hit counter script
Cisco Catalyst 3750-E Software Configuration Manual

Cisco Catalyst 3750-E Software Configuration Manual

Hide thumbs Also See for Catalyst 3750-E:
Table of Contents

Advertisement

Catalyst 3750-E and 3560-E Switch
Software Configuration Guide
Cisco IOS Release 12.2(55)SE
August 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-9775-08

Advertisement

Table of Contents
loading

Summary of Contents for Cisco Catalyst 3750-E

  • Page 1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide Cisco IOS Release 12.2(55)SE August 2010 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-9775-08...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3 Default Settings After Initial Switch Configuration 1-16 Network Configuration Examples 1-19 Design Concepts for Using the Switch 1-19 Small to Medium-Sized Network Using Catalyst 3750-E and 3560-E Switches 1-26 Large Network Using Catalyst 3750-E and 3560-E Switches 1-28 Multidwelling Network Using Catalyst 3750-E Switches 1-31...
  • Page 4 Configuring DHCP Auto-Image Update (Configuration File and Image) 3-12 Configuring the Client 3-14 Manually Assigning IP Information 3-15 Checking and Saving the Running Configuration 3-16 Configuring the NVRAM Buffer Size 3-17 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 5 Managing Switch Stacks C H A P T E R Understanding Switch Stacks Switch Stack Membership Stack Master Election and Re-Election Switch Stack Bridge ID and Router MAC Address Stack Member Numbers Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 6 Understanding the show switch stack-ports summary Output 5-27 Identifying Loopback Problems 5-28 Software Loopback 5-28 Software Loopback Example: No Connected Stack Cable 5-29 Software Loopback Examples: Connected Stack Cables 5-29 Hardware Loopback 5-30 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 7: Table Of Contents

