Catalyst 3750-E and 3560-E Switch Software Configuration Guide
Cisco IOS Release 12.2(55)SE, August 2010
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387); Fax: 408 527-0883
Text Part Number: OL-9775-08
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
Default Settings After Initial Switch Configuration 1-16
Network Configuration Examples 1-19
Design Concepts for Using the Switch 1-19
Small to Medium-Sized Network Using Catalyst 3750-E and 3560-E Switches 1-26
Large Network Using Catalyst 3750-E and 3560-E Switches 1-28
Multidwelling Network Using Catalyst 3750-E Switches 1-31...
Configuring DHCP Auto-Image Update (Configuration File and Image) 3-12
Configuring the Client 3-14
Manually Assigning IP Information 3-15
Checking and Saving the Running Configuration 3-16
Configuring the NVRAM Buffer Size 3-17
Chapter: Managing Switch Stacks
Understanding Switch Stacks
Switch Stack Membership
Stack Master Election and Re-Election
Switch Stack Bridge ID and Router MAC Address
Stack Member Numbers
Using SNMP to Manage Switch Clusters 6-17
Chapter: Administering the Switch
Managing the System Time and Date
Understanding the System Clock
Understanding Network Time Protocol
Configuring NTP
Default NTP Configuration
Adding and Removing Static Address Entries 7-27
Configuring Unicast MAC Address Filtering 7-28
Disabling MAC Address Learning on a VLAN 7-29
Displaying Address Table Entries 7-30
Managing the ARP Table 7-31
Displaying the TACACS+ Configuration 9-17
Controlling Switch Access with RADIUS 9-17
Understanding RADIUS 9-18
RADIUS Operation 9-19
RADIUS Change of Authorization 9-19
Change-of-Authorization Requests 9-20
CoA Request Response Code 9-21
Displaying the SSH Configuration and Status 9-48
Configuring the Switch for Secure Socket Layer HTTP 9-49
Understanding Secure HTTP Servers and Clients 9-49
Certificate Authority Trustpoints 9-49
CipherSuites 9-51
Configuring Secure HTTP Servers and Clients 9-51
802.1x Authentication with Per-User ACLs 10-18
802.1x Authentication with Downloadable ACLs and Redirect URLs 10-19
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 10-20
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 10-20
VLAN ID-based MAC Authentication 10-21
802.1x Authentication with Guest VLAN...
Setting the Re-Authentication Number 10-48
Enabling MAC Move 10-49
Enabling MAC Replace 10-49
Configuring 802.1x Accounting 10-50
Configuring a Guest VLAN 10-51
Configuring a Restricted VLAN 10-52
Configuring the Inaccessible Authentication Bypass Feature 10-54
Configuring Web-Based Authentication 11-9
Default Web-Based Authentication Configuration 11-9
Web-Based Authentication Configuration Guidelines and Restrictions 11-9
Web-Based Authentication Configuration Task List 11-10
Configuring the Authentication Rule and Interfaces 11-10
Understanding the Ethernet Management Port 12-18
Supported Features on the Ethernet Management Port 12-20
Configuring the Ethernet Management Port 12-20
TFTP and the Ethernet Management Port 12-21
Configuring Ethernet Interfaces 12-21
Configuring Extended-Range VLANs 13-10
Default VLAN Configuration 13-10
Extended-Range VLAN Configuration Guidelines 13-11
Creating an Extended-Range VLAN 13-11
Creating an Extended-Range VLAN with an Internal VLAN ID 13-13
Displaying VLANs 13-14
Understanding VTP 14-1
The VTP Domain 14-2
VTP Modes 14-3
VTP Advertisements 14-4
VTP Version 2 14-4
VTP Version 3 14-5
VTP Pruning 14-6
VTP and Switch Stacks 14-7
Configuring VTP 14-8
Configuring Voice VLAN 15-3
Default Voice VLAN Configuration 15-3
Voice VLAN Configuration Guidelines 15-3
Configuring a Port Connected to a Cisco 7960 IP Phone 15-4
Configuring Cisco IP Phone Voice Traffic 15-5
Configuring the Priority of Incoming Data Frames 15-6...
Spanning-Tree Topology and BPDUs 18-3
Bridge ID, Switch Priority, and Extended System ID 18-4
Spanning-Tree Interface States 18-5
Blocking State 18-6
Listening State 18-7
Learning State 18-7
Forwarding State 18-7
Disabled State 18-7
Operations Between MST Regions 19-3
IEEE 802.1s Terminology 19-5
Hop Count 19-5
Boundary Ports 19-6
IEEE 802.1s Implementation 19-6
Port Role Naming Change 19-6
Interoperation Between Legacy and Standard Switches 19-7
Understanding Port Fast 20-2
Understanding BPDU Guard 20-2
Understanding BPDU Filtering 20-3
Understanding UplinkFast 20-3
Understanding Cross-Stack UplinkFast 20-5
How CSUF Works 20-6
Events that Cause Fast Convergence 20-7
Understanding BackboneFast 20-7
Monitoring Flex Links and the MAC Address-Table Move Update 21-14
Chapter: Configuring DHCP Features and IP Source Guard 22-1
Understanding DHCP Features 22-1
DHCP Server 22-2
DHCP Relay Agent 22-2
DHCP Snooping 22-2
Chapter: Configuring Dynamic ARP Inspection 23-1
Understanding Dynamic ARP Inspection 23-1
Interface Trust States and Network Security 23-3
Rate Limiting of ARP Packets 23-4
Configuring the IGMP Snooping Querier 24-14
Disabling IGMP Report Suppression 24-15
Displaying IGMP Snooping Information 24-16
Understanding Multicast VLAN Registration 24-17
Using MVR in a Multicast Television Application 24-18
Configuring MVR 24-20
Chapter: Configuring Port-Based Traffic Control 26-1
Configuring Storm Control 26-1
Understanding Storm Control 26-1
Default Storm Control Configuration 26-3
Configuring Storm Control and Threshold Levels 26-3
Understanding LLDP, LLDP-MED, and Wired Location Service 28-1
LLDP 28-1
LLDP-MED 28-2
Wired Location Service 28-3
Configuring LLDP, LLDP-MED, and Wired Location Service 28-5
Default LLDP Configuration 28-5
Configuration Guidelines 28-5
SPAN and RSPAN and Switch Stacks 30-11
Understanding Flow-Based SPAN 30-11
Configuring SPAN and RSPAN 30-12
Default SPAN and RSPAN Configuration 30-12
Configuring Local SPAN 30-12
SPAN Configuration Guidelines 30-13
Enabling and Disabling Sequence Numbers in Log Messages 32-8
Defining the Message Severity Level 32-9
Limiting Syslog Messages Sent to the History Table and to SNMP 32-10
Enabling the Configuration-Change Logger 32-11
Configuring UNIX Syslog Servers 32-12
Configuring Embedded Event Manager 34-6
Registering and Defining an Embedded Event Manager Applet 34-6
Registering and Defining an Embedded Event Manager TCL Script 34-7
Displaying Embedded Event Manager Information 34-8
Creating a VLAN Map 35-32
Examples of ACLs and VLAN Maps 35-33
Applying a VLAN Map to a VLAN 35-35
Using VLAN Maps in Your Network 35-35
Wiring Closet Configuration 35-35
Queueing and Scheduling Overview 37-14
Weighted Tail Drop 37-15
SRR Shaping and Sharing 37-15
Queueing and Scheduling on Ingress Queues 37-16
Queueing and Scheduling on Egress Queues 37-19
Packet Modification 37-22
Configuring Auto-QoS 37-23
Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic 37-58
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 37-59
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps 37-64
LACP Interaction with Other Features 38-8
EtherChannel On Mode 38-8
Load-Balancing and Forwarding Methods 38-8
EtherChannel and Switch Stacks 38-10
Configuring EtherChannels 38-11
Default EtherChannel Configuration 38-11
EtherChannel Configuration Guidelines 38-12
Classless Routing 40-8
Configuring Address Resolution Methods 40-9
Define a Static ARP Cache 40-10
Set ARP Encapsulation 40-11
Enable Proxy ARP 40-12
Routing Assistance When IP Routing is Disabled 40-12
User Interface for FTP and TFTP 40-83
Configuring Multicast VRFs 40-84
Configuring a VPN Routing Session 40-84
Configuring BGP PE to CE Routing Sessions 40-85
Multi-VRF CE Configuration Example 40-86
Displaying Multi-VRF CE Status 40-89
RIP for IPv6 41-7
OSPF for IPv6 41-7
EIGRP IPv6 41-7
HSRP for IPv6 41-7
SNMP and Syslog Over IPv6 41-7
HTTP(S) Over IPv6 41-8
Unsupported IPv6 Unicast Routing Features 41-8
Enabling HSRP Support for ICMP Redirect Messages 42-12
Configuring HSRP Groups and Clustering 42-12
Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E and 3750 Switches 42-12
Displaying HSRP Configurations 42-13
Configuring IP SLAs Object Tracking 44-8
Configuring Static Routing Support 44-10
Configuring a Primary Interface 44-10
Configuring a Cisco IP SLAs Monitoring Agent and Track Object 44-11
Configuring a Routing Policy and Default Route 44-12
Monitoring Enhanced Object Tracking 44-12...
How SSM Differs from Internet Standard Multicast 46-14
SSM IP Address Range 46-15
SSM Operations 46-15
IGMPv3 Host Signalling 46-15
Configuration Guidelines 46-16
Configuring SSM 46-17
Monitoring SSM 46-17
Configuring an IP Multicast Boundary 46-47
Configuring Basic DVMRP Interoperability Features 46-49
Configuring DVMRP Interoperability 46-49
Configuring a DVMRP Tunnel 46-51
Advertising Network 0.0.0.0 to DVMRP Neighbors 46-53
Responding to mrinfo Requests 46-54
Configuring an Originating Address other than the RP Address 47-18
Monitoring and Maintaining MSDP 47-19
Chapter: Configuring Fallback Bridging 48-1
Understanding Fallback Bridging 48-1
Fallback Bridging Overview 48-1
Using Ping 49-15
Understanding Ping 49-15
Executing Ping 49-15
Using Layer 2 Traceroute 49-16
Understanding Layer 2 Traceroute 49-16
Usage Guidelines 49-17
Displaying the Physical Path 49-17
Using IP Traceroute 49-18
Starting Online Diagnostic Tests 50-5
Displaying Online Diagnostic Tests and Test Results 50-6
Appendix: Supported MIBs
MIB List
Using FTP to Access the MIB Files
Contents
Appendix: Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System
Displaying Available File Systems
Setting the Default File System
Displaying Information about Files on a File System...
Unsupported Commands in Applet Configuration Mode
Unsupported Commands in Event Trigger Configuration Mode
Fallback Bridging
Unsupported Privileged EXEC Commands
Unsupported Global Configuration Commands
Unsupported Interface Configuration Commands
HSRP
Unsupported Global Configuration Commands
Unsupported Interface Configuration Commands
This guide is for the networking professional managing the standalone Catalyst 3750-E or 3560-E switch or the Catalyst 3750-E switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Related Publications
Documents with complete information about the switch are available from these Cisco.com sites:
Catalyst 3750-E: http://www.cisco.com/en/US/products/ps7077/tsd_products_support_series_home.html
Catalyst 3560-E: http://www.cisco.com/en/US/products/ps7078/tsd_products_support_series_home.html...
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
IP base and the IP services feature sets. You must have a Cisco IOS software license for a specific feature set to enable it. For more information about the software license, see the Cisco IOS Software Installation document on Cisco.com.
• User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
• Auto Smartports Cisco-default and user-defined macros for dynamic port configuration based on the device type detected on the port.
...
– Using a single IP address and configuration file to manage the entire switch stack.
– Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
...
• Auto SmartPort enhancements, which add support for macro persistency, LLDP-based triggers, MAC address and OUI-based triggers, and remote macros, as well as for automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC).
Performance Features
Cisco EnergyWise manages the energy usage of power over Ethernet (PoE) entities.
• Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
• MAC address table
• Disabling MAC address learning on a VLAN
• Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
• Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for...
• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
• Configuration logging to log and to view changes to the switch configuration...
Chapter 1 Overview, Features
• Cisco EnergyWise to manage the power usage of EnergyWise entities, such as power over Ethernet (PoE) devices and end points running daemons.
Note: For additional descriptions of the management interfaces, see the “Network Configuration Examples” section on page 1-19.
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
• RPS support through the Cisco Redundant Power System 2300, also referred to as the RPS 2300,...
– Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port
– VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN...
– Port security for controlling access to IEEE 802.1x ports
– Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
– IP phone detection enhancement to detect and recognize a Cisco IP phone...
When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to...
– Trusted port states (CoS, DSCP, and IP precedence–both IPv4 and IPv6) within a QoS domain and with a port bordering another QoS domain
– Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
• Policing...
– Full OSPF (requires the IP services feature set)
Starting with Cisco IOS Release 12.2(55)SE, the IP base feature set supports OSPF for routed access to enable customers to extend Layer 3 routing capabilities to the access or wiring closet.
Cisco IOS Release 12.2(44)SE and later supports enhanced PoE. An enhanced PoE port can support any additional powered device that requires up to 20 W of power, such as a Cisco AP1250 wireless access point.
• Support for CDP with power consumption. The powered device notifies the switch of the amount of...
For information about assigning an IP address by using the browser-based Express Setup program, see the getting started guide. For information about assigning an IP address by using the CLI-based setup program, see the hardware installation guide.
• Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
• No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
– Chapter 26, “Configuring Port-Based Traffic Control.”
• CDP is enabled. For more information, see Chapter 27, “Configuring CDP.”
• UDLD is disabled. For more information, see Chapter 29, “Configuring UDLD.”
10-Gigabit Ethernet connections.
• “Design Concepts for Using the Switch” section on page 1-19
• “Small to Medium-Sized Network Using Catalyst 3750-E and 3560-E Switches” section on page 1-26
• “Large Network Using Catalyst 3750-E and 3560-E Switches” section on page 1-28...
• Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 3750-E switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
(Figure 1-2)—For high-speed access to network resources, you can use Catalyst 3750-E switches and switch stacks in the access layer to provide Gigabit Ethernet access to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch.
VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs. You can connect the Catalyst switches, again in a star configuration, to two Catalyst 3750-E backbone switches. If one of the backbone switches fails, the second backbone switch preserves connectivity between the switches and network resources.
[Figure: server aggregation and campus core. Labels: Campus core, Catalyst 6500 switches, Catalyst 4500 multilayer switches, StackWise Plus switch stacks, StackWise switch stacks, Access-layer standalone switches, Server racks]
When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the destination VLAN. In this network, the Catalyst 3750-E-only switch stack or Catalyst 3560-E switches are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch stack or switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network.
Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
Figure 1-9 shows a configuration for a network that uses only Catalyst 3750-E switch stacks in the wiring closets and two backbone switches, such as the Catalyst 6500 switches, to aggregate up to ten wiring closets. Figure 1-10...
[Figure 1-9: Catalyst 3750-E Switch Stacks in Wiring Closets in a Backbone Configuration. Labels: Cisco 7x00 routers, Catalyst 6500 multilayer switches, mixed hardware stack including the Catalyst 3750G Integrated...]
[Figure labels, continued: (such as a web cam), Aironet wireless access points, Cisco IP Phones with workstations]
Catalyst Long-Reach Ethernet (LRE) switches, see the documentation sets specific to these switches for LRE information. All ports on the residential Catalyst 3750-E switches (and Catalyst 2950 LRE switches if they are included) are configured as IEEE 802.1Q trunks with protected port and STP root guard features enabled.
The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note.
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-E or 3560-E switch or a Catalyst 3750-E switch stack, referred to as the switch. It contains these sections:
• Understanding Command Modes, page 2-1...
console command.
To return to privileged EXEC mode, press Ctrl-Z or enter end.
You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:
Switch# show conf
Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the ...
You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4 at this URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TS...
Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode:
Switch (config-line)# no editing
Delete the word to the left of the cursor.
Delete from the cursor to the end of the word: Press Esc D.
Capitalize or lowercase words or capitalize a set of letters: Press Esc C. Capitalize at the cursor.
If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation. For more information about interface notations, see the “Using Interface Configuration Mode” section on page 12-12.
After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
This chapter consists of these sections:
• Understanding the Boot Process, page 3-1...
Chapter 3 Assigning the Switch IP Address and Default Gateway, Assigning Switch Information
The normal boot process involves the operation of the boot loader software and includes these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical...
Note: Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
(Only Configuration File)” section on page 3-11 and the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch.
• The switch can act as a DHCP server.
By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP”...
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
[Figure 3-2: Relay Device Used in Autoconfiguration. Labels: Switch (DHCP client), Cisco router (relay), DHCP server, TFTP server, DNS server; addresses shown: 10.0.0.2, 10.0.0.1, 20.0.0.1, 20.0.0.2, 20.0.0.3, 20.0.0.4]
Obtaining Configuration Files
[Figure 3-3: DHCP-Based Autoconfiguration Network Example. Labels: Switch 1 (00e0.9f1e.2001), Switch 2 (00e0.9f1e.2002), Switch 3 (00e0.9f1e.2003), Switch 4 (00e0.9f1e.2004), Cisco router 10.0.0.10, DHCP server 10.0.0.1, DNS server 10.0.0.2, TFTP server (tftpserver) 10.0.0.3]
Table 3-2 shows the configuration of the reserved leases on the DHCP server.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
Step | Command | Purpose
Step 4 | network network-number [mask | /prefix-length] | Specify the subnet network number and mask of the DHCP address pool.
Note: The prefix length specifies the number of bits that comprise the address prefix.
Upload the tar file for the new image to the switch.
Step 10 | exit | Return to global configuration mode.
Step 11 | tftp-server flash:config.text | Specify the Cisco IOS configuration file on the TFTP server.
Step 12 | tftp-server flash:imagename.tar | Specify the image name on the TFTP server.
Step 13 | tftp-server flash:filename.txt...
Configuring the Client
Beginning in privileged EXEC mode, follow these steps to configure a switch to download a configuration file and new image from a DHCP server:
Step | Command | Purpose
Step 1...
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs): If the switch is running the IP services feature set, you can also manually assign IP information to a port Note if you first put the port into Layer 3 mode by using the no switchport interface configuration command.
EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
Configuring the NVRAM Buffer Size The default NVRAM buffer size is 512 kB. In some cases, the configuration file might be too large to save to NVRAM.
Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
Command Purpose Step 4 show boot Verify your entries. The boot manual global configuration command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
Environment variables store two kinds of data: • Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
Table 3-4 Environment Variables (continued) Variable: SWITCH_NUMBER. Boot Loader Command: set SWITCH_NUMBER stack-member-number (changes the member number of a stack member). Cisco IOS Global Configuration Command: switch current-stack-member-number renumber new-stack-member-number (changes the member number of a stack member).
Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
If you modify your configuration file, the switch prompts you to save the configuration before reloading. During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists.
Configuring Cisco IOS Configuration Engine This chapter describes how to configure the feature on the Catalyst 3750-E and 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
(LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
Note For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
Return to global configuration mode. Step 11 hostname name Enter the hostname for the switch. Step 12 ip route network-number (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
RemoteSwitch(config)# cns id ethernet 0 ipaddress
RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats Displays statistics about the Cisco IOS agent.
Catalyst 3750-X-only stack with only Catalyst 3750-X switches as stack members. • Mixed stack: A mixed hardware stack with a mixture of Catalyst 3750-X, Catalyst 3750-E, and 3750 switches as stack members. For example, a stack with Catalyst 3750-E and 3750 switches supporting the IP services features.
One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are all stack members. The Catalyst 3750-E stack members use the Cisco StackWise Plus technology to work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
Note their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant on Cisco.com. Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports.
For more information about cabling and powering switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
[Figure 5-1 Creating a Switch Stack from Two Standalone Switches: two standalone switches, each stack member 1 on its own, are joined into one stack as stack member 1 and stack member 2, one of which becomes the stack master.]
Note We recommend assigning the highest priority value to the switch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master if a re-election occurs. The switch that is not using the default interface-level configuration.
As described in the hardware installation guide, you can use the Master LED on the switch to see if the switch is the stack master.
“Switch Stack Membership” section on page 5-3. As described in the hardware installation guide, you can use the switch port LEDs in Stack mode to visually determine the stack member number of each stack member.
When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
Scenario: The stack member number of the provisioned switch is not found in the provisioned configuration. Result: The switch stack applies the default configuration to the provisioned switch and adds it to the stack.
Hardware Compatibility and SDM Mismatch Mode in Switch Stacks The Catalyst 3750-E switch supports only the desktop Switch Database Management (SDM) templates. All stack members use the SDM template configured on the stack master.
“Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 5-10. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the universal software image and have the IP services feature set enabled for the Cisco IOS Release 12.2(35)SE2 or later.
(including the switch in VM mode). If an appropriate image is not found in the stack flash file systems, the auto-advise process tells you to install new software on the switch stack. Auto-advise cannot be disabled, and there is no command to check its status.
Note We recommend that all stack members run Cisco IOS Release 12.2(35)SE2 or later. The interface-specific settings of the stack master are saved if the stack master is replaced without saving the running configuration to the startup configuration.
“Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com • “MAC Addresses and Switch Stacks”...
Encryption features are unavailable if the stack master is running the noncryptographic software image. Note The noncryptographic software image was available only on Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier. The Catalyst 3750-X switches run only the cryptographic software image.
Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. Restart both stack members at the same time.
The stack master is retained. The new switch is added to the switch stack. Through their StackWise Plus ports, connect the new switch to a powered-on switch stack. Power on the new switch.
During this time period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master. If
If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the switch stack moves to the current stack master MAC address. Step 3 Return to privileged EXEC mode.
• Setting the Stack Member Priority Value, page 5-23 (optional) • Provisioning a New Member for a Switch Stack, page 5-23 (optional) Assigning a Stack Member Number Note: This task is available only from the stack master.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Provisioning a New Member for a Switch Stack Note: This task is available only from the stack master.
The show running-config command output shows the interfaces associated with the provisioned switch:
Switch(config)# switch 2 provision switch_PID
Switch(config)# end
Switch# show running-config | include switch 2
interface GigabitEthernet2/0/1
interface GigabitEthernet2/0/2
interface GigabitEthernet2/0/3
<output truncated>
• Manually Disabling a Stack Port, page 5-26 • Re-Enabling a Stack Port While Another Member Starts, page 5-26 • Understanding the show switch stack-ports summary Output, page 5-27 • Identifying Loopback Problems, page 5-28
If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link.
In Loopback: • No—At least one stack port on the member has an attached stack cable. • Yes—None of the stack ports on the member has an attached stack cable.
Switch# show switch stack-ports summary
[Output: both stack ports on Switch 1 are Down with neighbor None; the detected cable length is 50 cm.] Switch 1 is a standalone switch.
[Output: the stack ports on Switch 2 show a cable length of 50 cm.] The port status shows that – Switch 2 is a standalone switch. – The ports can send and receive traffic.
If neither stack port has a connected stack cable, the Loopback HW value for both stack ports is Yes. • On a Catalyst 3750-E or Catalyst 3750-X member, if a stack port has a connected stack cable, the Loopback HW value for the stack port is No.
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
This is now the port status:
Switch# show switch stack-ports summary
• The Cable Length value is 50 cm. The switch detects and correctly identifies the cable. • The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3750-E and 3560-E switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
The switches can be in the same location, or they can be distributed across a Layer 2 or Layer 3 (if your cluster is using a Catalyst 3560, Catalyst 3750, Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch as a Layer 3 router between the Layer 2 switches in the cluster) network.
• It is running a supported software release. • It has an IP address. • It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the cluster member switches through a common VLAN.
Note Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 3750-E switch, the standby cluster command switches must also be Catalyst 3750-E switches. See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery Through Different VLANs If the cluster command switch is a Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
Note If the switch cluster has a Catalyst 3750-E or Catalyst 3750-X switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in...
The other cluster-capable switch and its access port are assigned to management VLAN 16.
[Figure 6-6 Discovery of Newly Installed Switches: the command device reaches Device A through VLAN 9 and Device B through VLAN 16; a new (out-of-box) candidate device is attached to each of them.]
These topics also provide more detail about standby cluster command switches: • Virtual IP Addresses, page 6-11 • Other Considerations for Cluster Standby Groups, page 6-11 • Automatic Recovery of Cluster Configuration, page 6-12
If your switch cluster has a Catalyst 3750-X switch or a switch stack, it should be the cluster command switch. If not, when the cluster has a Catalyst 3750-E switch or switch stack, that switch should be the cluster command switch.
6-7) must be connected to the cluster command switch through the same VLAN. In this example, the cluster command switch and standby cluster command switches are Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster.
(such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
Switch Clusters and Switch Stacks A switch cluster can have one or more Catalyst 3750-E switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
Cluster configuration of switch stacks is through the stack master. These are considerations to keep in mind when you have switch stacks in switch clusters: If the cluster command switch is not a Catalyst 3750-E switch or switch stack and a new stack •...
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 33, “Configuring SNMP.”
[Figure 6-8 SNMP Management for a Cluster: Trap 1, Trap 2, and Trap 3 from Member 1, Member 2, and Member 3 pass through the command switch to the SNMP manager.]
Administering the Switch This chapter describes how to perform one-time operations to administer the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
NTP that provide for accurate timekeeping) with other devices for security purposes: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default.
(meaning that only this switch synchronizes to the other device, and not the other way around).
However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4 exit Return to global configuration mode.
• NTP control queries and allows the switch to synchronize to the remote device. For access-list-number, enter a standard IP access list number from 1 to 99.
99. However, the switch restricts access to allow only time requests from access list 42:
Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
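The two NTP protections named above (the access-list restriction and the authentication mechanism whose first step, ntp authenticate, is shown in the table) combined into one configuration. This is an added example, not a configuration taken from the guide: the addresses 172.20.130.5 and 172.20.130.6 and the access-list numbers 99 and 42 reuse the values from the example above, the key number 1 is an arbitrary choice, and the key string is a placeholder to be replaced before use.

```cisco
! Encrypted authentication: accept time only from a server that signs with key 1.
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-KEY-STRING
ntp trusted-key 1
! Server association (this switch synchronizes to the remote device, not the reverse).
ntp server 172.20.130.5 key 1
!
! Access-list restriction: 172.20.130.5 may act as a peer (control queries and
! synchronization), 172.20.130.6 may only request time; everything else is denied.
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
ntp access-group peer 99
ntp access-group serve-only 42
!
! Verification: the association should show as authenticated and the clock as synchronized.
! show ntp associations detail
! show ntp status
```

Apply the access groups and the trusted key together: an access list alone still accepts unauthenticated packets from a permitted address, and authentication alone still answers control queries from any host.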
“Configuring NTP Associations” section on page 7-5.
• show ntp status • For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch
Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
(static or dynamic). Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.
MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.
• Enable the trap when a MAC address is added on this interface. • Enable the trap when a MAC address is removed from this interface. Step 8 Return to privileged EXEC mode.
When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.
Configuring MAC Threshold Notification Traps When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.
(Optional) Save your entries in the configuration file. To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command.
• For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094. Step 3 Return to privileged EXEC mode.
• If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled.
Displays the MAC notification parameters and history table. show mac address-table static Displays only static MAC address table entries. show mac address-table vlan Displays the MAC address table information for the specified VLAN.
(represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
• Dual IPv4 and IPv6 VLAN template—supports basic Layer 2, multicast, QoS, and ACLs for IPv4, and basic Layer 2, ACLs, and QoS for IPv6 on the switch. Note: Cisco IOS Release 12.2(46)SE and later supports IPv6 port-based trust with the dual IPv4 and IPv6 SDM templates.
SDM Templates and Switch Stacks In a Catalyst 3750-E-only or a mixed hardware switch stack, all stack members must use the same SDM desktop template that is stored on the stack master. When a new switch is added to a stack, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
• If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.
• Using the dual stack template results in less hardware capacity allowed for each resource, so do not use it if you plan to forward only IPv4 traffic.
0.5K
number of security aces:
On next reload, template will be “desktop vlan” template.
To return to the default template, use the no sdm prefer global configuration command.
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
(AAA) and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
These sections contain this configuration information:
•...
TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
These sections contain this configuration information:
• Default TACACS+ Configuration, page 9-13
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-13
• Configuring TACACS+ Login Authentication, page 9-14
(Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa new-model Enable AAA.
{default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
RADIUS is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization (CoA).
• Change-of-Authorization Requests, page 9-20
• CoA Request Response Code, page 9-21
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
• Session reauthentication...
CoA Request Response Code
The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table 9-4 on page 9-23.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
• Session Termination
• CoA Disconnect-Request
• CoA Request: Disable Host Port
• CoA Request: Bounce-Port
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.
Table 9-4 CoA Commands Supported on the Switch
Command: Reauthenticate host
Cisco VSA: Cisco:Avpair=“subscriber:command=reauthenticate”...
To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
(which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
• Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 9-35 (optional)
• Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 9-37 (optional)
• Configuring CoA on the Switch, page 9-38
For information on configuring these settings on all RADIUS servers, see the “Configuring Settings for All RADIUS Servers” section on page 9-35.
RADIUS host.
Step 3 Return to privileged EXEC mode.
Step 4 show running-config Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6 Return to privileged EXEC mode.
Step 7 show running-config Verify your entries.
EXEC access and network services:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:...
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
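As an added example (not code from the Cisco guide), the cisco-avpair value described above, parsed in Python. The string layout assumed here is protocol, a colon, the attribute name, the separator and the value, with the separator = marking a mandatory attribute and * an optional one, as the preceding paragraph states. The sample strings are constructed: the subscriber:command values are the CoA VSAs listed in Table 9-4, and the shell:priv-lvl and ip:inacl pairs are well-known Cisco attributes added here only to exercise the parser.

```python
"""Parse and classify Cisco cisco-avpair strings (vendor-ID 9, vendor-type 1).

Added example; not code from the Cisco guide. Assumed layout:
    protocol:attribute<sep>value
where sep is "=" (mandatory) or "*" (optional).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Cisco vendor-ID and the vendor-type of cisco-avpair, as stated in the guide.
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1

# CoA commands named in Table 9-4 of the guide (value of subscriber:command).
COA_COMMANDS = frozenset({"reauthenticate", "disable-host-port"})

# The attribute name ends at the first "=" or "*"; everything after the
# separator is the value, which may itself contain "=" (e.g. an ACL entry).
_AVPAIR_RE = re.compile(
    r"^(?P<protocol>[^:]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$"
)


@dataclass(frozen=True)
class AvPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool  # True when sep was "=", False when it was "*"


def unwrap_avpair(text: str) -> str:
    """Strip the Cisco:Avpair="..." wrapper used in the guide's table."""
    t = text.strip()
    if t.lower().startswith("cisco:avpair="):
        t = t[len("cisco:avpair="):]
    # Accept straight or curly quotes around the value.
    return t.strip().strip('"\u201c\u201d')


def parse_avpair(text: str) -> AvPair:
    """Split a cisco-avpair string into its protocol, attribute, sep and value."""
    m = _AVPAIR_RE.match(unwrap_avpair(text))
    if not m:
        raise ValueError(f"not a cisco-avpair string: {text!r}")
    return AvPair(
        protocol=m["protocol"].strip(),
        attribute=m["attribute"].strip(),
        value=m["value"].strip(),
        mandatory=(m["sep"] == "="),
    )


def coa_command(pair: AvPair) -> Optional[str]:
    """Return the CoA command carried by a subscriber:command pair, else None."""
    if pair.protocol == "subscriber" and pair.attribute == "command":
        if pair.value in COA_COMMANDS:
            return pair.value
    return None


if __name__ == "__main__":
    # Constructed samples: two CoA VSAs from the guide plus two other pairs.
    for sample in (
        'Cisco:Avpair="subscriber:command=reauthenticate"',
        "subscriber:command=disable-host-port",
        "shell:priv-lvl*15",
        "ip:inacl#1=permit ip any any",
    ):
        p = parse_avpair(sample)
        print(p, "coa command:", coa_command(p))
```

The separator is kept as a boolean on the parsed pair because a receiver treats the two cases differently: an optional attribute it does not understand can be ignored, while a mandatory one cannot, so a server-side policy check should look at `mandatory` before deciding how to handle an unrecognised attribute.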
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command.
In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.2, the trusted third party can be a Catalyst 3750-E or 3560-E switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol.
Note A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
Kerberos realm represented by the KDC.
1. TGT = ticket granting ticket
2. KDC = key distribution center
3. KEYTAB = key table
4. SRVTAB = server table
Kerberos Operation
A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
• The Kerberos realm name must be in all uppercase characters.
Note A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
SSH server. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Commands for Displaying the SSH Server Configuration and Status
show ip ssh: Shows the version and configuration information for the SSH server.
show ssh: Shows the status of the SSH server.
(pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
• Configuring the Secure HTTP Client, page 9-54
Default SSL Configuration
The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
RSA key pair.
Step 13 Return to privileged EXEC mode.
Step 14 show crypto ca trustpoints Verify the configuration.
Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
(Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.
• Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.
Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-E or 3560-E switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3650-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
MAC authentication bypass.
Figure 10-4 Message Exchange During MAC Authentication Bypass (parties: Client, Switch, Authentication server (RADIUS); messages: EAPOL Request/Identity (sent three times), Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept)
Authentication Manager
In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running Cisco IOS releases.
802.1x CLI commands
Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate command for each authentication method:
•...
Note that if the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks,” and the 802.1x authentication process continues as usual.
With the multiple-hosts mode enabled, you can use 802.1x authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.
Figure 10-5 Multiple Host Mode Example (parties: Authentication server (RADIUS), Access point, Wireless clients)
When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN features do not activate. Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions: The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along with port security. When a MAC address moves from one port to another, the switch terminates the authenticated session on the original port and initiates a new authentication sequence on the new port.
Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and...
802.1x authentication on an access port).
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
– [64] Tunnel-Type = VLAN
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
On a voice VLAN port, the switch applies the ACL only to the phone. Beginning with Cisco IOS Release 12.2(55)SE, if you do not configure a static ACL on a port, a dynamic Auth-Default-ACL is created and its policies are enforced. The Auth-Default-ACL is not stored in NVRAM and cannot be retrieved by the nonvolatile generation (NVGEN) process.
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
The feature also limits the number of VLANs monitored and handled by STP. The network can be managed as a fixed VLAN.
Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.)
VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable...
• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
When a member is added to the stack, the stack master sends the member the server status.
The PVID is the native VLAN of the port. The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.
Note If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
When you configure a port as bidirectional by using the dot1x control-direction both interface configuration command, the port is access-controlled in both directions. The port does not receive packets from or send packets to the host.
“IEEE 802.1x Authentication with Voice VLAN Ports” section on page 10-25.
• VLAN Membership Policy Server (VMPS)—IEEE 802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
For more configuration information, see the “Authentication Manager” section on page 10-8. Cisco IOS Release 12.2(55)SE and later supports filtering of MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which...
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch without interruption. For information on configuring voice aware 802.1x security, see the “Configuring Voice Aware 802.1x Security” section on page 10-39.
• If you try to change the mode of an 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
• If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
“802.1x Authentication” section on page 10-35.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
You can re-enable individual VLANs by using the clear errdisable interface interface-id vlan [vlan-list] privileged EXEC command. If you do not specify a range, all VLANs on the port are enabled.
Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa new-model Enable AAA.
The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on...
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
Return to privileged EXEC mode.
Step 6 show authentication interface-id / show dot1x interface interface-id Verify your entries.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command.
This example shows how to set the quiet time on the switch to 30 seconds:
Switch(config-if)# dot1x timeout quiet-period 30
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2.
Step 4 Return to privileged EXEC mode.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x guest VLAN.
Step 6 Return to privileged EXEC mode.
Specify an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN.
Page 337
Return to privileged EXEC mode. Step 8 show authentication interface-id (Optional) Verify your entries. show dot1x interface interface-id Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-53 OL-9775-08...
(Optional) Set the number of minutes that a RADIUS server is not sent requests. minutes The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-54 OL-9775-08...
Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 10-35.
Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 10-35. Step 3 authentication port-control auto or dot1x port-control auto Enable 802.1x authentication on the port.
This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:
switch(config)# vlan group eng-dept vlan-list 30
switch(config)# show vlan group eng-dept
Group Name Vlans Mapped
------------- --------------
For more information about these commands, see the Cisco IOS Security Command Reference.
Configuring NAC Layer 2 IEEE 802.1x Validation
You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
“802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 10-31. Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
Attach the 802.1x credentials profile to the interface. Step 12 Return to privileged EXEC mode. Step 13 show running-config interface interface-id Verify your configuration. Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file.
Step 5 radius-server vsa send authentication Enable sending RADIUS vendor-specific attributes (VSAs) during authentication. Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode.
Step 8 ip device tracking Enable the IP device tracking table. To disable the IP device tracking table, use the no ip device tracking global configuration command.
Enter global configuration mode. Step 2 mab request format attribute 32 vlan access-vlan Enable VLAN ID-based MAC authentication. Step 3 copy running-config startup-config (Optional) Save your entries in the configuration file.
There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
Switch(config)# aaa ip auth-proxy auth-proxy-banner C My Switch C
Switch(config)# end
For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com.
Return to privileged EXEC mode. Step 5 show authentication interface-id or show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. For detailed information about the fields in these displays, see the command reference for this release.
CHAPTER Configuring Web-Based Authentication
This chapter describes how to configure web-based authentication on the Catalyst 3750-E or 3560-E switch. It contains these sections:
• Understanding Web-Based Authentication, page 11-1
• Configuring Web-Based Authentication, page 11-9...
• ARP-based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
• If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
• If the terminate action is default, the session is dismantled, and the applied policy is removed.
You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner, Cisco Systems and Switch host-name Authentication, appears on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
Figure 11-4.
Figure 11-4 Login Screen With No Banner
For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
• You must include an HTML redirect command in the success page to access a specific URL.
• The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 26-8.
ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
Switch(config-if)# exit
Switch(config)# ip device tracking
This example shows how to verify the configuration:
Switch# show ip admission configuration
Authentication Proxy Banner not configured
Authentication global cache time is 60 minutes
The RADIUS host entries are chosen in the order that they were configured.
For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Note: You need to configure some settings on the RADIUS server, including the switch IP address, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL).
Step 4 ip admission proxy http login expired page file device:expired-filename Specify the location of the custom HTML file to use in place of the default login expired page.
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
AAA down state to avoid flooding the AAA server when it returns to service. This example shows how to apply an AAA failure policy:
Switch(config)# ip admission name AAA_FAIL_POLICY proxy http event timeout aaa policy identity GLOBAL_POLICY1
(Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or by entering file-path, which indicates a file (for example, a logo or text file) that appears in the banner.
This example shows how to view only the global web-based authentication status:
Switch# show authentication sessions
This example shows how to view the web-based authentication settings for gigabit interface 3/27:
Switch# show authentication sessions interface gigabitethernet 3/27
The rest of the chapter describes configuration procedures for physical interface characteristics. Note: The stack ports on the rear of the Catalyst 3750-E switch are not Ethernet ports and cannot be configured....
Configure switch ports by using the switchport interface configuration commands. Use the switchport command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode.
Catalyst 6500 series switch; the Catalyst 3750-E or 3560-E switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
Note: The IP base feature set supports static routing and the Routing Information Protocol (RIP). For full Layer 3 routing or for fallback bridging, you must enable the IP services feature set on the standalone switch, or the stack master.
VLAN. Note: The protocol link state for VLAN interfaces comes up when the first switchport belonging to the corresponding VLAN link comes up and is in STP forwarding state.
Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
In Cisco IOS Release 12.2(40)SE and earlier, each 10/100/1000 PoE port provides up to 15.4 W of power to the device. Cisco IOS Release 12.2(44)SE and later supports enhanced PoE. Enhanced PoE should be configured on a port to power a device requiring up to 20 W of power, such as the Cisco AP1250 wireless access point.
LEDs. On a Catalyst 3750-E switch, the PoE feature operates the same whether or not the switch is a stack member. The power budget is per-switch and independent of any other switch in the stack. Election of a new stack master does not affect PoE operation.
PoE-capable port, making the port a data-only port. For information on configuring a PoE port, see the “Configuring a Power Management Mode on a PoE Port” section on page 12-27.
The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
PoE ports. Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.
12-14). To configure a physical interface (port), specify the interface type, stack member number (only Catalyst 3750-E switches), module number, and switch port number, and enter interface configuration mode.
• Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, 10-Gigabit...
Ethernet module slots, the port numbers restart with the 10-Gigabit Ethernet ports: tengigabitethernet1/0/1. On a switch with 10/100/1000 ports and Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, the SFP module ports are numbered consecutively following the 10/100/1000 interfaces.
Step 2 Enter the interface global configuration command. Identify the interface type, the switch number (only on Catalyst 3750-E switches), and the number of the connector. In this example, Gigabit Ethernet port 1 on switch 1 is selected:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)#
You do not need to add a space between the interface type and the interface number.
- {last port} (for Catalyst 3560-E switches), where the module is always 0
– gigabitethernet stack member/module/{first port} - {last port} (for Catalyst 3750-E switches), where the module is always 0
– tengigabitethernet module/{first port} - {last port} (for Catalyst 3560-E switches), where the...
PC through the Ethernet management ports. The active link is from the stack master, a Catalyst 3750-E or Catalyst 3750-X switch, to the PC. If the stack master fails and the elected stack master is not a Catalyst 3750-E or Catalyst 3750-X switch (switch 2), the active link can be from a stack member to the PC.
If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports.
LED is green (on) when the link is active, and the LED is off when the link is down. The LED is amber when there is a POST failure. To display the link status, use the show interfaces fastethernet 0 privileged EXEC command.
Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release. copy tftp:/source-file-url filesystem:/destination-file-location Copies a Cisco IOS image from the TFTP server to the specified location. For more details, see the command reference for this release.
Port security Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 26-11. Port Fast Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 20-12.
Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
Note Catalyst 3750-E or 3560-E ports can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on, off, or desired. The default state is off.
Step 7 show controllers ethernet-controller interface-id phy Verify the operational state of the auto-MDIX feature on the interface. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
The switch repowers the port only if the powered device is a class 1, class 2, or a Cisco-only powered device. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a...
Chapter 15, “Configuring Voice VLAN.”
Budgeting Power for Devices Connected to a PoE Port
When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget accordingly.
Enter global configuration mode. Step 2 no cdp run (Optional) Disable CDP. Step 3 interface interface-id Specify the physical port to be configured, and enter interface configuration mode.
If you do not enter the action log keywords, the default action shuts down the port and puts the port in the error-disabled state.
show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description.
• If the switch attempts to boot up with a configuration that has more VLANs and routed ports than hardware can support, the VLANs are created, but the routed ports are shut down, and the switch sends a message that this was due to insufficient hardware resources.
At least one port in the VLAN should be up and not excluded to keep the SVI state up. You can use this command to exclude the monitoring port status when determining the status of the SVI.
• The switch does not support the MTU on a per-interface basis.
• You can enter the system mtu bytes global configuration command on a Catalyst 3750-E switch, but the command does not take effect on the switch. This command only affects the system MTU size on Fast Ethernet ports on Catalyst 3750 members in a mixed hardware switch stack.
Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command.
Switch# reload
This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
Switch(config)# system mtu jumbo 25000
% Invalid input detected at '^' marker.
Configuring the Cisco RPS 2300
You can configure and manage the Cisco Redundant Power System 2300, also known as the RPS 2300. Follow these guidelines when configuring the RPS 2300: The RPS name is a 16-character-maximum string.
For more information about using the power rps user EXEC command, see the command reference for this release.
Configuring the Power Supplies
You can use the power supply user EXEC command to configure and manage the internal power supply on the switch.
(You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 12-6...
Note: The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a Catalyst 3750-E or 3560-E switch. The Catalyst 3750-E or 3560-E switch is a VMPS client.
To participate in VTP, at least one trunk
with the same VTP domain name.
EXEC command. The vlan.dat file is stored in flash memory. On a Catalyst 3750-E switch, the vlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
• VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configuration are also saved in the switch running configuration file.
EXEC command to save the configuration in the startup configuration file. In a switch stack, the whole stack uses the same vlan.dat file and running configuration. To display the VLAN configuration, enter the show vlan privileged EXEC command.
This example shows how to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end
Define the VLAN membership mode for the port (Layer 2 access port). Step 4 switchport access vlan vlan-id Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094. Step 5 Return to privileged EXEC mode.
Ethernet VLANs. You can change only the MTU size, private VLAN, and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
VLAN ID from 1006 to 4094. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 13-2) and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change. See the description of the vlan global
This example shows how to create a new extended-range VLAN with all default characteristics, enter VLAN configuration mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
VTP server mode, and the extended-range VLAN IDs will not be saved. Note: This step is not required for VTP version 3 because VLANs are saved in the VLAN database.
Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces:
• Inter-Switch Link (ISL)—Cisco-proprietary trunking encapsulation.
• IEEE 802.1Q—industry-standard trunking encapsulation.
You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. Note: DTP is not supported on private-VLAN ports or tunnel ports.
The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces decide whether a link becomes an ISL or IEEE 802.1Q trunk.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
dot1q | negotiate} Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type.
VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack. Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
Return to global configuration mode. Step 6 Repeat Steps 2 through 5 on a second interface in Switch A (for a Catalyst 3560-E switch) or in the Switch A stack (for a Catalyst 3750-E switch). Step 7 Return to privileged EXEC mode.
The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
You must turn off trunking on the port before the dynamic-access setting takes effect.
• Dynamic-access ports cannot be monitor ports.
If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.
If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch.
• VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent.
• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
[Figure residue: network diagram of Switches E through J with IP addresses 172.20.26.155 through 172.20.26.159; Switch I is a client switch with a dynamic-access port to end station 2 and a trunk port; Switch J is a Catalyst 6500 series switch acting as secondary VMPS (Server 3).]
VLANs with the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
VTP off: A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
Although VTP version 2 supports only one domain, a VTP version 2 transparent switch forwards a message only when the domain name matches.
For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
F have no ports in the Red VLAN.
Figure 14-1 Flooding Traffic without VTP Pruning [figure: Switch A through Switch F, with Port 1 and Port 2 labeled]
VTP.
• When a switch joins the stack, it inherits the VTP and VLAN properties of the stack master.
• All VTP updates are carried across the stack.
The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3.
VTP version: Version 1 (Version 2 is disabled).
MST database mode: Transparent.
VTP version 3 server type: Secondary.
VTP password: None.
VTP pruning: Disabled.
If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it.
2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled. Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they...
VTP server mode (the default).
• VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you cannot convert from VTP version 3 to VTP version 2.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
This example shows how to configure a hidden password and how it appears.
Switch(config)# vtp password mypassword hidden
Generating the secret associated to the password.
Switch(config)# end
Switch# show vtp password
VTP password: 89914640C8D90868B6A0D8103847A733
Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
• VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List” section on page 13-20.
Change the domain name from the original one displayed in Step 1 to a new name.
Step 4 The VLAN information on the switch is updated and the configuration revision number is reset to 0. You return to privileged EXEC mode.
Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
show vtp status Display the VTP switch configuration information.
This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
Chapter 37, “Configuring QoS.”
• You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
VLAN, the Port Fast feature is not automatically disabled.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: ...
Configuring Cisco IP Phone Voice Traffic
You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
Configuring the Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
startup-config (Optional) Save your entries in the configuration file.
This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
Switch# configure terminal
Enter configuration commands, one per line.
Configuring Private VLANs
This chapter describes how to configure private VLANs on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
Private VLANs have specific interaction with some other features, described in these sections:
• Private VLANs and Unicast, Broadcast, and Multicast Traffic, page 16-5
• Private VLANs and SVIs, page 16-5
• Private VLANs and Switch Stacks, page 16-5
VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.
See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 16-13.
Step 6 Verify private-VLAN configuration.
Default Private-VLAN Configuration
No private VLANs are configured.
– Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.
– The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.
– The ip sticky-arp interface configuration command is only supported on...
VLAN become inactive.
• Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
Configuring and Associating VLANs in a Private VLAN
Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:
Note The private-vlan commands do not take effect until you exit VLAN configuration mode.
• Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN.
• The command does not take effect until you exit VLAN configuration mode.
Return to privileged EXEC mode.
Step 6 show interfaces [interface-id] switchport Verify the configuration.
Step 7 copy running-config startup-config (Optional) Save your entries in the switch startup configuration file.
Return to privileged EXEC mode.
Step 6 show interfaces [interface-id] switchport Verify the configuration.
Step 7 copy running-config startup-config (Optional) Save your entries in the switch startup configuration file.
Return to privileged EXEC mode.
Step 5 show interface private-vlan mapping Verify the configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the switch startup configuration file.
This is an example of the output from the show vlan private-vlan command:
Switch(config)# show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
                  isolated          Gi2/0/1, Gi3/0/1, Gi3/0/2
                  community         Gi2/0/11, Gi3/0/1, Gi3/0/4
                  non-operational
The Catalyst 3750-E or 3560-E switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 17-2 shows the tag structures of the double-tagged packets.
(The default is zero if none is configured.) On Catalyst 3750-E switches, because 802.1Q tunneling is configured on a per-port basis, it does not matter whether the switch is a standalone switch or a stack member. All configuration is done on the stack master.
The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by adding 4 bytes to the system MTU and system jumbo MTU sizes.
• When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface.
Switch(config-if)# exit
Switch(config)# vlan dot1q tag native
Switch(config)# end
Switch# show dot1q-tunnel interface gigabitethernet1/0/7
Port
-----
Gi1/0/1
Port
-----
Switch# show vlan dot1q tag native
dot1q native vlan tagging is enabled
VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
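The rewrite described above, as an added example that is not part of the Cisco guide: a small Python builder and parser for the double-tagged, MAC-rewritten frames, so a capture can be checked for tunneled PDUs and for the tag overhead behind the MTU rule on page 17-5. TPID 0x8100 on both tag layers, the VLAN numbers, the source MAC and the LLC payload are assumptions; the outer CoS of 5 is the default this chapter gives for tunneled BPDUs.

```python
"""Decode the double-tagged frames that Layer 2 protocol tunneling emits.

Added example, not code from the Cisco guide. It builds and parses a frame
the way the text describes: destination MAC rewritten to the Cisco
proprietary multicast 01-00-0c-cd-cd-d0, an outer IEEE 802.1Q metro tag and
an inner customer VLAN tag. VLAN numbers, source MAC and payload are
constructed sample values; TPID 0x8100 for both tags is an assumption.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

L2PT_MULTICAST = bytes.fromhex("01000ccdcdd0")  # tunneled-PDU destination from the text
DOT1Q_TPID = 0x8100                              # assumed for both tag layers
TAG_LEN = 4                                      # each tag adds 4 bytes, hence the MTU rule
# Constructed sample: an STP-style LLC payload (DSAP/SSAP 0x42) padded to 38 bytes.
SAMPLE_PAYLOAD = bytes([0x42, 0x42, 0x03]) + b"\x00" * 35


def mac(text: str) -> bytes:
    """Accept 0000.0c11.2233, 00:00:0c:11:22:33 or 00-00-0c-11-22-33 forms."""
    raw = bytes.fromhex(text.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def dot1q_tag(vlan: int, cos: int = 0) -> bytes:
    """Build a 4-byte 802.1Q tag: TPID, then PCP(3 bits) | DEI(1) | VID(12)."""
    if not 0 <= vlan <= 4095 or not 0 <= cos <= 7:
        raise ValueError("VLAN must be 0..4095 and CoS 0..7")
    return struct.pack("!HH", DOT1Q_TPID, (cos << 13) | vlan)


def build_tunneled_pdu(src: str, metro_vlan: int, customer_vlan: int,
                       type_or_length: int, payload: bytes, cos: int = 5) -> bytes:
    """Frame as it leaves the SP edge trunk: rewritten dst, outer metro tag, inner customer tag."""
    return (L2PT_MULTICAST + mac(src)
            + dot1q_tag(metro_vlan, cos) + dot1q_tag(customer_vlan)
            + struct.pack("!H", type_or_length) + payload)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlans: List[int]          # outermost tag first; [] for an untagged frame
    outer_cos: Optional[int]  # CoS of the outermost tag, None if untagged
    type_or_length: int
    payload: bytes

    @property
    def is_tunneled_pdu(self) -> bool:
        """True when the destination is the address the SP edge writes into tunneled PDUs."""
        return self.dst == L2PT_MULTICAST

    @property
    def tag_overhead(self) -> int:
        """Bytes added by the tag stack; the system MTU must allow for this."""
        return TAG_LEN * len(self.vlans)


def parse_frame(raw: bytes) -> Frame:
    """Peel any number of stacked 802.1Q tags and return the decoded header."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    vlans: List[int] = []
    outer_cos: Optional[int] = None
    while off + 2 <= len(raw):
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype != DOT1Q_TPID:
            break
        if off + TAG_LEN > len(raw):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        if outer_cos is None:
            outer_cos = tci >> 13
        vlans.append(tci & 0x0FFF)
        off += TAG_LEN
    else:
        raise ValueError("frame ends inside the tag stack")
    return Frame(dst, src, vlans, outer_cos, etype, raw[off + 2:])


def sample_frame() -> bytes:
    """Constructed example: customer VLAN 30 PDU tunneled inside metro VLAN 100."""
    return build_tunneled_pdu("0000.0c11.2233", 100, 30, len(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD)
```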
BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic.
PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets.
Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
If no keyword is entered, tunneling is enabled for all three protocols.
Caution To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.
[point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
Display only Layer 2 protocol summary information.
show vlan dot1q tag native Display the status of native VLAN tagging on the switch.
For detailed information about these displays, see the command reference for this release.
Note By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can change the default for an interface by entering the [no] keepalive interface configuration command with no keywords.
– Selects the lowest path cost to the root switch
– Selects the lowest designated bridge ID
– Selects the lowest designated path cost
– Selects the lowest port ID
VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
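As an added example (not the guide's own code), the 8-byte bridge ID layout just described and the port-selection order listed above, in Python; splitting the 2-byte field into a 4-bit priority and a 12-bit VLAN ID is the extended-system-ID convention and is assumed here, and every switch name, MAC address, cost and port number is a constructed sample value.

```python
"""Bridge ID layout and spanning-tree tie-breaking for a VLAN.

Added example, not code from the Cisco guide. It models the 8-byte bridge
ID described above (2 bytes of priority followed by the 6 bytes of the switch
MAC address) and applies the tie-break order this chapter lists for port
selection: lowest path cost to the root, lowest designated bridge ID, lowest
designated path cost, lowest port ID. Names, MACs and costs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Priority occupies the high 4 bits of the 2-byte field, so it must be a
# multiple of 4096 (extended system ID convention, assumed here).
PRIORITY_STEP = 4096
DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, mac: str, vlan: Optional[int] = None) -> bytes:
    """Return the 8-byte bridge ID: 2-byte priority field + 6-byte MAC.

    With the extended system ID the low 12 bits of the priority field carry the
    VLAN ID (assumption based on IEEE 802.1t, not stated on this page), which is
    why two switches with equal priority are still ranked by MAC address.
    """
    if priority % PRIORITY_STEP or not 0 <= priority <= 15 * PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    field = priority + (vlan or 0)
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return field.to_bytes(2, "big") + mac_bytes


def elect_root(bridges: Dict[str, bytes]) -> str:
    """The switch advertising the numerically lowest bridge ID becomes root."""
    return min(bridges, key=bridges.__getitem__)


@dataclass(frozen=True)
class Offer:
    """What one local port learned from the best BPDU it received."""
    port: str
    root_path_cost: int        # cost to reach the root through this port
    designated_bridge: bytes   # bridge ID of the neighbor sending the BPDU
    designated_path_cost: int  # the neighbor's own advertised cost to the root
    port_id: int               # sender's port ID (priority byte, port number byte)


def choose_root_port(offers: Iterable[Offer]) -> str:
    """Pick the root port using the chapter's order; the lowest value wins each step."""
    best = min(offers, key=lambda o: (o.root_path_cost, o.designated_bridge,
                                      o.designated_path_cost, o.port_id))
    return best.port


def describe(bid: bytes) -> str:
    """Render a bridge ID as priority, system-ID extension and MAC for a log line."""
    field = int.from_bytes(bid[:2], "big")
    mac = ".".join(bid[2:].hex()[i:i + 4] for i in (0, 4, 8))
    return f"priority {field & 0xF000} sysid-ext {field & 0x0FFF} mac {mac}"
```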
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
A disabled interface performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs
If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.
A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Spanning-Tree Modes and Protocols
The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
• Configuring the Root Switch, page 18-16 (optional)
• Configuring a Secondary Root Switch, page 18-18 (optional)
• Configuring Port Priority, page 18-18 (optional)
• Configuring Path Cost, page 18-20 (optional)
VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN.
(For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) In Catalyst 3750-E-only and mixed switch stacks, all stack members run the same version of spanning tree. For information about the different spanning-tree modes and how they interoperate, see the “Spanning-Tree Interoperability and Backward Compatibility”...
To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
(higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
Return to privileged EXEC mode.
Step 6 show spanning-tree interface interface-id
show spanning-tree vlan vlan-id
Verify your entries.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
CHAPTER
Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-E or 3560-E switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
Understanding MSTP
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
Detecting Unidirectional Link Failure
This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role...
A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology.
Disabled Disabled Discarding
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
VLAN-to-instance map, the same configuration revision number, and the same name.
• For two or more stacked Catalyst 3750-E switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 spanning-tree mst configuration Enter MST configuration mode.
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# instance 1 vlan 10-20
Switch(config-mst)# name region1
Switch(config-mst)# revision 1
Switch(config-mst)# show pending
Pending MST configuration
Name [region1]
Revision
Note After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note If your Catalyst 3750-E switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state.
If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
(PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-2 OL-9775-08...
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 20-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-3 OL-9775-08...
Page 558
Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-4...
Page 559
Switch C Understanding Cross-Stack UplinkFast For Catalyst 3750-E switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-6 OL-9775-08...
BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-7...
Page 562
If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The Catalyst 3750-E switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack.The Catalyst 3560-E switch sends the RLQ request on all alternate paths...
Switch A, the root switch.
Figure 20-8 Adding a Switch in a Shared-Medium Topology (figure labels: Switch A (Root), Switch B, Switch C (Designated bridge), Blocked port, Added switch)
MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command.
Caution: Misuse of the root-guard feature can cause a loss of connectivity.
PVST+, rapid PVST+, or MSTP. On a Catalyst 3750-E switch, you can configure the UplinkFast, the BackboneFast, or the cross-stack UplinkFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
Caution: Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
Enabling BackboneFast
You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.
Step 1 show spanning-tree active or show spanning-tree mst: Verify which interfaces are alternate or root ports.
Step 2 configure terminal: Enter global configuration mode.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Chapter 20 Configuring Optional Spanning-Tree Features: Displaying the Spanning-Tree Status
Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-E or 3560-E switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On Catalyst 3750-E switches, the Flex Link can be on the same switch or on another switch in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query.
Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401:
Switch# show ip igmp snooping mrouter
Vlan    ports
----    -----
   1    Gi1/0/11(dynamic), Gi1/0/12(dynamic)
 401    Gi1/0/11(dynamic), Gi1/0/12(dynamic)
GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:
Switch# show ip igmp snooping groups
Vlan    Group        Type    Version    Port List
-----------------------------------------------------------------------
1       228.1.5.1    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
1       228.1.5.2    igmp               Gi1/0/11, Gi1/0/12, Gi2/0/11
100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.
• You can configure up to 16 backup links.
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the active interface.
Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
delay delay-time: Configure the time delay until a port preempts another port.
Note: Setting a delay time only works with forced and bandwidth modes.
Step 6 Return to privileged EXEC mode.
(Optional) Save your entries in the switch startup configuration file. To disable the VLAN load balancing feature, use the no switchport backup interface interface-id prefer vlan vlan-range interface configuration command.
Vlans Preferred on Active Interface: 1-2,5-4094
Vlans Preferred on Backup Interface: 3-4
Preemption Mode : off
Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4)
Mac Address Move Update Vlan : auto
This example shows how to configure an access switch to send MAC address-table move update messages:
Switch# configure terminal
Switch(conf)# interface gigabitethernet1/0/1
Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2
Switch(conf-if)# exit
Switch(conf)# mac address-table move update transmit
Switch(conf)# end
EXEC command. This example shows how to configure a switch to get and process MAC address-table move update messages:
Switch# configure terminal
Switch(conf)# mac address-table move update receive
Switch(conf)# end
Flex Links and the state of each active and backup interface (up or standby mode).
show mac address-table move update: Displays the MAC address-table move update information on the switch.
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750-E or 3560-E switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
• For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
– Circuit-ID type
– Length of the circuit-ID type
• Remote-ID suboption fields
– Suboption type
– Length of the suboption type
– Remote-ID type
– Length of the remote-ID type
In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a Catalyst 3750-E switch with 24 10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet 1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth.
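The option-82 suboption fields listed above and the port numbering rule in the preceding paragraph, worked through as an added example in Python (not Cisco code). The field names come from this chapter; the byte layouts are assumptions for the example: the circuit-ID value is taken to be VLAN (2 bytes), module (1 byte) and port (1 byte), the remote-ID value the relaying switch's 6-byte MAC address, and the module byte the stack member number. The sample payload is constructed.

```python
"""Decode a DHCP option-82 relay-agent-information payload and map the
circuit-ID port field to a switch interface.

Added example, not Cisco code. Field names (suboption type, length,
circuit-ID type, length; remote-ID type, length) follow the chapter; the
value layouts and the meaning of the module byte are assumptions."""
import struct
from typing import Any, Dict

CIRCUIT_ID_SUBOPTION = 1
REMOTE_ID_SUBOPTION = 2

# Constructed sample: circuit-ID for VLAN 10, module 1, port 3, followed by a
# remote-ID carrying the MAC address 00:1b:2c:3d:4e:5f.
SAMPLE_OPTION82 = bytes.fromhex("01060004000a0103" "02080006001b2c3d4e5f")


def parse_option82(payload: bytes) -> Dict[str, Any]:
    """Walk the suboption TLVs; each value carries its own inner type/length."""
    result: Dict[str, Any] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header at offset %d" % i)
        subtype, sublen = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("suboption %d length %d runs past payload" % (subtype, sublen))
        i += 2 + sublen
        # Inner header: circuit-ID type or remote-ID type, then its length.
        if len(value) < 2 or value[1] != len(value) - 2:
            raise ValueError("bad inner type/length in suboption %d" % subtype)
        inner_type, inner = value[0], value[2:]
        if subtype == CIRCUIT_ID_SUBOPTION:
            if len(inner) != 4:
                raise ValueError("circuit-ID value must be 4 bytes, got %d" % len(inner))
            vlan, module, port = struct.unpack("!HBB", inner)   # assumed layout
            result["circuit_id"] = {"type": inner_type, "vlan": vlan,
                                    "module": module, "port": port}
        elif subtype == REMOTE_ID_SUBOPTION:
            if len(inner) != 6:
                raise ValueError("remote-ID value must be 6 bytes, got %d" % len(inner))
            result["remote_id"] = {"type": inner_type, "mac": inner.hex(":")}
        else:
            # Unknown suboptions are kept raw so a caller can still inspect them.
            result.setdefault("other", []).append((subtype, value))
    return result


def port_to_interface(module: int, port: int) -> str:
    """Port numbers start at 3: port 3 is Gi<module>/0/1, port 4 is Gi<module>/0/2, ..."""
    if port < 3:
        raise ValueError("port field %d is below the first front-panel port (3)" % port)
    return "GigabitEthernet%d/0/%d" % (module, port - 2)


def relay_port_of(payload: bytes) -> str:
    """The interface on which the relay agent received the client's request."""
    cid = parse_option82(payload)["circuit_id"]
    return port_to_interface(cid["module"], cid["port"])


if __name__ == "__main__":
    print(parse_option82(SAMPLE_OPTION82))
    print(relay_port_of(SAMPLE_OPTION82))   # GigabitEthernet1/0/1
```

A DHCP server or log pipeline that keys on the circuit ID can use relay_port_of to translate the raw port field into the interface name that appears in the switch's own show output; the length checks matter because a malformed or truncated suboption should be rejected rather than silently mapped to the wrong port.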
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.
URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
Configuring the DHCP Server
The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures:
• Checking (validating) the relay agent information...
The default setting is disabled.
Note: Enter this command only on aggregation switches that are connected to trusted devices.
Step 7 interface interface-id: Specify the interface to be configured, and enter interface configuration mode.
100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100
VLANs, on which DHCP snooping is enabled.
Enabling the Cisco IOS DHCP Server Database
For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Display the dynamically and statically configured bindings.
Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface.
DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.
If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored.
(Optional) Save your entries in the configuration file. To disable IP source guard with source IP address filtering, use the no ip verify source interface configuration command.
Step 3 interface interface-id: Enter interface configuration mode.
Step 4 switchport mode access: Configure a port as access.
Step 5 switchport access vlan vlan-id: Configure the VLAN for this port.
This example shows how to enable IPSG for static hosts with IP filters on a Layer 2 access port and to verify the valid IP bindings on the interface Gi1/0/3:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip device tracking
GigabitEthernet1/0/2  ACTIVE
200.1.1.1  0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
200.1.1.2  0001.0600.0000  GigabitEthernet1/0/2  ACTIVE
200.1.1.2  0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
200.1.1.3  0001.0600.0000  GigabitEthernet1/0/2  ACTIVE
200.1.1.3  0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
200.1.1.4  0001.0600.0000  GigabitEthernet1/0/2  ACTIVE
200.1.1.4  0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with static hosts will reject all the IP traffic from that interface. This requirement also applies to IPSG with static hosts on a Layer 2 access port.
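The device tracking table shown above, the port ACL that denies all IP traffic until a binding opens it, and the requirement that IP device tracking be enabled, brought together as an added example in Python (not Cisco code). It parses device-tracking rows in the layout the page shows, keeps only ACTIVE bindings per interface, and applies the IPSG-with-static-hosts rule: a packet is permitted only when its source IP (and, with MAC filtering, its source MAC) matches an active binding on that port, and a port without IP device tracking rejects everything. The table text and the IpsgPort class are constructed for this example.

```python
"""Parse an IP device tracking table and apply IP source guard (IPSG) with
static hosts to it. Added example, not Cisco code; the sample table is
constructed after the page's output (no VLAN column, as on the page)."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Binding(NamedTuple):
    ip: str
    mac: str
    interface: str
    state: str


# Constructed sample in the layout shown on the page.
SAMPLE_TABLE = """\
  IP Address    MAC Address     Interface             STATE
---------------------------------------------------------------
200.1.1.1     0001.0600.0000  GigabitEthernet1/0/2  ACTIVE
200.1.1.1     0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
200.1.1.2     0001.0600.0000  GigabitEthernet1/0/2  ACTIVE
200.1.1.2     0001.0600.0000  GigabitEthernet1/0/1  INACTIVE
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"            # IP address
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"  # MAC in Cisco dotted form
    r"(\S+)\s+(ACTIVE|INACTIVE)\s*$", re.IGNORECASE)


def parse_device_tracking(text: str) -> List[Binding]:
    """Keep only well-formed data rows; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Binding(m.group(1), m.group(2).lower(), m.group(3), m.group(4).upper()))
    return rows


def active_bindings(rows: List[Binding]) -> Dict[str, Set[Tuple[str, str]]]:
    """Per-interface set of (ip, mac) pairs that are ACTIVE; INACTIVE rows open nothing."""
    table: Dict[str, Set[Tuple[str, str]]] = {}
    for b in rows:
        if b.state == "ACTIVE":
            table.setdefault(b.interface, set()).add((b.ip, b.mac))
    return table


class IpsgPort:
    """IPSG with static hosts on one Layer 2 access port (constructed model)."""

    def __init__(self, interface: str, bindings: Dict[str, Set[Tuple[str, str]]],
                 tracking_enabled: bool, mac_filter: bool = False):
        self.interface = interface
        self.allowed = bindings.get(interface, set())
        self.tracking_enabled = tracking_enabled
        self.mac_filter = mac_filter

    def permits(self, src_ip: str, src_mac: str) -> bool:
        # The port ACL denies all IP traffic; only bindings open holes in it,
        # and without IP device tracking there are no bindings at all.
        if not self.tracking_enabled:
            return False
        src_mac = src_mac.lower()
        if self.mac_filter:
            return (src_ip, src_mac) in self.allowed
        return any(ip == src_ip for ip, _ in self.allowed)


def decisions(text: str, tracking_enabled: bool = True) -> List[bool]:
    """Constructed checks against the sample table; one permit/deny per case."""
    table = active_bindings(parse_device_tracking(text))
    gi2 = IpsgPort("GigabitEthernet1/0/2", table, tracking_enabled, mac_filter=True)
    gi1 = IpsgPort("GigabitEthernet1/0/1", table, tracking_enabled)
    return [
        gi2.permits("200.1.1.1", "0001.0600.0000"),   # ACTIVE binding: permit
        gi2.permits("200.1.1.1", "0001.0600.ffff"),   # same IP, other MAC, MAC filtering on: deny
        gi2.permits("200.1.1.9", "0001.0600.0000"),   # no binding for this IP: deny
        gi1.permits("200.1.1.1", "0001.0600.0000"),   # host is only INACTIVE on this port: deny
    ]


if __name__ == "__main__":
    print(decisions(SAMPLE_TABLE))                          # [True, False, False, False]
    print(decisions(SAMPLE_TABLE, tracking_enabled=False))  # all False
```

The parser is deliberately strict about the row shape so that a changed column layout in a later release produces an empty table (and therefore deny-all) rather than mis-keyed bindings; when auditing, compare its ACTIVE set against what show ip verify source reports for the same port.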
In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no...
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
DHCP address pool.
Step 4 address ip-address client-id string [ascii]: Reserve an IP address for a DHCP client identified by the interface name. string—can be an ASCII value or a hexadecimal value.
1 subnet is currently in the pool:
Current index    IP address range            Leased/Excluded/Total
10.1.1.1         10.1.1.1 - 10.1.1.254       / 4 / 254
1 reserved address is currently in the pool
Address     Client
10.1.1.7    Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
Chapter 22 Configuring DHCP Features and IP Source Guard: Displaying DHCP Server Port-Based Address Allocation
Catalyst 3750-E or 3560-E switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
“Configuring ARP ACLs for Non-DHCP Environments” section on page 23-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 23-5.
If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
ARP ACLs for non-DHCP environments: No ARP ACLs are defined.
Validation checks: No checks are performed.
30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
This procedure is required.
Step 1 show cdp neighbors: Verify the connection between the switches.
Step 2 configure terminal: Enter global configuration mode.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:
Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip arp inspection trust
For more information, see the “Configuring the Log Buffer” section on page 23-13.
Step 4 exit: Return to global configuration mode.
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
ARP packets. The range is 1 to 15.
• For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.
Step 4 exit: Return to global configuration mode.
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
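The dynamic ARP inspection decision order described earlier in this chapter (ARP ACL first, with an ACL deny overriding a valid DHCP snooping binding; trusted interfaces not inspected), the additional destination-MAC, IP and source-MAC validation checks, and the logs/interval rule just stated, as one added example in Python (not Cisco code). Assumptions beyond the page: packets that no ACL entry matches fall through to the binding table (the non-static filter behaviour); the ip check treats 0.0.0.0, 255.255.255.255 and multicast addresses as invalid, checking the sender IP in all packets and the target IP in replies only; dst-mac applies to replies and src-mac to all packets. The bindings, ACL and packets are constructed.

```python
"""Dynamic ARP inspection (DAI) decision logic and the log-rate rule.
Added example, not Cisco code; all data below is constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ArpPacket:
    ingress: str        # receiving interface
    vlan: int
    opcode: int         # 1 = request, 2 = reply
    eth_src: str        # Ethernet header addresses
    eth_dst: str
    sender_mac: str     # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpAclEntry:
    action: str         # "permit" or "deny"
    ip: str
    mac: str


@dataclass
class DaiConfig:
    trusted: Set[str] = field(default_factory=set)
    acl: List[ArpAclEntry] = field(default_factory=list)
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, ip) -> mac
    validate: Set[str] = field(default_factory=set)   # subset of {"dst-mac", "ip", "src-mac"}


def _acl_lookup(acl: List[ArpAclEntry], ip: str, mac: str) -> Optional[str]:
    for entry in acl:                      # first matching entry wins, as in an access list
        if entry.ip == ip and entry.mac == mac:
            return entry.action
    return None


def _invalid_ip(ip: str) -> bool:
    # Assumption: the ip check rejects 0.0.0.0, the limited broadcast and multicast.
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(pkt: ArpPacket, cfg: DaiConfig) -> Tuple[str, str]:
    """Return (verdict, reason) for one ARP packet on an untrusted or trusted port."""
    if pkt.ingress in cfg.trusted:
        return "permit", "trusted interface, not inspected"
    acl_verdict = _acl_lookup(cfg.acl, pkt.sender_ip, pkt.sender_mac)
    if acl_verdict == "deny":
        return "deny", "arp acl deny (binding table not consulted)"
    if acl_verdict is None and cfg.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac:
        return "deny", "no dhcp snooping binding for sender ip/mac"
    if "src-mac" in cfg.validate and pkt.eth_src != pkt.sender_mac:
        return "deny", "src-mac: header source differs from sender mac"
    if "dst-mac" in cfg.validate and pkt.opcode == 2 and pkt.eth_dst != pkt.target_mac:
        return "deny", "dst-mac: header destination differs from target mac"
    if "ip" in cfg.validate and (_invalid_ip(pkt.sender_ip)
                                 or (pkt.opcode == 2 and _invalid_ip(pkt.target_ip))):
        return "deny", "ip: invalid sender or target ip"
    return "permit", "valid binding"


def log_rate(logs: int, interval: int) -> Tuple[float, float]:
    """(messages, seconds): X/Y messages every second if X > Y, else 1 message every Y/X seconds."""
    if logs <= 0 or interval <= 0:
        raise ValueError("logs and interval must be positive")
    return (logs / interval, 1.0) if logs > interval else (1.0, interval / logs)


# Constructed sample: Gi1/0/1 is the trusted uplink; 10.0.0.5 is denied by the
# ACL although it has a binding; 10.0.0.9 has a binding; all three checks are on.
SAMPLE_CONFIG = DaiConfig(
    trusted={"Gi1/0/1"},
    acl=[ArpAclEntry("deny", "10.0.0.5", "0000.0000.0005")],
    bindings={(1, "10.0.0.5"): "0000.0000.0005", (1, "10.0.0.9"): "0000.0000.0009"},
    validate={"dst-mac", "ip", "src-mac"},
)


def _pkt(ingress: str, sender_ip: str, sender_mac: str, eth_src: str = "", opcode: int = 1) -> ArpPacket:
    return ArpPacket(ingress, 1, opcode, eth_src or sender_mac, "ffff.ffff.ffff",
                     sender_mac, sender_ip, "0000.0000.0000", "10.0.0.1")


SAMPLE_PACKETS = [
    _pkt("Gi1/0/1", "10.0.0.77", "0000.0000.0077"),                          # trusted: permit
    _pkt("Gi1/0/2", "10.0.0.5", "0000.0000.0005"),                           # acl deny beats binding
    _pkt("Gi1/0/2", "10.0.0.9", "0000.0000.0009"),                           # valid binding: permit
    _pkt("Gi1/0/2", "10.0.0.9", "0000.0000.00aa"),                           # ip/mac pair not bound: deny
    _pkt("Gi1/0/2", "10.0.0.9", "0000.0000.0009", eth_src="0000.0000.00bb"),  # src-mac check: deny
]


def run_samples() -> List[str]:
    return [inspect(p, SAMPLE_CONFIG)[0] for p in SAMPLE_PACKETS]
```

The reason string is what you would want in a log entry: it tells the operator whether a drop came from policy (the ACL), from a missing binding (typically a statically addressed host that needs an ARP ACL entry), or from one of the optional header-versus-body checks, which is the difference between a configuration gap and a host sending inconsistent ARP.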
ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.
Note: The multicast router (which could be a Catalyst 3750-E switch with the IP services feature set on the stack master) sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.
The CPU also adds the interface where the join message was received to the forwarding-table entry. The host associated with that interface receives multicast traffic for that multicast group. See Figure 24-1.
The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group.
If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.
IGMPv2, and IGMPv3 reports for a group to the multicast devices. If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 24-15.
• Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
• Listening to Cisco Group Management Protocol (CGMP) packets from other routers
• Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
Note: Static connections to multicast routers are supported only on switch ports.
(Optional) Save your entries in the configuration file. To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command.
• The actual leave latency in the network is usually the configured leave time. However, the leave time might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface.
count: Specify the number of IGMP general queries for which the multicast traffic is flooded. The range is 1 to 10. By default, the flooding query count is 2.
Beginning in privileged EXEC mode, follow these steps to disable multicast flooding on an interface:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface to be configured, and enter interface configuration mode.
IP address, the querier tries to use the global IP address configured for the IGMP querier.
Note: The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.
IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers.
IGMP snooping.
• ip_address—Display characteristics of the multicast group with the specified group IP address.
• user—Display only the user-configured multicast entries.
VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs.
VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the...
If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message.
copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
Step 7 Return to privileged EXEC mode.
VLAN ID range is 1 to 1001 and 1006 to 4094.
show mvr members [ip-address]: Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address.
Default IGMP Filtering Configuration
Feature: Default Setting
IGMP filters: None applied
IGMP maximum number of IGMP groups: No maximum set
IGMP profiles: None defined
IGMP profile action: Deny the range addresses
To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command. This example shows how to apply IGMP profile 4 to a port:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip igmp filter 4
Switch(config-if)# end
EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
• When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
(Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
interface-id]: Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
Chapter 24 Configuring IGMP Snooping and MVR: Displaying IGMP Filtering and Throttling Configuration
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-E or 3560-E switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
MASQs. A port is removed from membership to an address when there are no MLDv1 reports to the address on the port for the configured number of queries.
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-E or Catalyst 3560-E switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
(add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch.
Note: Static connections to multicast routers are supported only on switch ports.
To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 130 immediate-leave
Switch(config)# exit
[vlan vlan-id]: (Optional) Verify the MLD snooping querier information for the switch or for the VLAN.
Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Return to privileged EXEC mode.
Step 4 show ipv6 mld snooping: Verify that IPv6 MLD snooping report suppression is disabled.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Enter user to display MLD snooping user-configured group information for the switch or for a VLAN. show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] Display MLD snooping for the specified VLAN and IPv6 multicast address.
This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface. (Cisco IOS Release 12.2(44)SE or later)
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding.
Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
• Select the shutdown keyword to error-disable the port during a storm.
• Select the trap keyword to generate an SNMP trap when a storm is detected.
Step 5 Return to privileged EXEC mode.
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
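The blocking behaviour described above (the rising threshold blocks, traffic stays blocked until the rate falls below the falling threshold, the shutdown and trap actions, and the separate small-frame threshold that error-disables the port) is easy to get wrong when writing alerting around storm-control events. The following Python simulation is an added example written for this page, not Cisco code: it models one interface's storm-control state across measurement intervals. Defaulting the falling threshold to the rising threshold when none is given matches IOS behaviour; the sample traffic rates are constructed.

```python
"""Storm-control hysteresis model (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StormControlPolicy:
    """Per-interface storm-control settings for one traffic type (e.g. broadcast)."""
    rising: float                      # block when the measured rate reaches this level
    falling: Optional[float] = None    # resume when the rate drops below this; defaults to rising
    action: str = "filter"             # "filter" (drop only), "shutdown" (err-disable) or "trap"
    small_frame_rising: Optional[float] = None  # small-frame pps level that err-disables the port

    def __post_init__(self) -> None:
        if self.falling is None:
            self.falling = self.rising  # IOS: no falling level given means it equals the rising level
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if self.action not in ("filter", "shutdown", "trap"):
            raise ValueError(f"unknown action {self.action!r}")


@dataclass
class PortState:
    blocked: bool = False          # storm control is currently discarding this traffic type
    errdisabled: bool = False      # the whole port is error-disabled
    traps: List[str] = field(default_factory=list)


def step(policy: StormControlPolicy, state: PortState, rate: float,
         small_frame_rate: float = 0.0) -> PortState:
    """Apply one measurement interval; returns the same (mutated) state."""
    if state.errdisabled:
        return state                   # stays down until errdisable recovery or shut/no shut
    # Small frames (VLAN-tagged, under 67 bytes) do not feed the storm-control counters;
    # they have their own per-interface threshold, and reaching it err-disables the port.
    if policy.small_frame_rising is not None and small_frame_rate >= policy.small_frame_rising:
        state.errdisabled = True
        state.blocked = True
        return state
    if not state.blocked:
        if rate >= policy.rising:      # rising threshold reached: storm detected
            state.blocked = True
            if policy.action == "trap":
                state.traps.append(f"storm detected at {rate} (rising={policy.rising})")
            elif policy.action == "shutdown":
                state.errdisabled = True
    elif rate < policy.falling:        # dropped below the falling threshold: resume forwarding
        state.blocked = False
        if policy.action == "trap":
            state.traps.append(f"storm cleared at {rate} (falling={policy.falling})")
    return state


def simulate(policy: StormControlPolicy,
             samples: List[Tuple[float, float]]) -> List[Tuple[bool, bool]]:
    """Run (rate, small_frame_rate) samples; return (blocked, errdisabled) after each interval."""
    state = PortState()
    results = []
    for rate, small in samples:
        step(policy, state, rate, small)
        results.append((state.blocked, state.errdisabled))
    return results


if __name__ == "__main__":
    # Constructed sample: broadcast packets per second per interval on one access port.
    traffic = [(10, 0), (120, 0), (90, 0), (70, 0), (40, 0), (10, 0)]
    print(simulate(StormControlPolicy(rising=100, falling=50), traffic))
```

Note how the rate of 90 and 70 keep the port blocked even though both are below the rising threshold: without a falling threshold the port would flap at every interval around 100, which is the reason to configure one.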
• Default Protected Port Configuration, page 26-6
• Protected Port Configuration Guidelines, page 26-7
• Configuring a Protected Port, page 26-7
Default Protected Port Configuration
The default is to have no protected ports defined.
Note: With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
• Default Port Blocking Configuration, page 26-8
• Blocking Flooded Traffic on an Interface, page 26-8
MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
• In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
Table 26-1 shows the violation mode and the actions taken when you configure an interface for port security.
• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
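To make the port-security rules above concrete (the maximum number of secure addresses, sticky learning and what gets saved, the two-address budget for a port with a voice VLAN, and what each violation mode does to the port or VLAN), here is a small Python model of one secured access port. It is an added example, not Cisco code: the MAC addresses and VLAN numbers are constructed, and the log text is modelled on the IOS port-security violation message rather than copied from a device.

```python
"""Port-security learning and violation handling, modelled in Python (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VIOLATION_MODES = ("protect", "restrict", "shutdown", "shutdown vlan")


@dataclass
class PortSecurity:
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # switchport port-security violation {protect|restrict|shutdown [vlan]}
    sticky: bool = False              # switchport port-security mac-address sticky
    voice_vlan: Optional[int] = None  # when set, the guide says to budget two addresses: phone + PC
    secure: Dict[str, int] = field(default_factory=dict)  # secure MAC -> VLAN it was learned on
    sticky_learned: Set[str] = field(default_factory=set)
    violations: int = 0               # SecurityViolation counter (restrict mode increments it)
    errdisabled: bool = False
    errdisabled_vlans: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if self.voice_vlan is not None and self.maximum < 2:
            self.log.append("warning: voice VLAN configured but maximum < 2 (phone + PC need two)")

    def ingress(self, mac: str, vlan: int) -> bool:
        """Process one frame's source MAC. Returns True if forwarded, False if dropped."""
        if self.errdisabled or vlan in self.errdisabled_vlans:
            return False
        known = self.secure.get(mac)
        if known == vlan:
            return True                       # already a secure address on this VLAN
        if known is None and len(self.secure) < self.maximum:
            self.secure[mac] = vlan           # dynamic learning; sticky also records it for the config
            if self.sticky:
                self.sticky_learned.add(mac)
            return True
        return self._violate(mac, vlan)

    def _violate(self, mac: str, vlan: int) -> bool:
        if self.violation == "protect":
            return False                      # dropped silently: no counter, no syslog, no trap
        self.violations += 1                  # modelled on IOS %PORT_SECURITY-2-PSECURE_VIOLATION
        self.log.append(f"security violation: {mac} on VLAN {vlan} (violation #{self.violations})")
        if self.violation == "shutdown":
            self.errdisabled = True           # the whole port goes error-disabled
        elif self.violation == "shutdown vlan":
            self.errdisabled_vlans.add(vlan)  # only the offending VLAN is error-disabled
        return False

    def recover(self) -> None:
        """shutdown / no shutdown, or clear errdisable interface ... vlan."""
        self.errdisabled = False
        self.errdisabled_vlans.clear()

    def sticky_config_lines(self) -> List[str]:
        """Interface lines that copy running-config startup-config would persist."""
        lines = []
        for mac in sorted(self.sticky_learned):
            suffix = " vlan voice" if self.secure[mac] == self.voice_vlan else ""
            lines.append(f" switchport port-security mac-address sticky {mac}{suffix}")
        return lines


if __name__ == "__main__":
    # Constructed scenario: phone on voice VLAN 200, one PC on access VLAN 10, then a second PC.
    port = PortSecurity(maximum=2, violation="restrict", sticky=True, voice_vlan=200)
    for mac, vlan in [("0011.2233.4455", 200), ("00aa.bbcc.ddee", 10), ("0022.3344.5566", 10)]:
        print(mac, vlan, "forwarded" if port.ingress(mac, vlan) else "dropped")
    print(port.violations, port.log)
    print("\n".join(port.sticky_config_lines()))
```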
VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
Step 4 Return to privileged EXEC mode. Step 5 show port-security [interface interface-id] [address] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Step 5 Return to privileged EXEC mode. Step 6 show port-security [interface interface-id] [address] Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Displays the number of secure MAC addresses configured per VLAN on the specified interface.
Understanding CDP
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
(Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.
27-5.
Disabling and Enabling CDP
CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
(Optional) Save your entries in the configuration file. This example shows how to enable CDP on a port when it has been disabled.
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# cdp enable
Switch(config-if)# end
You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
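The device type and management address that CDP hands to a management application are also handed to anyone else listening on the segment, which is why CDP is usually left on between infrastructure devices but disabled on ports facing untrusted hosts. The following Python decoder is an added example, not Cisco code: it parses the TLVs that follow the CDP header (version, TTL, checksum) and verifies the checksum. The sample advertisement is constructed inside the block; the hostname, addresses and version strings in it are invented.

```python
"""Decode a CDP advertisement payload (added example, not Cisco code)."""
import struct
from typing import Dict, List, Tuple

# CDP TLV types (the SNAP header that precedes the CDP payload is assumed already removed).
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_SOFTWARE_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_MGMT_ADDRESS = 0x0005, 0x0006, 0x000A, 0x0016
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words. This is exactly CDP's checksum for even-length
    payloads; Cisco's handling of a trailing odd byte differs from the zero padding used here,
    so a mismatch on an odd-length frame from a real device should be treated as a warning."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _parse_addresses(value: bytes) -> List[str]:
    """Address TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr) records."""
    (count,) = struct.unpack("!I", value[:4])
    off, out = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2: off + 2 + plen]
        (alen,) = struct.unpack("!H", value[off + 2 + plen: off + 4 + plen])
        addr = value[off + 4 + plen: off + 4 + plen + alen]
        off += 4 + plen + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            out.append(".".join(str(b) for b in addr))
        else:
            out.append(addr.hex())                          # other protocols: raw hex
    return out


def parse_cdp(payload: bytes) -> Dict[str, object]:
    """Return what an on-link listener learns from one CDP advertisement."""
    version, ttl = payload[0], payload[1]
    info: Dict[str, object] = {"version": version, "ttl": ttl,
                               "checksum_ok": ones_complement_sum(payload) == 0}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError(f"malformed TLV at offset {off}")
        value = payload[off + 4: off + tlv_len]
        off += tlv_len
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type in (TLV_ADDRESSES, TLV_MGMT_ADDRESS):
            key = "addresses" if tlv_type == TLV_ADDRESSES else "mgmt_addresses"
            info[key] = _parse_addresses(value)
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES:
            (bits,) = struct.unpack("!I", value)
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if bits & bit]
        elif tlv_type == TLV_SOFTWARE_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value)[0]
    return info


def build_cdp(fields: List[Tuple[int, bytes]], ttl: int = 180) -> bytes:
    """Assemble a CDP v2 payload with a valid checksum (used only to construct sample input)."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in fields)
    cksum = ones_complement_sum(bytes([2, ttl]) + b"\x00\x00" + body)  # checksum field zeroed
    return bytes([2, ttl]) + struct.pack("!H", cksum) + body


def ipv4_address_tlv(*addrs: str) -> bytes:
    records = b"".join(b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes(int(o) for o in a.split("."))
                       for a in addrs)
    return struct.pack("!I", len(addrs)) + records


# Constructed sample advertisement; every value below is invented for the example.
SAMPLE = build_cdp([
    (TLV_DEVICE_ID, b"core-sw1.example.net"),
    (TLV_ADDRESSES, ipv4_address_tlv("10.1.1.1")),
    (TLV_PORT_ID, b"GigabitEthernet1/0/1"),
    (TLV_CAPABILITIES, struct.pack("!I", 0x08 | 0x20)),
    (TLV_SOFTWARE_VERSION, b"Cisco IOS Software, C3750E Software, Version 12.2(55)SE"),
    (TLV_PLATFORM, b"cisco WS-C3750E-24TD"),
    (TLV_NATIVE_VLAN, struct.pack("!H", 1)),
])

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE).items():
        print(f"{key:18} {val}")
```

The fields the decoder recovers are the ones to weigh when deciding where CDP stays enabled: the software version string alone tells an attacker which advisories apply, and the address TLV gives them the management address to try them against.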
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs.
Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.
If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information.
• You cannot configure static secure MAC addresses on an interface that has a network-policy profile.
• You cannot configure a network-policy profile on a private-VLAN port.
• For wired location to function, you must first enter the ip device tracking global configuration command.
(Optional) Specify the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.
Step 5 interface interface-id Specify the interface on which you are configuring a network-policy profile, and enter interface configuration mode. Step 6 network-policy profile number Specify the network-policy profile number.
format. Step 3 exit Return to global configuration mode. Step 4 interface interface-id Specify the interface on which you are configuring the location information, and enter interface configuration mode.
30. Step 4 Return to privileged EXEC mode. Step 5 show network-policy profile Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
TLVs. show location Display the location information for an endpoint. show network-policy profile Display the configured network-policy profiles. show nmsp Display the NMSP information.
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
• The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Figure: Example of Local SPAN Configuration on a Single Switch (traffic on port 5 is mirrored to a network analyzer attached to port 10; ports 1 through 12 are shown).
RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN data, which is directed to the destination port.
– An RSPAN destination session cannot have a local source port.
– An RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch or switch stack.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.
• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
RSPAN session. It is also possible to have multiple RSPAN destination sessions throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN VLAN ID separates the sessions.
For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
A system message notifies you of this action, which is called reloading. The IPv4, IPv6 and MAC FSPAN ACLs can be unloaded or reloaded independently.
• SPAN Configuration Guidelines, page 30-13
• Creating a Local SPAN Session, page 30-14
• Creating a Local SPAN Session and Configuring Incoming Traffic, page 30-16
• Specifying VLANs to Filter, page 30-18
0/1 to tengigabitethernet 0/4 or gigabitethernet 0/1 to gigabitethernet 0/8
b—tengigabitethernet 0/5 to tengigabitethernet 0/8 or gigabitethernet 0/9 to gigabitethernet 0/16
c—tengigabitethernet 0/9 to tengigabitethernet 0/12 or gigabitethernet 0/17 to gigabitethernet 0/24
This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
Switch(config)# end
Step 8 copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
| remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id.
(Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
Step 8 Return to privileged EXEC mode. Step 9 show monitor [session session_number] show running-config Verify the configuration. Step 10 copy running-config startup-config (Optional) Save the configuration in the configuration file.
RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
VLAN 6 as the default receiving VLAN.
Switch(config)# monitor session 2 source remote vlan 901
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
Switch(config)# end
• Port-based FSPAN sessions can be configured on a stack that includes Catalyst 3750 switches as long as the session only includes Catalyst 3750-E ports as source ports. If the session has any Catalyst 3750 ports as source ports, the FSPAN ACL command is rejected. If the session has FSPAN ACL configured, any commands including Catalyst 3750 ports as source ports are rejected.
This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
| remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
Step 9 Return to privileged EXEC mode. Step 10 show monitor [session session_number] show running-config Verify the configuration. Step 11 copy running-config startup-config (Optional) Save the configuration in the configuration file.
To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions.
Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required.
Note: 64-bit counters are not supported for RMON alarms.
You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 33, “Configuring SNMP.”
SNMP community string used for this trap. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
(Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
Table 31-1 Commands for Displaying RMON Status
Command            Purpose
show rmon          Displays general RMON statistics.
show rmon alarms   Displays the RMON alarm table.
show rmon events   Displays the RMON event table.
Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down (Switch-2)
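The message layout above (an optional sequence number, an optional timestamp in uptime or datetime form, %FACILITY-SEVERITY-MNEMONIC, the message text, and on a stack the member that logged it in parentheses) is what a collector has to pull apart before it can alert on, say, link or port-security events from a particular stack member. The Python parser below is an added example, not Cisco code; the sample lines are constructed, modelled on the stack output shown above, and the severity names follow the standard 0 to 7 syslog levels the guide lists in Table 32-3.

```python
"""Parse Cisco IOS system messages into fields (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Syslog severity names, index = numeric level (0 is most severe).
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

_MSG_RE = re.compile(r"""
    ^
    (?:(?P<seq>\d+):\s+)?                         # service sequence-numbers
    (?:(?P<ts>
          [*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d\d:\d\d:\d\d(?:\.\d+)?(?:\s+[A-Za-z]+)?
        | \d+:\d\d:\d\d(?:\.\d+)?                 # service timestamps log uptime, under a day
        | \d+[wdhms](?:\d+[wdhms])*               # uptime of a day or more, e.g. 2w3d
       ):\s+)?
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+
    (?P<text>.*?)
    (?:\s+\((?P<member>Switch-\d+)\))?            # stack member that generated the message
    $
""", re.VERBOSE)


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Return the message fields, or None if the line is not an IOS system message."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["severity"])
    return {
        "sequence": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        "member": m["member"],
    }


def triage(lines: List[str], max_severity: int = 4) -> List[Dict[str, object]]:
    """Keep messages at level max_severity (default: warnings) or more severe; skip non-messages."""
    parsed = (parse_message(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= max_severity]


# Constructed sample, modelled on the stack output shown in the text above.
SAMPLE_LOG = [
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)",
    "00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)",
    "000125: *Mar  1 00:05:12.331 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.7)",
    "2w3d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    "0011.2233.4455 on port GigabitEthernet1/0/1.",
    "Switch#show logging",   # a prompt echo, not a system message
]

if __name__ == "__main__":
    for msg in triage(SAMPLE_LOG):
        print(msg["severity_name"], msg["facility"], msg["mnemonic"], msg["member"], "-", msg["text"])
```

Matching on the facility and mnemonic rather than on the free text is what keeps a rule stable across releases; the text after the colon is the part Cisco is free to reword.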
To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 32-12.
Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
(Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service sequence-numbers Enable sequence numbers. Step 3 Return to privileged EXEC mode.
To disable logging to syslog servers, use the no logging trap global configuration command.
By default, one message of the level warning and numerically lower levels (see Table 32-3 on page 32-10) is stored in the history table even if syslog traps are not enabled.
The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T.
Logging Messages to a UNIX Syslog Daemon Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.
Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events. On the Catalyst 3750-E switch, the stack master handles the SNMP requests and traps for the whole switch stack. The stack master transparently manages any requests or traps that are related to all stack members.
A combination of the security level and the security model determine which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later.
(@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
The switch uses one of the values in Table 33-3 to assign an ifIndex value to an interface:
Table 33-3 ifIndex Values
Interface Type    ifIndex Range
                  1–4999
EtherChannel      5000–5012
Loopback          5013–5077
If no type is specified, all notifications are sent. 1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
MIB objects. By default, the community string permits read-only access to all objects.
• (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
64 characters) that is the name of the view in which you specify a notify, inform, or trap.
• (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user EXEC command. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax.
You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 33-5.
Page 790
Avoid using the @ symbol as part of the SNMP community string when configuring this command. (Optional) For notification-type, use the keywords listed in • Table 33-5 on page 33-12. If no type is specified, all notifications are sent. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-14 OL-9775-08...
Page 791
To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-15 OL-9775-08...
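As an added example (not from the original guide), this sends the notifications a security team usually wants first, SNMP authentication failures, link changes and configuration changes, to two assumed managers: traps to an SNMPv3 manager at 192.0.2.10 in priv mode (the user nmsuser must already exist in a v3 priv group), and informs to a v2c manager at 192.0.2.11, which acknowledges each one so the switch retries if it is lost.

```ios
! Added example, not from the original guide. Manager addresses, the
! v3 user name, the community string and the source SVI are assumptions.
!
! Select the notification types to generate.
Switch(config)# snmp-server enable traps snmp authentication linkdown linkup coldstart
Switch(config)# snmp-server enable traps config
!
! v3 traps, authenticated and encrypted, to the primary manager.
Switch(config)# snmp-server host 192.0.2.10 version 3 priv nmsuser
!
! v2c informs for config changes only, to a second manager; informs are
! acknowledged and retried, traps are fire-and-forget.
Switch(config)# snmp-server host 192.0.2.11 informs version 2c Inf0rmString config
!
! Send from the management SVI so the manager can pin the source address.
Switch(config)# snmp-server trap-source Vlan100
Switch(config)# end
Switch# show snmp host
```

The authentication trap is the one to watch: it fires on every request with a wrong community string or failed v3 authentication, which is exactly what a scanner produces.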
Dial System Operator at beeper 21555. Step 3 snmp-server location text Set the system location string. For example: snmp-server location Building 3/Room 222 Step 4 end Return to privileged EXEC mode.
Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public...
EXEC command. You also can use the other privileged EXEC commands in Table 33-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 33-6 Commands for Displaying SNMP Information Feature...
An EEM policy defines an event and the actions to be taken when that event occurs. This chapter tells how to use EEM and how to configure it on a Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a standalone switch or a Catalyst 3750-E switch stack.
(Figure not reproduced: EEM applets and EEM scripts are the subscribers that receive events and implement policy actions.) See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment.
• Event Detectors, page 34-3
• Embedded Event Manager Actions, page 34-4
• Counter event detector—Publishes an event when a named counter crosses a specified threshold.
• Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50 an event would be...
• Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when one of these events occurs:
 – CPU utilization for a Cisco IOS process crosses a threshold.
 – Memory utilization for a Cisco IOS process crosses a threshold.
• Cisco built-in variables (available in EEM applets): Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
• Registering and Defining an Embedded Event Manager TCL Script, page 34-7
For complete information about configuring embedded event manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. To configure EEM, you must have the IP services feature set installed on the switch.
This example shows the sample output for the show event manager environment command:
Switch# show event manager environment all
Name Value
_cron_entry 0-59/2 0-23/1 * * 0-6
_show_cmd show ver
_syslog_pattern .*UPDOWN.*Ethernet1/0.*
Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6
This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
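The following applet is an added example, not from the original guide, of a syslog event detector driving actions with the built-in variables. It assumes login failure logging is enabled (login on-failure log), so that %SEC_LOGIN-4-LOGIN_FAILED messages are generated; the applet name and the actions are illustrative choices.

```ios
! Added example, not from the original guide. Assumes "login on-failure
! log" is configured; the applet name and actions are assumptions.
Switch(config)# event manager applet LOGIN-FAILURE
! Syslog event detector: match any login-failure message.
Switch(config-applet)# event syslog pattern "%SEC_LOGIN-4-LOGIN_FAILED"
! Do NOT echo $_syslog_msg here: the applet's own syslog output would
! contain the pattern and retrigger the applet. _event_pub_time is a
! Cisco read-only built-in variable.
Switch(config-applet)# action 1.0 syslog priority warnings msg "EEM: login failure at $_event_pub_time, collecting sessions"
! Run show commands; the output of the last cli action lands in _cli_result.
Switch(config-applet)# action 2.0 cli command "enable"
Switch(config-applet)# action 3.0 cli command "show users"
Switch(config-applet)# action 4.0 syslog msg "EEM: sessions: $_cli_result"
Switch(config-applet)# exit
Switch(config)# end
! Confirm the applet is registered and watch it fire.
Switch# show event manager policy registered
Switch# show event manager history events
```

Keep syslog-triggered applets from logging the text they match on; an applet that re-publishes its own trigger loops until EEM's rate limit or the CPU gives out.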
This chapter describes how to configure network security on the Catalyst 3750-E or 3560-E switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets
Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
The switch supports these access lists for IPv4 traffic:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
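The fragment rule above is a classic filter-bypass: a non-initial fragment carries no TCP or UDP header, so a permit ACE such as permit tcp ... eq 443 matches it on Layer 3 alone and it reaches the host on whatever port the first fragment was sent to. The following added example, not from the original guide, closes that gap with the fragments keyword, which matches only non-initial fragments, placed before the Layer 4 permit. The host 10.1.1.10, the ACL name and the SVI are assumptions.

```ios
! Added example, not from the original guide. 10.1.1.10, WEB-ONLY and
! VLAN 10 are assumed values.
Switch(config)# ip access-list extended WEB-ONLY
Switch(config-ext-nacl)# remark Non-initial fragments have no L4 header: drop them first
Switch(config-ext-nacl)# deny ip any host 10.1.1.10 fragments
! Initial fragments and unfragmented packets still carry the TCP header
! and are checked against the port.
Switch(config-ext-nacl)# permit tcp any host 10.1.1.10 eq 443
Switch(config-ext-nacl)# deny ip any any log
Switch(config-ext-nacl)# exit
! Applied as a router ACL on the SVI (logging is available there).
Switch(config)# interface vlan 10
Switch(config-if)# ip access-group WEB-ONLY in
Switch(config-if)# end
Switch# show ip access-lists WEB-ONLY
```

Dropping every non-initial fragment to the host is the safe default for a server that only speaks TCP/443; for hosts that legitimately receive fragmented UDP (some VPN and DNS traffic), permit the fragments ACE for that protocol instead of denying it.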
If packets must be forwarded by software for any reason (for example, not enough hardware resources), the master switch forwards the packets only after applying ACLs on the packets. It programs its hardware with the ACL information it processes.
ACL information to all switches in the stack. Configuring IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
AppleTalk access list
700–799 48-bit MAC address access list
800–899 IPX standard access list
900–999 IPX extended access list
1000–1099 IPX SAP access list
1100–1199 Extended 48-bit MAC address access list
IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
10 deny 171.69.198.102
20 permit any
For more details on the specific keywords for each protocol, see these command references:
• Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
• Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
• Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2...
• DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
The ACL must be an extended named ACL.
– match input-interface interface-id-list
– match ip dscp dscp-list
– match ip precedence ip-precedence-list
You cannot enter the match access-group acl-index command.
Show the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a named extended ACL, use the no ip access-list extended name global configuration command.
Note: The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 7-1.
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)
For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 35-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 35-31.
These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Note that with extended ACLs, you must enter the protocol (IP) before the source and destination information.
Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
Switch(config)# end
Switch# show access-lists
Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
0.0.0.255 and denies all UDP packets.
Switch(config)# ip access-list extended ext1
Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
Switch(config-ext-nacl)# deny udp any any log
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip access-group ext1 in
Note: Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any
ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists. Step 5 exit Return to global configuration mode.
• Forward all UDP packets
• Drop all IGMP packets
• Forward all TCP packets
• Drop all other IP packets
• Forward all non-IP packets
Switch(config)# access-list 101 permit udp any any
• Drop all other IP packets
• Drop all other MAC packets
Switch(config)# vlan access-map drop-all-default 10
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-all-default 20
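The two VLAN map examples above are truncated on the page. The following added example, not from the original guide, implements the first policy in full (forward UDP and TCP, drop IGMP, drop all other IP, forward non-IP) on an assumed VLAN 20. Remember the inverted semantics: in a VLAN map an ACL's permit means "this packet matches the clause", and the clause's action decides forward or drop.

```ios
! Added example, not from the original guide. VLAN 20 and the ACL and
! map names are assumptions.
!
! "permit" in these ACLs means "select for this clause", not "allow".
Switch(config)# ip access-list extended UDP-TCP
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# access-list 102 permit igmp any any
Switch(config)# ip access-list extended ALL-IP
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# mac access-list extended ALL-MAC
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
!
! Clauses are evaluated in sequence order; first match wins.
Switch(config)# vlan access-map VLAN20-POLICY 10
Switch(config-access-map)# match ip address UDP-TCP
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map VLAN20-POLICY 20
Switch(config-access-map)# match ip address 102
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map VLAN20-POLICY 30
Switch(config-access-map)# match ip address ALL-IP
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
! Explicit non-IP forward; without any MAC clause the default is also
! to forward, so this clause documents intent rather than changing it.
Switch(config)# vlan access-map VLAN20-POLICY 40
Switch(config-access-map)# match mac address ALL-MAC
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter VLAN20-POLICY vlan-list 20
Switch(config)# end
Switch# show vlan access-map VLAN20-POLICY
Switch# show vlan filter vlan 20
```

Because a VLAN map also filters traffic that stays within the VLAN, clause 30 drops ICMP between two hosts on VLAN 20, which a router ACL on the SVI would never have seen.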
Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A.
(see Figure 35-5):
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
VLAN map to access control the bridged traffic. If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses.
Figure 35-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
Figure 35-8 Applying ACLs on Routed Packets (figure not reproduced: Host A in VLAN 10, input router ACL on VLAN 10, routing function, output router ACL on VLAN 20, Host B in VLAN 20)
(numbered or named). show ip access-lists [number | name] Display the contents of all current IP access lists or a specific IP access list (numbered or named).
Show information about all VLAN access maps or the specified access map. show vlan filter [access-map name | vlan vlan-id] Show information about all VLAN filters or about a specified VLAN or VLAN access map.
ACLs to filter Layer 3 management traffic when the switch is running the IP base feature set. This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
• Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
• Logging is supported for router ACLs, but not for port ACLs.
• The switch supports IPv6 address-matching for a full range of prefix-lengths.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 access-list access-list-name Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
[dscp value] [log] [log-input] [routing] [sequence value] [time-range name] (To see the type and code names, use the ? key or see the command reference for this release.) Step 4 end Return to privileged EXEC mode.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# no switchport...
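The following is an added example, not from the original guide, of the use case the chapter opens with: an IPv6 ACL that restricts management traffic (SSH and SNMP) to an administrative prefix and logs everything else aimed at those ports. It is applied as a router ACL on an SVI, where logging is supported. The prefixes, VLAN and ACL name are assumptions, and the switch must already be running the dual IPv4 and IPv6 SDM template.

```ios
! Added example, not from the original guide. 2001:db8:100::/64, VLAN 100
! and the name MGMT-IN are assumed values.
!
! Prerequisite (one time, requires a reload):
Switch(config)# sdm prefer dual-ipv4-and-ipv6 default
!
Switch(config)# ipv6 access-list MGMT-IN
Switch(config-ipv6-acl)# remark SSH and SNMP only from the admin prefix
Switch(config-ipv6-acl)# permit tcp 2001:db8:100::/64 any eq 22
Switch(config-ipv6-acl)# permit udp 2001:db8:100::/64 any eq 161
Switch(config-ipv6-acl)# deny tcp any any eq 22 log
Switch(config-ipv6-acl)# deny udp any any eq 161 log
! Neighbor Discovery must keep working. IOS inserts implicit permits
! for nd-ns and nd-na before the implicit deny, but an explicit
! "deny ipv6 any any" would override them, so state them explicitly.
Switch(config-ipv6-acl)# permit icmp any any nd-ns
Switch(config-ipv6-acl)# permit icmp any any nd-na
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface vlan 100
Switch(config-if)# ipv6 traffic-filter MGMT-IN in
Switch(config-if)# end
Switch# show ipv6 access-list MGMT-IN
```

Sequence numbers are assigned automatically in steps of 10; to add a rule between existing ones later, enter it with sequence value rather than rebuilding the list.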
It sends the packets without any assurance of reliability, delay bounds, or throughput. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Understanding QoS The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, see the “Modular Quality of Service Command-Line Interface” chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2.
Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.
Scheduling services the four egress queues based on their configured SRR shared or shaped weights.
• One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
CoS of the port. You can do this for both IPv4 and IPv6 traffic. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). You can also classify IP traffic based on IPv6 ACLs.
In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
“Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 37-64, and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 37-72.
• A nonhierarchical policy map on a physical port.
• The interface level of a hierarchical policy map attached to an SVI. The physical ports are specified in this secondary policy map.
SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map.
(Flowchart not reproduced: the out-of-profile action configured for the policer is checked and is one of pass through, drop the packet, or mark by modifying the DSCP according to the policed-DSCP map and generating a new QoS label.)
Scheduling on Ingress Queues” section on page 37-16. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 37-19.
Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 37-6 and Figure 37-7. Figure 37-6 Ingress and Egress Queue Location on Catalyst 3750-E Switches (figure not reproduced: policer, marker, ingress queues, stack ring, egress queues)
Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues.
Queueing and Scheduling on Ingress Queues Figure 37-9 and Figure 37-10 show the queueing and scheduling flowcharts for ingress ports. Figure 37-9 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750-E Switches (flowchart not reproduced: start; read the QoS label (DSCP or CoS value); determine the ingress queue number, buffer allocation, and WTD thresholds)
You can configure the bandwidth required for this traffic as a percentage of the total traffic or total stack traffic on Catalyst 3750-E switches by using the mls qos srr-queue input priority-queue global configuration command. The expedite queue has guaranteed bandwidth.
DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the “Configuring Ingress Queue Characteristics” section on page 37-80.
Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 37-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-E Switches (flowchart not reproduced: start; receive the packet from the stack ring)
(under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free
You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command.
For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
The switch uses the classification results to choose the appropriate egress queue. Auto-QoS supports both IPv4 and IPv6 traffic when the dual IPv4 and IPv6 SDM template is configured. You use auto-QoS commands to identify ports connected to or running these types of Cisco devices:
DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
39-42.
• When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and...
Auto-QoS Generated Configuration For VoIP Devices If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
Switch(config-if)# mls qos trust device cisco-phone
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled.
Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone
If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps.
Switch(config-if)# mls qos trust device cisco-phone
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
Switch(config-pmap-c)# set dscp af21
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
Switch(config-pmap-c)# set dscp cs1
Switch(config-pmap-c)# police 10000000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS
Switch(config-pmap-c)# set dscp default
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
This is the enhanced configuration for the auto qos voip cisco-phone command:
Switch(config)# mls qos map policed-dscp 0 10 18 to 8
Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
• By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable CDP.
Auto-QoS VoIP Considerations
• Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports.
• Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
• This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
(the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
• You can configure QoS on physical ports and SVIs. When configuring QoS on physical ports, you create and apply nonhierarchical policy maps. When configuring QoS on SVIs, you can create and apply nonhierarchical and hierarchical policy maps.
You can enable IPv6 QoS on a switch or a switch stack. If the stack includes only Catalyst 3750-X and Catalyst 3750-E switches, the QoS configuration applies to all traffic. These are the guidelines for IPv6 QoS in a stack that includes one or more Catalyst 3750 switches:
• Any switch can be the stack master.
By default, QoS is disabled on the switch. To enable IPv6 QoS on the switch, you must first configure a dual-ipv4-and-ipv6 SDM template and reload the switch. This template enables both IPv4 and IPv6 QoS configuration.
By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, you can enable VLAN-based QoS on a switch port.
QoS domain. Figure 37-14 shows a sample network topology. Figure 37-14 Port Trusted States within the QoS Domain (figure not reproduced: trusted interfaces and trunk inside the domain, trusted boundary at the edge where traffic classification is performed)
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
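The following added example, not from the original guide, combines the two controls just described on one access port: CoS is trusted only while CDP sees a Cisco IP Phone, and the phone is told to rewrite the CoS of frames from the PC behind it to 0. Without both, a host that tags its own frames with CoS 5 lands in the priority queue alongside voice. The interface and VLAN numbers are assumptions.

```ios
! Added example, not from the original guide. Port and VLAN numbers are
! assumed values.
Switch(config)# mls qos
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
! Trust the CoS in incoming frames...
Switch(config-if)# mls qos trust cos
! ...but only while CDP reports a Cisco IP Phone on the port. If the
! phone is unplugged and a PC is attached directly, the port falls back
! to untrusted and incoming CoS is rewritten to the port default (0).
Switch(config-if)# mls qos trust device cisco-phone
! Have the phone overwrite the CoS of frames arriving on its PC port.
Switch(config-if)# switchport priority extend cos 0
Switch(config-if)# end
! "trust state" shows the configured trust, "trust mode" the effective
! one; with no phone detected the effective mode is not trusted.
Switch# show mls qos interface gigabitethernet1/0/5
```

Because the trusted boundary depends on CDP, leave CDP enabled on these ports; disabling it silently turns every phone port back into a plain trust cos port.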
Page 901
Figure 37-15 DSCP-Trusted State on a Port Bordering Another QoS Domain QoS Domain 1 QoS Domain 2 IP traffic Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-47 OL-9775-08...
Step 3 Return to privileged EXEC mode. Step 4 show access-lists Verify your entries. Step 5 copy running-config (Optional) Save your entries in the configuration file. startup-config Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-49 OL-9775-08...
Page 904
Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an access list, use the no access-list access-list-number global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-50 OL-9775-08...
Page 905
Step 2 ipv6 access-list Create an IPv6 ACL, and enter IPv6 access-list configuration mode. access-list-name Access list names cannot contain a space or quotation mark or begin with a numeric. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-51 OL-9775-08...
Verify the access list configuration.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an access list, use the no ipv6 access-list access-list-number global configuration command.
access-list-name]: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an access list, use the no mac access-list extended access-list-name global configuration command.
You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see Cisco IOS Quality of Service Solutions Command Reference.
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
The range is 0 to 7.
Step 5: Return to privileged EXEC mode.
Step 6 show class-map: Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
• When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as belonging to the default traffic class (class-default).
It is always ordered at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 37-76.
Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps:
• Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical...
– When the switch stack divides into two or more switch stacks, the stack master in each switch stack re-enables and reconfigures these features on all applicable interfaces on the stack members, including the stack master.
• For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map.
Step 9 exit: Return to class-map configuration mode.
Step 10 exit: Return to global configuration mode.
It is always ordered at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Return to policy-map configuration mode.
Step 22 exit: Return to global configuration mode.
Step 23 interface interface-id: Specify the SVI to which to attach the hierarchical policy map, and enter interface configuration mode.
Switch(config-cmap)# match protocol ip
Switch(config-cmap)# exit
Switch(config)# policy-map pm3
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-3
Switch(config-pmap-c)# set dscp 4
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-4
Switch(config-pmap-c)# trust cos
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 37-59.
Table 37-12 shows the default CoS-to-DSCP map.
Table 37-12 Default CoS-to-DSCP Map (columns: CoS Value, DSCP Value)
If these values are not appropriate for your network, you need to modify them.
Table 37-13 shows the default IP-precedence-to-DSCP map:
Table 37-13 Default IP-Precedence-to-DSCP Map (columns: IP Precedence Value, DSCP Value)
If these values are not appropriate for your network, you need to modify them.
Step 3: Return to privileged EXEC mode.
Step 4 show mls qos maps policed-dscp: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Table 37-14 Default DSCP-to-CoS Map (columns: DSCP Value, CoS Value)
DSCP Value ranges: 0–7, 8–15, 16–23, 24–31, 32–39, 40–47, 48–55, 56–63
If these values are not appropriate for your network, you need to modify them.
The switch sends the packet out the port with the new DSCP value. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Allocating Buffer Space Between the Ingress Queues, page 37-82 (optional)
• Allocating Bandwidth Between the Ingress Queues, page 37-82 (optional)
• Configuring the Ingress Priority Queue, page 37-83 (optional)
To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
• Does the bandwidth of the port need to be rate limited?
• How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Map the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1.
Step 6: Return to privileged EXEC mode.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of egress queues and if these settings do not meet your QoS solution.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent.
Step 4: Return to privileged EXEC mode.
The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
show running-config | include rewrite: Display the DSCP transparency setting.
This chapter also describes how to configure link-state tracking. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
EtherChannel. The other end of the channel (on the other switch) must also be configured in the on mode; otherwise, packet loss can occur.
EtherChannel are blocked from returning on any other link of the EtherChannel.
[Figure 38-2 Single-Switch EtherChannel: switch stack (Switch 1, Switch 2, Switch 3 joined by StackWise Plus port connections), channel group 1, channel group 2, Switch A]
Figure 38-4. Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
Layer 2 EtherChannel as a trunk.
Port Aggregation Protocol
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
(VSLs) that carry control and data traffic between them. One of the switches is in active mode. The others are in standby mode. For redundancy, remote switches, such as Catalyst 3750-E or 3560-E switches, are connected to the virtual switch by remote satellite links (RSLs).
Link Aggregation Control Protocol
LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
Therefore, to provide load-balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load-balancing.
LACP system-id can change. If the LACP system-id changes, the entire EtherChannel will flap, and there will be an STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover.
32768.
LACP system ID: LACP system priority and the switch or stack MAC address.
Load-balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.
Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
switchport access vlan vlan-id: If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
Note To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
Step 3 no ip address: Ensure that there is no IP address assigned to the physical port.
Step 4 no switchport: Put the port into Layer 3 mode.
“LACP Modes” section on page 38-7.
Step 6: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
IP address.
• src-mac—Load distribution is based on the source-MAC address of the incoming packet.
Catalyst 1900 switch. When the link partner of the Catalyst 3750-E or 3560-E switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 3750-E or 3560-E switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
[channel-group-number] {counters | internal | neighbor}: Displays PAgP information such as traffic information, the internal PAgP configuration, and neighbor information.
Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces.
1. Port 5 and port 6 are connected to distribution switch 1 through link-state group 1.
– Port 5 and port 6 are the upstream interfaces in link-state group 1.
Create a link-state group, and enable link-state tracking. For Catalyst 3560-E switches, the group number can be 1 to 2. For Catalyst 3750-E switches, the group number can be 1 to 10. The default is 1. Step 3...
Upstream Interfaces   : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn)
Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis)
(Up):Interface up   (Dwn):Interface Down   (Dis):Interface disabled
For detailed information about the fields in the display, see the command reference for this release.
Understanding TelePresence E911 IP Phone Support
You can use a Cisco IP phone as a user interface in a Cisco TelePresence System. See Figure 1. In this configuration, the IP phone must always be on and available for emergency calls. If the power to the codec in the Cisco TelePresence System fails or is disrupted, or if the codec fails, the IP phone is not available.
When a CDP-enabled IP phone is connected to the codec through a switch, you can configure the switch to forward CDP packets from the IP phone only to the codec in the Cisco TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table. An ingress-egress port pair is a one-to-one mapping between an ingress switch port connected to the IP phone and an egress switch port connected to the codec.
Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base feature set and the IP services feature set.
Types of Routing
Routers and Layer 3 switches can route packets in three different ways:
• By using default routing
• By using preprogrammed static routes for the traffic
• It processes routing protocol messages and updates received from peer routers.
• It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database to all stack members. The routes are programmed on all switches in the stack based on this database.
(BGP). If the stack master fails and the newly elected stack master is running the IP base feature set, these protocols will no longer run in the stack.
Caution Partitioning of the switch stack into two or more stacks might lead to undesirable behavior in the network.
Steps for Configuring Routing
By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2. In the following procedures, the specified interface must be one of these Layer 3 interfaces:
• A routed port: a physical port configured as a Layer 3 port by using the no switchport interface...
• Maximum interval between advertisements: 600 seconds.
• Minimum interval between advertisements: 0.75 times max interval.
• Preference: 0.
IP proxy ARP: Enabled.
IP routing: Disabled.
IP subnet-zero: Disabled.
(Optional) Save your entry in the configuration file.
Use the no ip subnet-zero global configuration command to restore the default and disable the use of subnet zero.
40-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.
Ethernet, the software must learn the MAC address of the device. The process of learning the MAC address from an IP address is called address resolution. The process of learning the IP address from the MAC address is called reverse address resolution.
RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command.
A limitation of this method is that there is no means of detecting when the default router has gone down or is unavailable.
It must be greater than maxadvertinterval and cannot be greater than 9000 seconds. If you change the maxadvertinterval value, this value also changes.
• Enabling Directed Broadcast-to-Physical Broadcast Translation, page 40-15
• Forwarding UDP Broadcast Packets and Protocols, page 40-16
• Establishing an IP Broadcast Address, page 40-17
• Flooding IP Broadcasts, page 40-17
Use the no ip directed-broadcast interface configuration command to disable translation of directed broadcast to physical broadcasts. Use the no ip forward-protocol global configuration command to remove a protocol or port.
By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
When a flooded UDP datagram is sent out an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is, therefore, subject to access lists, if they are present on the output interface.
You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 40-3 lists the privileged EXEC commands for displaying IP statistics.
(RIP) router configuration command. For information on specific protocols, see the sections later in this chapter and the Cisco IOS IP Configuration Guide, Release 12.2.
Note The IP base feature set supports only RIP as a routing protocol.
Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press.
Note RIP is the only routing protocol supported by the IP base feature set; other routing protocols require the switch or stack master to be running the IP services feature set.
To configure RIP, you enable RIP routing for a network and optionally configure other parameters.
Note On the Catalyst 3750-E and 3560-E switches, RIP configuration commands are ignored until you configure the network number.
Beginning in privileged EXEC mode, follow these steps to enable and configure RIP:...
8 to 50 milliseconds.
Step 12: Return to privileged EXEC mode.
Step 13 show ip protocols: Verify your entries.
Step 14 copy running-config startup-config: (Optional) Save your entries in the configuration file.