applied before • the port trust state. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-56 OL-21521-01...
  • Page 937 By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-57 OL-21521-01...
  • Page 938 DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 39-72. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-58 OL-21521-01...
  • Page 939 Switch(config-ext-mac)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp Switch(config-ext-mac)# exit Switch(config)# mac access-list extended maclist2 Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-59 OL-21521-01...
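    The physical-port procedure on pages 936 to 939 end to end, as an added example that is not taken from the guide: it enables QoS, classifies with numbered extended ACLs, marks, polices, and attaches the policy to an access port. The interface number, ACL numbers, the 10.20.0.0/16 voice subnet and the rates are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Assumed: voice subnet 10.20.0.0/16,
! access port Gi1/0/5, ACL numbers and rates chosen for illustration.
!
! Policy maps do nothing until QoS is globally enabled. A port is untrusted
! by default, so any DSCP/CoS the host sets is rewritten to 0 unless a class
! below marks it; that rewrite is the trust boundary for an untrusted port.
Switch(config)# mls qos
!
! Classification ACLs (numbered extended ACLs, the style the guide uses)
Switch(config)# access-list 110 permit udp 10.20.0.0 0.0.255.255 any range 16384 32767
Switch(config)# access-list 111 permit icmp any any
!
Switch(config)# class-map cm-voice
Switch(config-cmap)# match access-group 110
Switch(config-cmap)# exit
Switch(config)# class-map cm-icmp
Switch(config-cmap)# match access-group 111
Switch(config-cmap)# exit
!
Switch(config)# policy-map pm-access-in
! Voice: mark EF (DSCP 46) but cap it at 1 Mb/s. Excess is not dropped; it
! is remarked through the policed-DSCP map (page 952). That map defaults to
! identity, so without configuring it the mark-down changes nothing.
Switch(config-pmap)# class cm-voice
Switch(config-pmap-c)# set dscp 46
Switch(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
! ICMP: keep best effort and hard-limit it to 256 kb/s, a ceiling on ping
! floods from this port. 8000 bytes is the smallest burst the switch accepts.
Switch(config-pmap)# class cm-icmp
Switch(config-pmap-c)# set dscp 0
Switch(config-pmap-c)# police 256000 8000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# service-policy input pm-access-in
Switch(config-if)# end
!
! Verification. show policy-map interface is not supported on this platform
! (page 967), so use the per-port QoS counters instead.
Switch# show policy-map pm-access-in
Switch# show mls qos interface gigabitethernet1/0/5 statistics
Switch# show mls qos interface gigabitethernet1/0/5 policers
```

    Traffic from the port that matches neither class is still subject to the untrusted-port rewrite, so it leaves with DSCP 0; only the two explicit classes are marked or policed.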
  • Page 940: Classifying, Policing, And Marking Traffic On Svis By Using Hierarchical Policy Maps

    Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps: • Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical...
  • Page 941 – When the switch stack divides into two or more switch stacks, the stack master in each switch stack re-enables and reconfigures these features on all applicable interfaces on the stack members, including the stack master.
  • Page 942 • For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
  • Page 943 This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map. Step 9 exit Return to class-map configuration mode. Step 10 exit Return to global configuration mode.
  • Page 944 By default, no policy-map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Page 945 Step 21 exit Step 22 exit Return to global configuration mode. Step 23 interface interface-id Specify the SVI to which to attach the hierarchical policy map, and enter interface configuration mode.
  • Page 946 Switch(config-cmap)# exit Switch(config)# policy-map port-plcmap Switch(config-pmap)# class cm-interface-1 Switch(config-pmap-c)# police 900000 9000 exc policed-dscp-transmit Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# policy-map vlan-plcmap Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 7 Switch(config-pmap-c)# service-policy port-plcmap-1
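    The hierarchical (SVI) procedure on pages 940 to 946 as one complete configuration, added here as an example and not taken from the guide. It shows the part the excerpt only alludes to: the member ports must be switched to VLAN-based QoS, the child policy may contain only policers, and each child class matches exactly one input interface. VLAN 10, ports Gi1/0/1-2, the 10.10.0.0/16 subnet, ACL number and rates are assumptions.

```cisco
! Added example (not from the guide). Assumed: user VLAN 10 on Gi1/0/1-2,
! ACL 120 and the policer rates are illustrative.
Switch(config)# mls qos
!
! 1. Hierarchical policy maps act only on ports in VLAN-based QoS mode;
!    a port left in the default port-based mode ignores the SVI policy.
Switch(config)# interface range gigabitethernet1/0/1 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# mls qos vlan-based
Switch(config-if-range)# exit
!
! 2. Parent (VLAN-level) class: which traffic the policy covers
Switch(config)# access-list 120 permit ip 10.10.0.0 0.0.255.255 any
Switch(config)# class-map cm-vlan10-users
Switch(config-cmap)# match access-group 120
Switch(config-cmap)# exit
!
! 3. Child (interface-level) classes: match input-interface must be the only
!    match statement in a child class, one class per policed port
Switch(config)# class-map cm-port-1
Switch(config-cmap)# match input-interface gigabitethernet1/0/1
Switch(config-cmap)# exit
Switch(config)# class-map cm-port-2
Switch(config-cmap)# match input-interface gigabitethernet1/0/2
Switch(config-cmap)# exit
!
! 4. Child policy: policers only (no set or trust actions here)
Switch(config)# policy-map pm-port-policers
Switch(config-pmap)# class cm-port-1
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-port-2
Switch(config-pmap-c)# police 10000000 8000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
! 5. Parent policy: mark, then hand the class to the child policy. The name
!    given to service-policy must be the child policy map created above.
Switch(config)# policy-map pm-vlan10
Switch(config-pmap)# class cm-vlan10-users
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# service-policy pm-port-policers
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
! 6. Attach to the SVI, not to the physical ports
Switch(config)# interface vlan 10
Switch(config-if)# service-policy input pm-vlan10
Switch(config-if)# end
Switch# show policy-map pm-vlan10
Switch# show mls qos vlan 10
```

    Each port in VLAN 10 gets its own 10 Mb/s budget for the matched traffic; a port that is in VLAN 10 but not in VLAN-based mode is simply not policed, which is the usual reason a hierarchical policy appears to do nothing.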
  • Page 947: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    However, you cannot use the aggregate policer across different policy maps or ports. You can configure aggregate policers only in nonhierarchical policy maps on physical ports.
  • Page 948 Valid interfaces include physical ports. Step 9 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
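    An aggregate policer shares one token bucket between several classes of the same policy map, which is the difference from a per-class police statement (each class would otherwise get the full rate). This added example, not from the guide, gives two guest subnets a combined 2 Mb/s ceiling on one access port; the subnets, ACL numbers, port and rate are assumptions.

```cisco
! Added example (not from the guide). Assumed: two guest subnets, a shared
! 2 Mb/s budget, access port Gi1/0/7.
Switch(config)# mls qos
!
! One bucket shared by every class that references it in the same policy map
Switch(config)# mls qos aggregate-policer agg-guest 2000000 16000 exceed-action drop
!
Switch(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Switch(config)# access-list 11 permit 198.51.100.0 0.0.0.255
Switch(config)# class-map cm-guest-a
Switch(config-cmap)# match access-group 10
Switch(config-cmap)# exit
Switch(config)# class-map cm-guest-b
Switch(config-cmap)# match access-group 11
Switch(config-cmap)# exit
!
! Nonhierarchical policy map on a physical port: the only place an
! aggregate policer may be referenced. DSCP 8 (CS1) marks it as scavenger.
Switch(config)# policy-map pm-guest
Switch(config-pmap)# class cm-guest-a
Switch(config-pmap-c)# set dscp 8
Switch(config-pmap-c)# police aggregate agg-guest
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-guest-b
Switch(config-pmap-c)# set dscp 8
Switch(config-pmap-c)# police aggregate agg-guest
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
Switch(config)# interface gigabitethernet1/0/7
Switch(config-if)# service-policy input pm-guest
Switch(config-if)# end
!
! Verification: the policer definition and the policers active on the port
Switch# show mls qos aggregate-policer agg-guest
Switch# show mls qos interface gigabitethernet1/0/7 policers
```

    Referencing agg-guest from a second policy map, or from a policy on another port, is rejected; use a separate aggregate policer per port.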
  • Page 949: Configuring Dscp Maps

    • Configuring the DSCP-to-DSCP-Mutation Map, page 39-74 (optional, unless the null settings in the map are not appropriate) All the maps, except the DSCP-to-DSCP-mutation map, are globally defined and are applied to all ports.
  • Page 950: Configuring The Cos-To-Dscp Map

    Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps cos-dscp
    Cos-dscp map:
         cos:   0  1  2  3  4  5  6  7
      --------------------------------
        dscp:  10 15 20 25 30 35 40 45
  • Page 951: Configuring The Ip-Precedence-To-Dscp Map

    Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps ip-prec-dscp
    IpPrecedence-dscp map:
      ipprec:   0  1  2  3  4  5  6  7
      --------------------------------
        dscp:  10 15 20 25 30 35 40 45
  • Page 952: Configuring The Policed-Dscp Map

    DSCP. The intersection of the d1 and d2 values provides the marked-down value (d1 is the tens digit of the original DSCP and d2 the ones digit). For example, an original DSCP value of 53 corresponds to a marked-down DSCP value of 0.
  • Page 953: Configuring The Dscp-To-Cos Map

    [show mls qos maps dscp-cos output: the DSCP-to-CoS map table, rows d1, columns d2, entries CoS values; the table body is garbled in this excerpt and is not reproduced]
  • Page 954: Configuring The Dscp-To-Dscp-Mutation Map

    Step 6 Return to privileged EXEC mode. Step 7 show mls qos maps dscp-mutation Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
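    The two maps on pages 952 and 954 that matter most at a trust boundary, configured together as an added example (not from the guide): the global policed-DSCP map gives exceed-action policed-dscp-transmit something to mark down to, and a per-port DSCP-to-DSCP-mutation map neutralises EF and CS6/CS7 arriving from a network whose markings you do not want to honor. The uplink number, map name and DSCP choices are assumptions.

```cisco
! Added example (not from the guide). Assumed: trunk Gi1/0/24 toward a
! partner network; map name mut-partner and the DSCP values are illustrative.
Switch(config)# mls qos
!
! Policed-DSCP map (global): what exceed-action policed-dscp-transmit
! rewrites to. The default is identity, so without this line an "exceeding"
! EF packet leaves still marked 46. Up to eight DSCP values per line.
Switch(config)# mls qos map policed-dscp 46 34 26 to 8
!
! DSCP-to-DSCP-mutation map (per port): EF and CS6/CS7 from the partner are
! rewritten to 0; every DSCP not listed passes through unchanged.
Switch(config)# mls qos map dscp-mutation mut-partner 46 48 56 to 0
!
! The mutation map takes effect only on a port that trusts DSCP. On an
! untrusted port DSCP is already rewritten to 0 and the map is ignored.
Switch(config)# interface gigabitethernet1/0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos dscp-mutation mut-partner
Switch(config-if)# end
!
! Verification; both tables are read as d1 (tens digit) by d2 (ones digit)
Switch# show mls qos maps policed-dscp
Switch# show mls qos maps dscp-mutation mut-partner
Switch# show mls qos interface gigabitethernet1/0/24
```

    The mutation map is the only per-port map; the policed-DSCP map is global, so the mark-down value applies to every policer on the switch that uses policed-dscp-transmit.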
  • Page 955: Configuring Ingress Queue Characteristics

    • Allocating Buffer Space Between the Ingress Queues, page 39-77 (optional) • Allocating Bandwidth Between the Ingress Queues, page 39-77 (optional) • Configuring the Ingress Priority Queue, page 39-78 (optional)
  • Page 956: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
  • Page 957: Allocating Buffer Space Between The Ingress Queues

    SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
  • Page 958: Configuring The Ingress Priority Queue

    Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
  • Page 959: Configuring Egress Queue Characteristics

    • Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
  • Page 960: Allocating Buffer Space To And Setting Wtd Thresholds For An Egress Queue-Set

    Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 961 For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode.
  • Page 962: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of egress queues and if these settings do not meet your QoS solution.
  • Page 963 This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
  • Page 964: Configuring Srr Shaped Weights On Egress Queues

    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 965: Configuring Srr Shared Weights On Egress Queues

    You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
  • Page 966: Limiting The Bandwidth On An Egress Interface

    The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent. Step 4 Return to privileged EXEC mode.
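    The ingress-queue procedures (pages 955 to 958) and the egress-queue procedures (pages 959 to 966) as one worked configuration, added here as an example and not taken from the guide. It places voice (DSCP 46) in the priority and expedite queues and scavenger traffic (DSCP 8) in the queue that is dropped first and shaped hardest, so a flood marked as scavenger cannot starve the rest of the port. The port, queue-set, buffer percentages, weights and DSCP choices are assumptions.

```cisco
! Added example (not from the guide). Assumed: port Gi1/0/1 on queue-set 1;
! DSCP 46 = voice, DSCP 8 = scavenger; all numbers are illustrative.
Switch(config)# mls qos
!
! --- Ingress: two queues, SRR in shared mode only ---
! Buffer split and SRR weights for queue 1 / queue 2
Switch(config)# mls qos srr-queue input buffers 70 30
Switch(config)# mls qos srr-queue input bandwidth 70 30
! Queue 2 is the priority queue: 10% of the stack-ring bandwidth is served
! first, then SRR shares the remainder by the weights above
Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 10
! Voice into the priority queue at the tail threshold (3, never dropped early);
! scavenger into queue 1 at threshold 1, the first to be dropped under WTD
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 46
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 8
Switch(config)# mls qos srr-queue input threshold 1 40 60
!
! --- Egress: four queues per port, grouped in queue-set 1 ---
! Buffer allocation for queues 1-4 (must total 100) and the WTD thresholds
! for queue 4: drop-threshold1 drop-threshold2 reserved maximum
Switch(config)# mls qos queue-set output 1 buffers 15 25 40 20
Switch(config)# mls qos queue-set output 1 threshold 4 40 60 100 100
! Voice to queue 1 (which becomes the expedite queue below), scavenger to 4
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 46
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8
!
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# queue-set 1
! Queue 4 shaped to 1/20 of the port (5%), same arithmetic as the 1/8 example
! on page 964; a shaped queue cannot borrow, so scavenger is capped there
Switch(config-if)# srr-queue bandwidth shape 0 0 0 20
! Queues 2 and 3 share what is left 2:1; the shaped queue and the expedite
! queue ignore their share weights
Switch(config-if)# srr-queue bandwidth share 1 50 25 1
! Queue 1 becomes the strict-priority expedite queue
Switch(config-if)# priority-queue out
! Whole port held to 80% of line rate (range 10 to 90)
Switch(config-if)# srr-queue bandwidth limit 80
Switch(config-if)# end
!
Switch# show mls qos input-queue
Switch# show mls qos interface gigabitethernet1/0/1 queueing
Switch# show mls qos interface gigabitethernet1/0/1 buffers
Switch# show mls qos maps dscp-input-q
Switch# show mls qos maps dscp-output-q
```

    The expedite queue is served until empty before any other queue, so whatever you map into queue 1 should already be policed on ingress (as in the physical-port example); an unpoliced class in the expedite queue is a self-inflicted denial of service for the other three queues.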
  • Page 967: Displaying Standard Qos Information

    The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting.
  • Page 969: Understanding Etherchannels

    Note This chapter also describes how to configure link-state tracking. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 970: Chapter 40 Configuring EtherChannels and Link-State Tracking

    Layer 3 mode by using the no switchport interface configuration command. For more information, see Chapter 13, “Configuring Interface Characteristics.” Note Layer 3 EtherChannels are not supported on switches running the LAN base feature set.
  • Page 971 EtherChannel are blocked from returning on any other link of the EtherChannel. Figure 40-2 Single-Switch EtherChannel [figure: a switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections, with channel group 1 and channel group 2 running to Switch A]
  • Page 972: Port-Channel Interfaces

    Figure 40-4. Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
  • Page 973: Port Aggregation Protocol

    Layer 2 EtherChannel as a trunk. Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 974: Pagp Modes

    If the VSL between two switches fails, one switch does not know the status of the other. Both switches could change to the active mode, causing a dual-active situation in the network with duplicate configurations (including duplicate IP addresses and bridge identifiers). The network might go down.
  • Page 975: Pagp Interaction With Other Features

    PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 976: Lacp Interaction With Other Features

    Therefore, to provide load-balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • Page 977 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load-balancing.
  • Page 978: Etherchannel And Switch Stacks

    LACP system-id can change. If the LACP system-id changes, the entire EtherChannel will flap, and there will be an STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover.
  • Page 979: Configuring Etherchannels

    32768. LACP system ID: LACP system priority and the switch or stack MAC address. Load-balancing: load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 980: Etherchannel Configuration Guidelines

    Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
  • Page 981: Configuring Layer 2 Etherchannels

    configure them as trunks. Step 3 switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 982 Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
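    The Layer 2 procedure on pages 981 and 982, plus the load-balancing choice from the section that follows, as an added example that is not taken from the guide. It builds a two-port LACP trunk bundle with identical member configuration (the guideline on page 980) and negotiation on, rather than a static mode on bundle that forwards whatever the far end does. The ports, VLAN list and channel-group number are assumptions.

```cisco
! Added example (not from the guide). Assumed: Gi1/0/1-2 to an upstream
! switch, VLANs 10, 20 and 30, channel group 1.
!
! Configure both members from one interface range so their VLAN settings
! stay identical; a mismatch leaves the ports unbundled.
Switch(config)# interface range gigabitethernet1/0/1 - 2
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk allowed vlan 10,20,30
! The trunk is static, so stop DTP from negotiating it
Switch(config-if-range)# switchport nonegotiate
! LACP active on both ends negotiates the bundle and tears it down if the
! peer disagrees; mode on would bundle unconditionally, and a miscabled
! or misconfigured peer then turns into a bridging loop.
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit
!
! Hash on source and destination IP. Behind a single upstream router MAC,
! destination-MAC hashing would pin every flow to one link (page 977).
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# end
!
! Expect Po1 in state SU (Layer 2, in use) with both members flagged P
Switch# show etherchannel 1 summary
Switch# show etherchannel load-balance
Switch# show lacp 1 neighbor
```

    Any later change to the allowed VLAN list must again be made on the interface range or on the port-channel interface, not on one member alone.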
  • Page 983: Configuring Layer 3 Etherchannels

    Note To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
  • Page 984: Configuring The Physical Interfaces

    Step 3 no ip address Ensure that there is no IP address assigned to the physical port. Step 4 no switchport Put the port into Layer 3 mode.
  • Page 985 “LACP Modes” section on page 40-7. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
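    The Layer 3 procedure on pages 983 to 985 in the order the guide requires (logical interface first, then the members), added as an example that is not taken from the guide. The ports, channel-group number and the 192.0.2.1/30 address are assumptions; the switch must run a feature set above LAN Base (page 970).

```cisco
! Added example (not from the guide). Assumed: Gi1/0/3-4, channel group 2,
! point-to-point address 192.0.2.1/30.
!
! Create the logical interface first, put it in Layer 3 mode, address it
Switch(config)# interface port-channel 2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.0.2.1 255.255.255.252
Switch(config-if)# exit
!
! Then the members: no address of their own (an address still present on a
! physical port must be removed before it goes on the port-channel, page
! 983), Layer 3 mode, and the same channel group with LACP active
Switch(config)# interface range gigabitethernet1/0/3 - 4
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 2 mode active
Switch(config-if-range)# end
!
! Expect Po2 in state RU (Layer 3, in use); the address is on Port-channel2 only
Switch# show etherchannel 2 summary
Switch# show ip interface brief | include Port-channel2
Switch# show running-config interface port-channel 2
```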
  • Page 986: Configuring Etherchannel Load-Balancing

    source-and-destination host-MAC address. • src-ip—Load distribution is based on the source-host IP address. • src-mac—Load distribution is based on the source-MAC address of the incoming packet.
  • Page 987: Configuring The Pagp Learn Method And Priority

    Catalyst 1900 switch. When the link partner of the Catalyst 3750-X or 3560-X switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 3750-X or 3560-X switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
  • Page 988: Configuring Lacp Hot-Standby Ports

    16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
  • Page 989: Configuring The Lacp System Priority

    Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
  • Page 990: Configuring The Lacp Port Priority

    [channel-group-number] {counters | internal | neighbor} Displays PAgP information such as traffic information, the internal PAgP configuration, and neighbor information.
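    The hot-standby, system-priority and port-priority procedures on pages 988 to 990 in one configuration, added as an example and not taken from the guide: a 16-port LACP group in which this switch decides, by holding the lower system priority, which eight links carry traffic and which eight wait in hot-standby. It also applies the stack-MAC caveat from page 978. The stack member, ports, group number and priority values are assumptions.

```cisco
! Added example (not from the guide). Assumed: 16-port LACP group 3 on the
! second stack member (Gi2/0/1-16); only eight links can be active.
!
! The system with the numerically lower LACP system priority chooses the
! active set; the peer's port priorities are then ignored (range 1-65535,
! default 32768).
Switch(config)# lacp system-priority 100
!
Switch(config)# interface range gigabitethernet2/0/1 - 16
Switch(config-if-range)# channel-group 3 mode active
Switch(config-if-range)# exit
!
! Higher port-priority number = lower priority: Gi2/0/9-16 become the
! hot-standby set (default 32768, range 1-65535)
Switch(config)# interface range gigabitethernet2/0/9 - 16
Switch(config-if-range)# lacp port-priority 65000
Switch(config-if-range)# exit
!
! In a stack the LACP system ID embeds the stack MAC, and a change on master
! failover flaps the whole channel (page 978). Timer 0 keeps the MAC for
! good; only do this if the former master is never redeployed elsewhere
! while the stack still uses its address, or the MAC is duplicated.
Switch(config)# stack-mac persistent timer 0
Switch(config)# end
!
! Internal shows Gi2/0/1-8 bundled and Gi2/0/9-16 in hot-standby
Switch# show lacp sys-id
Switch# show lacp 3 internal
Switch# show etherchannel 3 summary
```

    If the far end keeps the lower system priority, it picks the active links and the port priorities set here have no effect; check show lacp sys-id on both sides before relying on the standby choice.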
  • Page 991: Understanding Link-State Tracking

    Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces.
  • Page 992 1. Port 5 and port 6 are connected to distribution switch 1 through link-state group 1. – Port 5 and port 6 are the upstream interfaces in link-state group 1.
  • Page 993: Configuring Link-State Tracking

    Configuring Link-State Tracking • Default Link-State Tracking Configuration, page 40-26 • Link-State Tracking Configuration Guidelines, page 40-26 • Configuring Link-State Tracking, page 40-26 • Displaying Link-State Tracking Status, page 40-27
  • Page 994: Default Link-State Tracking Configuration

    Catalyst 3560-X switches, the group number can be 1 to 2. For Catalyst 3750-X switches, the group number can be 1 to 10. The default is 1. Specify a physical interface or range of interfaces to configure,...
  • Page 995: Displaying Link-State Tracking Status

    Upstream Interfaces : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn)
    Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis)
    (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
    For detailed information about the fields in the display, see the command reference for this release.
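    The configuration that produces the page 995 display, added as an example that is not taken from the guide: uplinks Gi1/0/15-17 as the upstream set of group 1 and server ports Gi1/0/11-14 as its downstream set, so that when every uplink is down the server ports are disabled and the servers fail over to their other NIC instead of sending into a black hole. The interface assignment is an assumption chosen to match the sample output.

```cisco
! Added example (not from the guide). Assumed: servers on Gi1/0/11-14,
! uplinks to the distribution switch on Gi1/0/15-17, link-state group 1.
!
! Create the group and enable tracking for it (3750-X: groups 1-10)
Switch(config)# link state track 1
!
! Upstream set: when all of these are down, every downstream port in the
! group is disabled (the Dis state in the display above)
Switch(config)# interface range gigabitethernet1/0/15 - 17
Switch(config-if-range)# link state group 1 upstream
Switch(config-if-range)# exit
!
! Downstream set: an interface can be a member of only one link-state group
Switch(config)# interface range gigabitethernet1/0/11 - 14
Switch(config-if-range)# link state group 1 downstream
Switch(config-if-range)# end
!
! With the uplinks down this prints upstream (Dwn) and downstream (Dis),
! exactly as on page 995; with any uplink up the servers show (Up)
Switch# show link state group 1 detail
```

    One upstream link coming back is enough to re-enable the downstream set; the group does not wait for all three.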
  • Page 997: Understanding Telepresence E911 Ip Phone Support

    Understanding TelePresence E911 IP Phone Support You can use a Cisco IP phone as a user interface in a Cisco TelePresence System. See Figure 1. In this configuration, the IP phone must always be on and available for emergency calls. If the power to the codec in the Cisco TelePresence System fails or is disrupted, or if the codec fails, the IP phone is not available.
  • Page 998: Chapter 41 Configuring TelePresence E911 IP Phone Support

    When a CDP-enabled IP phone is connected to the codec through a switch, you can configure the switch to forward CDP packets from the IP phone only to the codec in the Cisco TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table. An ingress-egress port pair is a one-to-one mapping between an ingress switch port connected to the IP phone and an egress switch port connected to the codec.
  • Page 999: Enabling Telepresence E911 Ip Phone Support

    Switch(config)# no cdp forward ingress gigabitethernet2/0/1 Switch(config)# end Switch# *Mar 1 13:39:14.120: %SYS-5-CONFIG_I: Configured from console by console Switch# show running-config | include cdp cdp forward ingress GigabitEthernet2/0/2 egress GigabitEthernet2/0/13
  • Page 1000 Configuring TelePresence E911 IP Phone Support
    Switch# show cdp forward
    Ingress    Egress     # packets    # packets
    Port       Port       forwarded    dropped
    -------------------------------------------------------------
    Gi2/0/2    Gi2/0/13
    Switch#