    Using SNMP to Manage Switch Clusters 6-17 Administering the Switch C H A P T E R Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 8 Adding and Removing Static Address Entries 7-27 Configuring Unicast MAC Address Filtering 7-28 Disabling MAC Address Learning on a VLAN 7-29 Displaying Address Table Entries 7-30 Managing the ARP Table 7-31 Catalyst 3750-E and 3560-E Switch Software Configuration Guide viii OL-9775-08...
  • Page 9 9-17 Displaying the TACACS+ Configuration 9-17 Controlling Switch Access with RADIUS 9-17 Understanding RADIUS 9-18 RADIUS Operation 9-19 RADIUS Change of Authorization 9-19 Change-of-Authorization Requests 9-20 CoA Request Response Code 9-21 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 10 Displaying the SSH Configuration and Status 9-48 Configuring the Switch for Secure Socket Layer HTTP 9-49 Understanding Secure HTTP Servers and Clients 9-49 Certificate Authority Trustpoints 9-49 CipherSuites 9-51 Configuring Secure HTTP Servers and Clients 9-51 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 11 802.1x Authentication with Per-User ACLs 10-18 802.1x Authentication with Downloadable ACLs and Redirect URLs 10-19 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 10-20 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 10-20 VLAN ID-based MAC Authentication 10-21 802.1x Authentication with Guest VLAN...
  • Page 12 Setting the Re-Authentication Number 10-48 Enabling MAC Move 10-49 Enabling MAC Replace 10-49 Configuring 802.1x Accounting 10-50 Configuring a Guest VLAN 10-51 Configuring a Restricted VLAN 10-52 Configuring the Inaccessible Authentication Bypass Feature 10-54 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 13 11-8 Configuring Web-Based Authentication 11-9 Default Web-Based Authentication Configuration 11-9 Web-Based Authentication Configuration Guidelines and Restrictions 11-9 Web-Based Authentication Configuration Task List 11-10 Configuring the Authentication Rule and Interfaces 11-10 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xiii OL-9775-08...
  • Page 14 Understanding the Ethernet Management Port 12-18 Supported Features on the Ethernet Management Port 12-20 Configuring the Ethernet Management Port 12-20 TFTP and the Ethernet Management Port 12-21 Configuring Ethernet Interfaces 12-21 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 15 Configuring Extended-Range VLANs 13-10 Default VLAN Configuration 13-10 Extended-Range VLAN Configuration Guidelines 13-11 Creating an Extended-Range VLAN 13-11 Creating an Extended-Range VLAN with an Internal VLAN ID 13-13 Displaying VLANs 13-14 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 16 Understanding VTP 14-1 The VTP Domain 14-2 VTP Modes 14-3 VTP Advertisements 14-4 VTP Version 2 14-4 VTP Version 3 14-5 VTP Pruning 14-6 VTP and Switch Stacks 14-7 Configuring VTP 14-8 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 17 Configuring Voice VLAN 15-3 Default Voice VLAN Configuration 15-3 Voice VLAN Configuration Guidelines 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6...
  • Page 18 Spanning-Tree Topology and BPDUs 18-3 Bridge ID, Switch Priority, and Extended System ID 18-4 Spanning-Tree Interface States 18-5 Blocking State 18-6 Listening State 18-7 Learning State 18-7 Forwarding State 18-7 Disabled State 18-7 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xviii OL-9775-08...
  • Page 19 Operations Between MST Regions 19-3 IEEE 802.1s Terminology 19-5 Hop Count 19-5 Boundary Ports 19-6 IEEE 802.1s Implementation 19-6 Port Role Naming Change 19-6 Interoperation Between Legacy and Standard Switches 19-7 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 20 Understanding Port Fast 20-2 Understanding BPDU Guard 20-2 Understanding BPDU Filtering 20-3 Understanding UplinkFast 20-3 Understanding Cross-Stack UplinkFast 20-5 How CSUF Works 20-6 Events that Cause Fast Convergence 20-7 Understanding BackboneFast 20-7 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 21 Monitoring Flex Links and the MAC Address-Table Move Update 21-14 Configuring DHCP Features and IP Source Guard 22-1 C H A P T E R Understanding DHCP Features 22-1 DHCP Server 22-2 DHCP Relay Agent 22-2 DHCP Snooping 22-2 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 22 Configuring Dynamic ARP Inspection 23-1 C H A P T E R Understanding Dynamic ARP Inspection 23-1 Interface Trust States and Network Security 23-3 Rate Limiting of ARP Packets 23-4 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxii OL-9775-08...
  • Page 23 Configuring the IGMP Snooping Querier 24-14 Disabling IGMP Report Suppression 24-15 Displaying IGMP Snooping Information 24-16 Understanding Multicast VLAN Registration 24-17 Using MVR in a Multicast Television Application 24-18 Configuring MVR 24-20 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxiii OL-9775-08...
  • Page 24 Configuring Port-Based Traffic Control 26-1 C H A P T E R Configuring Storm Control 26-1 Understanding Storm Control 26-1 Default Storm Control Configuration 26-3 Configuring Storm Control and Threshold Levels 26-3 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxiv OL-9775-08...
  • Page 25 Understanding LLDP, LLDP-MED, and Wired Location Service 28-1 LLDP 28-1 LLDP-MED 28-2 Wired Location Service 28-3 Configuring LLDP, LLDP-MED, and Wired Location Service 28-5 Default LLDP Configuration 28-5 Configuration Guidelines 28-5 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 26 SPAN and RSPAN and Switch Stacks 30-11 Understanding Flow-Based SPAN 30-11 Configuring SPAN and RSPAN 30-12 Default SPAN and RSPAN Configuration 30-12 Configuring Local SPAN 30-12 SPAN Configuration Guidelines 30-13 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxvi OL-9775-08...
  • Page 27 Enabling and Disabling Sequence Numbers in Log Messages 32-8 Defining the Message Severity Level 32-9 Limiting Syslog Messages Sent to the History Table and to SNMP 32-10 Enabling the Configuration-Change Logger 32-11 Configuring UNIX Syslog Servers 32-12 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxvii OL-9775-08...
  • Page 28 Configuring Embedded Event Manager 34-6 Registering and Defining an Embedded Event Manager Applet 34-6 Registering and Defining an Embedded Event Manager TCL Script 34-7 Displaying Embedded Event Manager Information 34-8 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxviii OL-9775-08...
  • Page 29 Creating a VLAN Map 35-32 Examples of ACLs and VLAN Maps 35-33 Applying a VLAN Map to a VLAN 35-35 Using VLAN Maps in Your Network 35-35 Wiring Closet Configuration 35-35 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxix OL-9775-08...
  • Page 30 Queueing and Scheduling Overview 37-14 Weighted Tail Drop 37-15 SRR Shaping and Sharing 37-15 Queueing and Scheduling on Ingress Queues 37-16 Queueing and Scheduling on Egress Queues 37-19 Packet Modification 37-22 Configuring Auto-QoS 37-23 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 31 Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic 37-58 Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 37-59 Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps 37-64 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxi OL-9775-08...
  • Page 32 LACP Interaction with Other Features 38-8 EtherChannel On Mode 38-8 Load-Balancing and Forwarding Methods 38-8 EtherChannel and Switch Stacks 38-10 Configuring EtherChannels 38-11 Default EtherChannel Configuration 38-11 EtherChannel Configuration Guidelines 38-12 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxii OL-9775-08...
  • Page 33 Classless Routing 40-8 Configuring Address Resolution Methods 40-9 Define a Static ARP Cache 40-10 Set ARP Encapsulation 40-11 Enable Proxy ARP 40-12 Routing Assistance When IP Routing is Disabled 40-12 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxiii OL-9775-08...
  • Page 34 40-41 Configuring EIGRP Route Authentication 40-42 EIGRP Stub Routing 40-43 Monitoring and Maintaining EIGRP 40-44 Configuring BGP 40-44 Default BGP Configuration 40-46 Nonstop Forwarding Awareness 40-48 Enabling BGP Routing 40-49 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxiv OL-9775-08...
  • Page 35 User Interface for FTP and TFTP 40-83 Configuring Multicast VRFs 40-84 Configuring a VPN Routing Session 40-84 Configuring BGP PE to CE Routing Sessions 40-85 Multi-VRF CE Configuration Example 40-86 Displaying Multi-VRF CE Status 40-89 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxv OL-9775-08...
  • Page 36 RIP for IPv6 41-7 OSPF for IPv6 41-7 EIGRP IPv6 41-7 HSRP for IPv6 41-7 SNMP and Syslog Over IPv6 41-7 HTTP(S) Over IPv6 41-8 Unsupported IPv6 Unicast Routing Features 41-8 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxvi OL-9775-08...
  • Page 37 Enabling HSRP Support for ICMP Redirect Messages 42-12 Configuring HSRP Groups and Clustering 42-12 Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E and 3750 Switches 42-12 Displaying HSRP Configurations 42-13 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxvii OL-9775-08...
  • Page 38 Configuring IP SLAs Object Tracking 44-8 Configuring Static Routing Support 44-10 Configuring a Primary Interface 44-10 Configuring a Cisco IP SLAs Monitoring Agent and Track Object 44-11 Configuring a Routing Policy and Default Route 44-12 Monitoring Enhanced Object Tracking 44-12...
  • Page 39 46-14 How SSM Differs from Internet Standard Multicast 46-14 SSM IP Address Range 46-15 SSM Operations 46-15 IGMPv3 Host Signalling 46-15 Configuration Guidelines 46-16 Configuring SSM 46-17 Monitoring SSM 46-17 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xxxix OL-9775-08...
  • Page 40 Configuring an IP Multicast Boundary 46-47 Configuring Basic DVMRP Interoperability Features 46-49 Configuring DVMRP Interoperability 46-49 Configuring a DVMRP Tunnel 46-51 Advertising Network 0.0.0.0 to DVMRP Neighbors 46-53 Responding to mrinfo Requests 46-54 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 41 Configuring an Originating Address other than the RP Address 47-18 Monitoring and Maintaining MSDP 47-19 Configuring Fallback Bridging 48-1 C H A P T E R Understanding Fallback Bridging 48-1 Fallback Bridging Overview 48-1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 42 Using Ping 49-15 Understanding Ping 49-15 Executing Ping 49-15 Using Layer 2 Traceroute 49-16 Understanding Layer 2 Traceroute 49-16 Usage Guidelines 49-17 Displaying the Physical Path 49-17 Using IP Traceroute 49-18 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xlii OL-9775-08...
  • Page 43 Starting Online Diagnostic Tests 50-5 Displaying Online Diagnostic Tests and Test Results 50-6 Supported MIBs A P P E N D I X MIB List Using FTP to Access the MIB Files Catalyst 3750-E and 3560-E Switch Software Configuration Guide xliii OL-9775-08...
  • Page 44 Contents Working with the Cisco IOS File System, Configuration Files, and Software Images A P P E N D I X Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System...
  • Page 45 Unsupported Commands in Applet Configuration Mode Unsupported Commands in Event Trigger Configuration Mode Fallback Bridging Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands HSRP Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 46 Unsupported Privileged EXEC Commands 3-12 3-12 Unsupported Global Configuration Command 3-12 Unsupported Interface Configuration Commands 3-12 Unsupported Policy-Map Configuration Command 3-12 RADIUS 3-12 Unsupported Global Configuration Commands 3-12 SNMP 3-13 Catalyst 3750-E and 3560-E Switch Software Configuration Guide xlvi OL-9775-08...
  • Page 47 Unsupported Global Configuration Command 3-13 Unsupported Interface Configuration Command 3-13 VLAN 3-13 Unsupported Global Configuration Command 3-13 Unsupported User EXEC Commands 3-13 3-13 Unsupported Privileged EXEC Command 3-13 N D E X Catalyst 3750-E and 3560-E Switch Software Configuration Guide xlvii OL-9775-08...
  • Page 48 Contents Catalyst 3750-E and 3560-E Switch Software Configuration Guide xlviii OL-9775-08...
  • Page 49 This guide is for the networking professional managing the standalone Catalyst 3750-E or 3560-E switch or the Catalyst 3750-E switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 50: Related Publications

    Means reader be careful. In this situation, you might do something that could result in equipment Caution damage or loss of data. Related Publications Documents with complete information about the switch are available from these Cisco.com sites: Catalyst 3750-E: http://www.cisco.com/en/US/products/ps7077/tsd_products_support_series_home.html Catalyst 3560-E: http://www.cisco.com/en/US/products/ps7078/tsd_products_support_series_home.html...
  • Page 51: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 52 Preface Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 53 IP base and the IP services feature sets. You must have a Cisco IOS software license for a specific feature set to enable it. For more information about the software license, see the Cisco IOS Software Installation document on Cisco.com.
  • Page 54: Deployment Features

    User-defined and Cisco-default Smartports macros for creating custom switch configurations for • simplified deployment across the network. Auto Smartports Cisco-default and user-defined macros for dynamic port configuration based on the • device type detected on the port. •...
  • Page 55 Using a single IP address and configuration file to manage the entire switch stack. – – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server. –...
  • Page 56: Performance Features

    Auto SmartPort enhancements, which adds support for macro persistency, LLDP-based triggers, • MAC address and OUI-based triggers, remote macros as well as for automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC). Performance Features Cisco EnergyWise manages the energy usage of power over Ethernet (PoE) entities.
  • Page 57: Management Options

    Network Assistant—Network Assistant is a network management application that can be • downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 58: Manageability Features

    MAC address table • Disabling MAC address learning on a VLAN Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping • between the switch and other Cisco devices on the network Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for •...
  • Page 59 Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses Configuration logging to log and to view changes to the switch configuration •...
  • Page 60: Availability And Redundancy Features

    Chapter 1 Overview Features • Cisco EnergyWise to manage the power usage of EnergyWise entities, such as power over Ethernet (PoE) devices and end points running daemons. For additional descriptions of the management interfaces, see the “Network Configuration Examples” Note section on page 1-19.
  • Page 61: Vlan Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch RPS support through the Cisco Redundant Power System 2300, also referred to as the RPS 2300, •...
  • Page 62 Multidomain authentication (MDA) to allow both a data device and a voice device, such as an – IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN –...
  • Page 63 Port security for controlling access to IEEE 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port IP phone detection enhancement to detect and recognize a Cisco IP phone –...
  • Page 64: Qos And Cos Features

    When there is a change in policy for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as Cisco Secure ACS to reinitialize authentication, and apply to the new policies IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to...
  • Page 65 Trusted port states (CoS, DSCP, and IP precedence–both IPv4 and IPv6) within a QoS domain – and with a port bordering another QoS domain Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value – received, and ensuring port security Policing •...
  • Page 66: Layer 3 Features

    Full OSPF (requires the IP services feature set) – Starting with Cisco IOS Release 12.2(55)SE, the IP base feature set supports OSPF for routed access to enable customers to extend Layer 3 routing capabilities to the access or wiring closet.
  • Page 67: Power Over Ethernet Features

    Cisco IOS Release 12.2(44)SE and later supports enhanced PoE. An enhanced PoE port can support any additional powered device that requires up to 20 W of power, such as a Cisco AP1250 wireless access point. Support for CDP with power consumption. The powered device notifies the switch of the amount of •...
  • Page 68: Default Settings After Initial Switch Configuration

    For information about assigning an IP address by using the browser-based Express Setup program, see the getting started guide. For information about assigning an IP address by using the CLI-based setup program, see the hardware installation guide. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-16 OL-9775-08...
  • Page 69 Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering • Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com. • No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
  • Page 70 Chapter 26, “Configuring Port-Based – Traffic Control.” CDP is enabled. For more information, see Chapter 27, “Configuring CDP.” • UDLD is disabled. For more information, see Chapter 29, “Configuring UDLD.” • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-18 OL-9775-08...
  • Page 71: Network Configuration Examples

    10-Gigabit Ethernet connections. “Design Concepts for Using the Switch” section on page 1-19 • “Small to Medium-Sized Network Using Catalyst 3750-E and 3560-E Switches” section on • page 1-26 “Large Network Using Catalyst 3750-E and 3560-E Switches” section on page 1-28 •...
  • Page 72 Use VLAN trunks, cross-stack UplinkFast, and BackboneFast for traffic-load • balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-20 OL-9775-08...
  • Page 73 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 3750-E switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack Etherchannel or cross-stack UplinkFast.
  • Page 74 (Figure 1-2)—For high-speed access to network resources, you can use Catalyst 3750-E switches and switch stacks in the access layer to provide Gigabit Ethernet access to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch.
  • Page 75 Chapter 1 Overview Network Configuration Examples Figure 1-3 High-Performance Workgroup (Gigabit-to-the-Desktop) with Catalyst 3650-E Standalone Switches Stacking-capable switches Access-layer standalone switches Cisco 2600 router Access-layer standalone switches Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-23 OL-9775-08...
  • Page 76 VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs. You can connect the Catalyst switches, again in a star configuration, to two Catalyst 3750-E backbone switches. If one of the backbone switches fails, the second backbone switch preserves connectivity between the switches and network resources.
  • Page 77 Server Aggregation Campus core Catalyst 6500 switches Catalyst 4500 multilayer switches StackWise Plus switch stacks Server racks Campus core Catalyst 6500 switches StackWise switch stacks Access-layer standalone switches Server racks Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-25 OL-9775-08...
  • Page 78 When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the destination VLAN. In this network, the Catalyst 3750-E-only switch stack or Catalyst 3560-E switches are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch stack or switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network.
  • Page 79 Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
  • Page 80 Figure 1-9 shows a configuration for a network that uses only Catalyst 3750-E switch stacks in the wiring closets and two backbone switches, such as the Catalyst 6500 switches, to aggregate up to ten wiring closets. Figure 1-10...
  • Page 81 Chapter 1 Overview Network Configuration Examples Figure 1-9 Catalyst 3750-E Catalyst Switch Stacks in Wiring Closets in a Backbone Configuration Cisco 7x00 routers Catalyst 6500 multilayer switches Mixed hardware Mixed hardware stack, including the stack, including the Catalyst 3750G Integrated...
  • Page 82 (such as a web cam) (such as a web cam) Aironet wireless Aironet wireless access points access points Cisco IP Phones with workstations Cisco IP Phones with workstations Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-30 OL-9775-08...
  • Page 83 Catalyst Long-Reach Ethernet (LRE) switches, see the documentation sets specific to these switches for LRE information. All ports on the residential Catalyst 3750-E switches (and Catalyst 2950 LRE switches if they are included) are configured as IEEE 802.1Q trunks with protected port and STP root guard features enabled.
  • Page 84 The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 85: Where To Go Next

    Where to Go Next Before configuring the switch, review these sections for startup information: • Chapter 2, “Using the Command-Line Interface” Chapter 3, “Assigning the Switch IP Address and Default Gateway” • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-33 OL-9775-08...
  • Page 86 Chapter 1 Overview Where to Go Next Catalyst 3750-E and 3560-E Switch Software Configuration Guide 1-34 OL-9775-08...
  • Page 87: Understanding Command Modes

    Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-E or 3560-E switch or a Catalyst 3750-E switch stack, referred to as the switch. It contains these sections: Understanding Command Modes, page 2-1 •...
  • Page 88 To return to console command. privileged EXEC mode, press Ctrl-Z or enter end. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 89: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 90: Understanding No And Default Forms Of Commands

    Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 91: Using Command History

    You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4 at this URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TS...
  • Page 92: Recalling Commands

    Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch (config-line)# no editing Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 93: Editing Commands Through Keystrokes

    Delete the word to the left of the cursor. Press Esc D. Delete from the cursor to the end of the word. Capitalize or lowercase words or Press Esc C. Capitalize at the cursor. capitalize a set of letters. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 94: Editing Command Lines That Wrap

    Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1 Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25 Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 95: Searching And Filtering Output Of Show And More Commands

    If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation. For more information about interface notations, see the “Using Interface Configuration Mode” section on page 12-12. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 96: Accessing The Cli Through A Console Connection Or Through Telnet

    After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 2-10 OL-9775-08...
  • Page 97: Understanding The Boot Process

    Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: Understanding the Boot Process, page 3-1 •...
  • Page 98: Assigning Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The normal boot process involves the operation of the boot loader software and includes these activities: Performs low-level CPU initialization. It initializes the CPU registers, which control where physical •...
  • Page 99: Default Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict Note by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
  • Page 100: Dhcp Client Request Process

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
  • Page 101 Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
  • Page 102 (Only Configuration File)” section on page 3-11 and the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch.
  • Page 103 • The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP”...
  • Page 104: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 105 Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Figure 3-2 Relay Device Used in Autoconfiguration Switch Cisco router (DHCP client) (Relay) 10.0.0.2 10.0.0.1 20.0.0.1 20.0.0.2 20.0.0.3 20.0.0.4 DHCP server TFTP server DNS server Obtaining Configuration Files...
  • Page 106 Figure 3-3 DHCP-Based Autoconfiguration Network Example Switch 1 Switch 2 Switch 3 Switch 4 00e0.9f1e.2001 00e0.9f1e.2002 00e0.9f1e.2003 00e0.9f1e.2004 Cisco router 10.0.0.10 10.0.0.1 10.0.0.2 10.0.0.3 DHCP server DNS server TFTP server (tftpserver) Table 3-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 107: Configuring The Dhcp Auto Configuration And Image Update Features

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
  • Page 108 Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Command Purpose Step 4 network network-number mask Specify the subnet network number and mask of the DHCP address prefix-length pool. Note The prefix length specifies the number of bits that comprise the address prefix.
  • Page 109 Upload the tar file for the new image to the switch. Step 10 exit Return to global configuration mode. Step 11 tftp-server flash:config.text Specify the Cisco IOS configuration file on the TFTP server. Step 12 tftp-server flash:imagename.tar Specify the image name on the TFTP server. Step 13 tftp-server flash:filename.txt...
  • Page 110: Configuring The Client

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring the Client Beginning in privileged EXEC mode, follow these steps to configure a switch to download a configuration file and new image from a DHCP server: Command Purpose Step 1...
  • Page 111: Manually Assigning Ip Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs): If the switch is running the IP services feature set, you can also manually assign IP information to a port Note if you first put the port into Layer 3 mode by using the no switchport interface configuration command.
  • Page 112: Checking And Saving The Running Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 113 Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Configuring the NVRAM Buffer Size The default NVRAM buffer size is 512 kB. In some cases, the configuration file might be too large to save to NVRAM.
  • Page 114: Modifying The Startup Configuration

    The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the .bin extension).
  • Page 115: Specifying The Filename To Read And Write The System Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 116: Booting A Specific Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Command Purpose Step 4 show boot Verify your entries. The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
  • Page 117: Controlling Environment Variables

    Environment variables store two kinds of data: • Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
  • Page 118 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 119 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Table 3-4 Environment Variables (continued) Variable Boot Loader Command Cisco IOS Global Configuration Command SWITCH_NUMBER set SWITCH_NUMBER switch current-stack-member-number renumber stack-member-number new-stack-member-number Changes the member number of a stack Changes the member number of a stack member.
  • Page 120: Scheduling A Reload Of The Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 121: Displaying Scheduled Reload Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image If you modify your configuration file, the switch prompts you to save the configuration before reloading. During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists.
  • Page 122 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Catalyst 3750-X and 3560-X Switch Software Configuration Guide 3-26 OL-21521-01...
  • Page 123: Understanding Cisco Configuration Engine Software

    Configuring Cisco IOS Configuration Engine This chapter describes how to configure the feature on the Catalyst 3750-E and 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 124: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 125: Event Service

    ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 126 Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 127: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 128: Synchronized Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 129 Note For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_ 1.html Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 130: Enabling The Cns Event Agent

    This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count. Switch(config)# cns event 10.180.1.27 keepalive 120 10 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 131: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 132 Return to global configuration mode. Step 11 hostname name Enter the hostname for the switch. Step 12 ip route network-number (Optional) Establish a static route to the Configuration Engine whose IP address is network-number. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 4-10 OL-9775-08...
  • Page 133 ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 4-11 OL-9775-08...
  • Page 134 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 135: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 136: Displaying Cns Configuration

    Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats Displays statistics about the Cisco IOS agent.
  • Page 137: Managing Switch Stacks

    Catalyst3750-X-only stack with only Catalyst 3750-X switches as stack members. Mixed stack • A mixed hardware stack with a mixture of Catalyst 3750-X, Catalyst 3750-E, and 3750 switches – as stack members. For example, a stack with Catalyst 3750-E and 3750 switches supporting the IP services features.
  • Page 138 One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are all stack members. The Catalyst 3750-E stack members use the Cisco StackWise Plus technology to work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 139: Switch Stack Membership

    Note their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant on Cisco.com. Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports.
  • Page 140 For more information about cabling and powering switch stacks, see the “Switch Installation” chapter in the hardware installation guide. Figure 5-1 Creating a Switch Stack from Two Standalone Switches Stack member 1 Stack member 1 Stack member 1 Stack member 2 and stack master Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 141 We recommend assigning the highest priority value to the switch that you prefer to be the Note stack master. This ensures that the switch is re-elected as stack master if a re-election occurs. The switch that is not using the default interface-level configuration. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 142 As described in the hardware installation guide, you can use the Master LED on the switch to see if the switch is the stack master. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 143: Switch Stack Bridge Id And Router Mac Address

    “Switch Stack Membership” section on page 5-3. As described in the hardware installation guide, you can use the switch port LEDs in Stack mode to visually determine the stack member number of each stack member. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 144: Stack Member Priority Values

    When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 145 The stack member number of The switch stack applies the default the provisioned switch is not configuration to the provisioned switch found in the provisioned and adds it to the stack. configuration. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 146: Hardware Compatibility And Sdm Mismatch Mode In Switch Stacks

    Hardware Compatibility and SDM Mismatch Mode in Switch Stacks The Catalyst 3750-E switch supports only the desktop Switch Database Management (SDM) templates. All stack members use the SDM template configured on the stack master.
  • Page 147: Switch Stack Software Compatibility Recommendations

    “Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 5-10. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the universal software image and have the IP services feature set enabled for the Cisco IOS Release 12.2(35)SE2 or later.
  • Page 148 (including the switch in VM mode). If an appropriate image is not found in the stack flash file systems, the auto-advise process tells you to install new software on the switch stack. Auto-advise cannot be disabled, and there is no command to check its status. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-12 OL-9775-08...
  • Page 149 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Suffix:ipservices-122-35.SE2 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Directory:c3750e-universal-mz.122-35.SE2 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Name:c3750e-universal-mz.122-35.SE2 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Feature:IP|LAYER_3|PLUS|MIN_DRAM_MEG=128 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Old image for switch 1:flash1:c3750e-universal-mz.122-35.SE2 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-13 OL-9775-08...
  • Page 150 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:been determined that the stack can be *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:repaired by issuing the following *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:command(s): *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: archive download-sw /force-reload /overwrite /dest 1 flash1:c3750e-universal-mz.122-35.SE2.tar *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-14 OL-9775-08...
  • Page 151: Incompatible Software And Stack Member Image Upgrades

    Note We recommend that all stack members run Cisco IOS Release 12.2(35)SE2 or later. The interface-specific settings of the stack master are saved if the stack master is replaced without saving the running configuration to the startup configuration.
  • Page 152: Switch Stack Management Connectivity

    “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, • available on Cisco.com “MAC Addresses and Switch Stacks”...
  • Page 153 Encryption features are unavailable if the stack master is running the noncryptographic software image. Note The noncryptographic software image was available only on Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier. The Catalyst 3750-X switches run only the cryptographic software image.
  • Page 154: Switch Stack Configuration Scenarios

    Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. Restart both stack members at the same time. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-18 OL-9775-08...
  • Page 155 The stack master is retained. The new switch is added to the switch stack. Through their StackWise Plus ports, connect the new switch to a powered-on switch stack. Power on the new switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-19 OL-9775-08...
  • Page 156: Configuring The Switch Stack

    During this time period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master. If Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-20...
  • Page 157 If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the switch stack moves to the current stack master MAC address. Step 3 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-21 OL-9775-08...
  • Page 158: Assigning Stack Member Information

    Setting the Stack Member Priority Value, page 5-23 (optional) • Provisioning a New Member for a Switch Stack, page 5-23 (optional) • Assigning a Stack Member Number This task is available only from the stack master. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-22 OL-9775-08...
  • Page 159 Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Provisioning a New Member for a Switch Stack This task is available only from the stack master. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-23 OL-9775-08...
  • Page 160 The show running-config command output shows the interfaces associated with the provisioned switch: Switch(config)# switch 2 provision switch_PID Switch(config)# end Switch# show running-config | include switch 2 interface GigabitEthernet2/0/1 interface GigabitEthernet2/0/2 interface GigabitEthernet2/0/3 <output truncated> Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-24 OL-9775-08...
  • Page 161: Accessing The Cli Of A Specific Stack Member

    Manually Disabling a Stack Port, page 5-26 • Re-Enabling a Stack Port While Another Member Starts, page 5-26 Understanding the show switch stack-ports summary Output, page 5-27 • Identifying Loopback Problems, page 5-28 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-25 OL-9775-08...
  • Page 162: Manually Disabling A Stack Port

    If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-26...
  • Page 163 In Loopback No—At least one stack port on the member has an attached stack • cable. • Yes—None of the stack ports on the member has an attached stack cable. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-27 OL-9775-08...
  • Page 164: Identifying Loopback Problems

    -------- ------ -------- -------- ---- ------ ---- --------- -------- Down None 50 cm 50 cm Down None 50 cm Switch 1 is a standalone switch. Switch# show switch stack-ports summary Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-28 OL-9775-08...
  • Page 165 -------- ---- ------ ---- --------- -------- 50 cm 50 cm The port status shows that – Switch 2 is a standalone switch. – The ports can send and receive traffic. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-29 OL-9775-08...
  • Page 166: Hardware Loopback Example: Link Ok Event

    If neither stack port has an connected stack cable, the Loopback HW value for both stack ports is Yes. • On a Catalyst 3750-E or Catalyst 3750-X member, If a stack port has an connected stack cable, the Loopback HW value for the stack port is No.
  • Page 167: Hardware Loop Example: Link Not Ok Event

    0000000957 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable Event type: RAC 0000000958 FF08FF00 86034DAC 5555FFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable 0000000958 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes/Yes No cable Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-31 OL-9775-08...
  • Page 168: Finding A Disconnected Stack Cable

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN This is now the port status: Switch# show switch stack-ports summary Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-32 OL-9775-08...
  • Page 169: Fixing A Bad Connection Between Stack Ports

    The Cable Length value is 50 cm. The switch detects and correctly identifies the cable. • The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-33 OL-9775-08...
  • Page 170 Chapter 5 Managing Switch Stacks Troubleshooting Stacks Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-34 OL-9775-08...
  • Page 171: Clustering Switches

    C H A P T E R Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3750-E and 3560-E switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 172: Understanding Switch Clusters

    The switches can be in the same location, or they can be distributed across a Layer 2 or Layer 3 (if your cluster is using a Catalyst 3560, Catalyst 3750, Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch as a Layer 3 router between the Layer 2 switches in the cluster) network.
  • Page 173: Cluster Command Switch Characteristics

    It is running a supported software release. • It has an IP address. • It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default). It is not a command or cluster member switch of another cluster. • • It is connected to the standby cluster command switches through the management VLAN and to the cluster member switches through a common VLAN.
  • Page 174: Candidate Switch And Cluster Member Switch Characteristics

    Standby cluster command switches must be the same type of switches as the cluster command Note switch. For example, if the cluster command switch is a Catalyst 3750-E switch, the standby cluster command switches must also be Catalyst 3750-E switches. See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 175 Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 176 Device 15 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 177 Planning a Switch Cluster Discovery Through Different VLANs If the cluster command switch is a Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 178: Discovery Through Routed Ports

    Chapter 6 Clustering Switches Planning a Switch Cluster If the switch cluster has a Catalyst 3750-E or Catalyst 3750-X switch or switch stack, that switch or Note switch stack must be the cluster command switch. The cluster command switch and standby command switch in...
  • Page 179: Discovery Of Newly Installed Switches

    The other cluster-capable switch and its access port are assigned to management VLAN 16. Figure 6-6 Discovery of Newly Installed Switches Command device VLAN 9 VLAN 16 Device A Device B VLAN 9 VLAN 16 New (out-of-box) New (out-of-box) candidate device candidate device Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 180 These topics also provide more detail about standby cluster command switches: Virtual IP Addresses, page 6-11 • Other Considerations for Cluster Standby Groups, page 6-11 • Automatic Recovery of Cluster Configuration, page 6-12 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 6-10 OL-9775-08...
  • Page 181: Virtual Ip Addresses

    If your switch cluster has a Catalyst 3750-X switch or a switch stack, it should be the cluster command switch. If not, when the cluster has a Catalyst 3750-E switch or switch stack, that switch should be the cluster command switch.
  • Page 182: Automatic Recovery Of Cluster Configuration

    6-7) must be connected to the cluster command switch through the same VLAN. In this example, the cluster command switch and standby cluster command switches are Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster.
  • Page 183: Ip Addresses

    (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 6-13 OL-9775-08...
  • Page 184: Snmp Community Strings

    Switch Clusters and Switch Stacks A switch cluster can have one or more Catalyst 3750-E switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
  • Page 185 Cluster configuration of switch stacks is through the stack master. These are considerations to keep in mind when you have switch stacks in switch clusters: If the cluster command switch is not a Catalyst 3750-E switch or switch stack and a new stack •...
  • Page 186: Tacacs+ And Radius

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 187: Catalyst 1900 And Catalyst 2820 Cli Considerations

    If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 33, “Configuring SNMP.” Catalyst 3750-E and 3560-E Switch Software Configuration Guide 6-17 OL-9775-08...
  • Page 188 Clustering Switches Using SNMP to Manage Switch Clusters Figure 6-8 SNMP Management for a Cluster SNMP Manager Command switch Trap 1, Trap 2, Trap 3 Member 1 Member 2 Member 3 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 6-18 OL-9775-08...
  • Page 189: Administering The Switch

    Administering the Switch This chapter describes how to perform one-time operations to administer the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 190: Chapter 7 Administering The Switch

    The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 191 Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 192: Configuring Ntp

    NTP that provide for accurate timekeeping) with other devices for security purposes: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 193: Configuring Ntp Associations

    (meaning that only this switch synchronizes to the other device, and not the other way around). Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 194 However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 195 Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4 exit Return to global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 196: Configuring Ntp Access Restrictions

    NTP control queries and allows the • switch to synchronize to the remote device. For access-list-number, enter a standard IP access list number from 1 to 99. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 197 99. However, the switch restricts access to allow only time requests from access list 42: Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch(config)# access-list 99 permit 172.20.130.5 Switch(config)# access list 42 permit 172.20.130.6 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 198 “Configuring NTP Associations” section on page 7-5. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-10 OL-9775-08...
  • Page 199: Displaying The Ntp Configuration

    • show ntp status • For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 200 Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and.5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-12 OL-9775-08...
  • Page 201 This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00: Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-13 OL-9775-08...
  • Page 202: Configuring A System Name And Prompt

    9. When you use this command, the stack member number is appended to the system prompt. For example, is the prompt in privileged EXEC mode for stack member 2, and the system prompt Switch-2# for the switch stack is Switch Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-14 OL-9775-08...
  • Page 203: Default System Name And Prompt Configuration

    Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 204 If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-16 OL-9775-08...
  • Page 205: Creating A Banner

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 206 Unix> telnet 172.2.5.4 Trying 172.2.5.4... Connected to 172.2.5.4. Escape character is '^]'. This is a secure site. Only authorized users are allowed. For access, contact technical support. User Access Verification Password: Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-18 OL-9775-08...
  • Page 207: Configuring A Login Banner

    (static or dynamic). For complete syntax and usage information for the commands used in this section, see the command Note reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-19 OL-9775-08...
  • Page 208: Building The Address Table

    Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-20...
  • Page 209: Mac Addresses And Switch Stacks

    VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-21 OL-9775-08...
  • Page 210: Removing Dynamic Address Entries

    MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-22 OL-9775-08...
  • Page 211 Enable the trap when a MAC address is added • on this interface. Enable the trap when a MAC address is removed • from this interface. Step 8 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-23 OL-9775-08...
  • Page 212: Configuring Mac Address Move Notification Traps

    When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-24...
  • Page 213: Configuring Mac Threshold Notification Traps

    Configuring MAC Threshold Notification Traps When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-25 OL-9775-08...
  • Page 214 Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification Switch(config)# snmp-server enable traps mac-notification threshold Switch(config)# mac address-table notification threshold Switch(config)# mac address-table notification threshold interval 123 Switch(config)# mac address-table notification threshold limit 78 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-26 OL-9775-08...
  • Page 215: Adding And Removing Static Address Entries

    (Optional) Save your entries in the configuration file. To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-27 OL-9775-08...
  • Page 216: Configuring Unicast Mac Address Filtering

    For vlan-id, specify the VLAN for which the packet with the • specified MAC address is received. Valid VLAN IDs are 1 to 4094. Step 3 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-28 OL-9775-08...
  • Page 217: Disabling Mac Address Learning On A Vlan

    If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning • is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-29 OL-9775-08...
  • Page 218: Displaying Address Table Entries

    Displays the MAC notification parameters and history table. show mac address-table static Displays only static MAC address table entries. show mac address-table vlan Displays the MAC address table information for the specified VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-30 OL-9775-08...
  • Page 219: Managing The Arp Table

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com. Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 220 Chapter 7 Administering the Switch Managing the ARP Table Catalyst 3750-E and 3560-E Switch Software Configuration Guide 7-32 OL-9775-08...
  • Page 221: Understanding The Sdm Templates

    This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 222: Dual Ipv4 And Ipv6 Sdm Templates

    Dual IPv4 and IPv6 VLAN template—supports basic Layer 2, multicast, QoS, and ACLs for IPv4, • and basic Layer 2, ACLs, and QoS for IPv6 on the switch. Cisco IOS Release 12.2(46)SE and later supports IPv6 port-based trust with the dual IPv4 and Note IPv6 SDM templates.
  • Page 223: Sdm Templates And Switch Stacks

    SDM Templates and Switch Stacks In a Catalyst 3750-E-only or a mixed hardware switch stack, all stack members must use the same SDM desktop template that is stored on the stack master. When a new switch is added to a stack, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
  • Page 224: Configuring The Switch Sdm Template

    If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message • appears. Using the dual stack template results in less hardware capacity allowed for each resource, so do not • use it if you plan to forward only IPv4 traffic. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 225: Setting The Sdm Template

    0.5K number of security aces: On next reload, template will be “desktop vlan” template. To return to the default template, use the no sdm prefer global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 226: Displaying The Sdm Templates

    The current template is "desktop IPv4 and IPv6 routing" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. number of unicast mac addresses: 1.5K Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 227 IPv4/MAC qos aces: 0.5K number of IPv4/MAC security aces: 0.5K number of IPv6 policy based routing aces: 0.25K number of IPv6 qos aces: 0.5K number of IPv6 security aces: 0.5K Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 228 Chapter 8 Configuring SDM Templates Displaying the SDM Templates Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 229: Preventing Unauthorized Access To Your Switch

    Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 230: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. For complete syntax and usage information for the commands used in this section, see the Cisco IOS Note Security Command Reference, Release 12.2.
  • Page 231: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 232 To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 233: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 234: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 235: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 236 This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure Switch(config)# enable password level 14 SecretPswd14 Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 237 Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15. Catalyst 3750-E and 3560-E Switch Software Configuration Guide OL-9775-08...
  • Page 238: Controlling Switch Access With Tacacs

    (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 239 TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-11 OL-9775-08...
  • Page 240: Configuring Tacacs

    These sections contain this configuration information: • Default TACACS+ Configuration, page 9-13 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-13 • Configuring TACACS+ Login Authentication, page 9-14 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-12 OL-9775-08...
  • Page 241 (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-13 OL-9775-08...
  • Page 242 Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-14 OL-9775-08...
  • Page 243 {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-15 OL-9775-08...
  • Page 244 Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 245: Controlling Switch Access With Radius

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. For complete syntax and usage information for the commands used in this section, see the Cisco IOS Note Security Command Reference, Release 12.2.
  • Page 246: Understanding Radius

    Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. • RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 247: Radius Operation

    This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization (CoA). Change-of-Authorization Requests, page 9-20 • • CoA Request Response Code, page 9-21 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-19 OL-9775-08...
  • Page 248: Coa Request Commands

    RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests: Session reauthentication •...
  • Page 249 CoA Request Response Code The CoA Request response code can be used to convey a command to the switch. The supported commands are listed in Table 9-4 on page 9-23. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-21 OL-9775-08...
  • Page 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attributes ... +-+-+-+-+-+-+-+-+-+-+-+-+- The attributes field is used to carry Cisco VSAs. CoA ACK Response Code If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
  • Page 251 Session Termination • CoA Disconnect-Request • CoA Request: Disable Host Port CoA Request: Bounce-Port • Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4. Table 9-4 CoA Commands Supported on the Switch Command Cisco VSA Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”...
  • Page 252 To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
  • Page 253: Stacking Guidelines For Session Termination

    (which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-25 OL-9775-08...
  • Page 254: Configuring Radius

    Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 9-35 (optional) • Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 9-37 • (optional) Configuring CoA on the Switch, page 9-38 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-26 OL-9775-08...
  • Page 255: Default Radius Configuration

    For information on configuring these settings on all RADIUS servers, see the “Configuring Settings for All RADIUS Servers” section on page 9-35. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-27 OL-9775-08...
  • Page 256 RADIUS host. Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-28 OL-9775-08...
  • Page 257: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-29 OL-9775-08...
  • Page 258 • login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-30 OL-9775-08...
  • Page 259: Defining Aaa Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 260 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-32 OL-9775-08...
  • Page 261: Configuring Radius Authorization For User Privileged Access And Network Services

    EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-33 OL-9775-08...
  • Page 262: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 263: Configuring Settings For All Radius Servers

    The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:...
  • Page 264 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 265: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 266: Configuring Coa On The Switch

    To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-38 OL-9775-08...
  • Page 267: Monitoring And Troubleshooting Coa Functionality

    In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.2, the trusted third party can be a Catalyst 3750-E or 3560-E switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol.
  • Page 268: Understanding Kerberos

    Note A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
  • Page 269 Kerberos realm represented by the KDC. 1. TGT = ticket granting ticket 2. KDC = key distribution center 3. KEYTAB = key table 4. SRVTAB = server table Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-41 OL-9775-08...
  • Page 270: Kerberos Operation

    Controlling Switch Access with Kerberos Kerberos Operation A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
  • Page 271: Configuring Kerberos

    The Kerberos realm name must be in all uppercase characters. • A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security Note server and that can authenticate users by using the Kerberos protocol.
  • Page 272 Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 273: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 274: Configuring Ssh

    SSH server. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-46 OL-9775-08...
  • Page 275: Configuring The Ssh Server

    If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-47 OL-9775-08...
  • Page 276: Displaying The Ssh Configuration And Status

    Commands for Displaying the SSH Server Configuration and Status Command Purpose show ip ssh Shows the version and configuration information for the SSH server. show ssh Shows the status of the SSH server. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-48 OL-9775-08...
  • Page 277: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 278 X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-50...
  • Page 279: Ciphersuites

    • Configuring the Secure HTTP Client, page 9-54 Default SSL Configuration The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-51 OL-9775-08...
  • Page 280 RSA key pair. Step 13 Return to privileged EXEC mode. Step 14 show crypto ca trustpoints Verify the configuration. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-52 OL-9775-08...
  • Page 281: Configuring The Secure Http Server

    (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-53 OL-9775-08...
  • Page 282: Configuring The Secure Http Client

    Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-54 OL-9775-08...
  • Page 283: Displaying Secure Http Server And Client Status

    Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and • Adelman (RSA) key pair. When using SCP, you cannot enter the password into the copy command. You must enter the password Note when prompted. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 9-55 OL-9775-08...
  • Page 284: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 285 This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-E or 3560-E switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 286 Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 287 Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 288 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3650-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
  • Page 289 After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-5 OL-9775-08...
  • Page 290: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-6 OL-9775-08...
  • Page 291 MAC authentication bypass. Figure 10-4 Message Exchange During MAC Authentication Bypass Authentication server Client (RADIUS) Switch EAPOL Request/Identity EAPOL Request/Identity EAPOL Request/Identity Ethernet packet RADIUS Access/Request RADIUS Access/Accept Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-7 OL-9775-08...
  • Page 292: Authentication Manager

    Understanding IEEE 802.1x Port-Based Authentication Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
  • Page 293 ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running Cisco IOS releases.
  • Page 294 802.1x CLI commands Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate command for each authentication method: •...
  • Page 295: Ports In Authorized And Unauthorized States

    Note that if the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks,” and the 802.1x authentication process continues as usual. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-11 OL-9775-08...
  • Page 296: X Host Mode

    With the multiple-hosts mode enabled, you can use 802.1x authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client. Figure 10-5 Multiple Host Mode Example Authentication server Access point (RADIUS) Wireless clients Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-12 OL-9775-08...
  • Page 297: X Multiple Authentication Mode

    When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN features do not activate. Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions: The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Page 298 Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along with port security. When a MAC address moves from one port to another, the switch terminates the authenticated session on the original port and initiates a new authentication sequence on the new port.
  • Page 299 Attribute[40] Acct-Status-Type Always Always Always Attribute[41] Acct-Delay-Time Always Always Always Attribute[42] Acct-Input-Octets Never Always Always Attribute[43] Acct-Output-Octets Never Always Always Attribute[44] Acct-Session-ID Always Always Always Attribute[45] Acct-Authentic Always Always Always Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-15 OL-9775-08...
  • Page 300: X Readiness Check

    Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE.In Cisco IOS Release 12.2(40)SE and later. When a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and...
  • Page 301 802.1x authentication on an access port). • Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: [64] Tunnel-Type = VLAN – Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-17 OL-9775-08...
  • Page 302 If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 303: X Authentication With Downloadable Acls And Redirect Urls

    On a voice VLAN port, the switch applies the ACL only to the phone. Beginning with Cisco IOS Release 12.2(55)SE, if you do not configure a static ACL on a port, a dynamic Auth-Default-ACL is created and its policies are enforced. The Auth-Default-ACL is not stored in NVRAM and cannot be retrieved by the nonvolatile generation (NVGEN) process.
  • Page 304 ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
  • Page 305: X Authentication With Guest Vlan

    The feature also limits the number of VLANs monitored and handled by STP.The network can be managed as a fixed VLAN. This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new Note hosts and only authenticates based on the MAC address.)
  • Page 306: X Authentication With Restricted Vlan

    VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-22...
  • Page 307: X Authentication With Inaccessible Authentication Bypass

    If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers • are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-23 OL-9775-08...
  • Page 308 When a member is added to the stack, the stack master sends the member the server status. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-24 OL-9775-08...
  • Page 309: X User Distribution

    The PVID is the native VLAN of the port. The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-25 OL-9775-08...
  • Page 310 If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and Note to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 311 When you configure a port as bidirectional by using the dot1x control-direction both interface configuration command, the port is access-controlled in both directions. The port does not receive packets from or send packets to the host. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-27 OL-9775-08...
  • Page 312 “IEEE 802.1x Authentication with Voice VLAN Ports” section on • page 10-25. VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive. • • Private VLAN—You can assign a client to a private VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-28 OL-9775-08...
  • Page 313: Flexible Authentication Ordering

    For more configuration information, see the “Authentication Manager” section on page 10-8. Cisco IOS Release 12.2(55)SE and later supports filtering of MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9. Network Admission Control Layer 2 IEEE 802.1x Validation The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which...
  • Page 314: Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 315 When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 316 VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch without interruption. For information on configuring voice aware 802.1x security, see the “Configuring Voice Aware 802.1x Security” section on page 10-39. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-32 OL-9775-08...
  • Page 317: Common Session Id

    Changing the Quiet Period, page 10-46 (optional) • Changing the Switch-to-Client Retransmission Time, page 10-47 (optional) • Setting the Switch-to-Client Frame-Retransmission Number, page 10-47 (optional) • Setting the Re-Authentication Number, page 10-48 (optional) • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-33 OL-9775-08...
  • Page 318 Disabled. RADIUS server • IP address • None specified. • UDP authentication port • 1812. None specified. • • Host mode Single-host mode. Control direction Bidirectional control. Periodic re-authentication Disabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-34 OL-9775-08...
  • Page 319: X Authentication Configuration Guidelines

    If you try to change the mode of an 802.1x-enabled port (for example, from access to trunk), an error • message appears, and the port mode is not changed. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-35 OL-9775-08...
  • Page 320 EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured. If you are using a device running the Cisco Access Control Server (ACS) application for • IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
  • Page 321 “802.1x Authentication” section on page 10-35. If you disable MAC authentication bypass from a port after the port has been authorized with its • MAC address, the port state is not affected. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-37 OL-9775-08...
  • Page 322 • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN. In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one •...
  • Page 323 You can re-enable individual VLANs by using the clear errdisable interface interface-id vlan [vlan-list] privileged EXEC command. If you do not specify a range, all VLANs on the port are enabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-39 OL-9775-08...
  • Page 324 Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-40 OL-9775-08...
  • Page 325 The switch sends a start message to an accounting server. Re-authentication is performed, as necessary. Step 5 Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-41 OL-9775-08...
  • Page 326 IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-42...
  • Page 327 You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-43 OL-9775-08...
  • Page 328: Configuring The Host Mode

    IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
  • Page 329 Return to privileged EXEC mode. Step 6 show authentication interface-id Verify your entries. show dot1x interface interface-id Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-45 OL-9775-08...
  • Page 330: Changing The Quiet Period

    To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command. This example shows how to set the quiet time on the switch to 30 seconds: Switch(config-if)# dot1x timeout quiet-period 30 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-46 OL-9775-08...
  • Page 331 You should change the default value of this command only to adjust for unusual circumstances such as Note unreliable links or specific behavioral problems with certain clients and authentication servers. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-47 OL-9775-08...
  • Page 332 Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2. Step 4 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-48 OL-9775-08...
  • Page 333: Enabling Mac Move

    Please review the purpose column for Step 3 below, and indicate any changes needed. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-49 OL-9775-08...
  • Page 334 This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-50 OL-9775-08...
  • Page 335: Configuring A Guest Vlan

    You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x guest VLAN. Step 6 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-51 OL-9775-08...
  • Page 336: Configuring A Restricted Vlan

    Specify an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-52 OL-9775-08...
  • Page 337 Return to privileged EXEC mode. Step 8 show authentication interface-id (Optional) Verify your entries. show dot1x interface interface-id Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-53 OL-9775-08...
  • Page 338: Configuring The Inaccessible Authentication Bypass Feature

    (Optional) Set the number of minutes that a RADIUS server is not sent requests. minutes The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-54 OL-9775-08...
  • Page 339 Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 10-35. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-55 OL-9775-08...
  • Page 340 Switch(config)# dot1x critical recovery delay 2000 Switch(config)# interface gigabitethernet 1/0/1 Switch(config)# radius-server deadtime 60 Switch(config-if)# dot1x critical Switch(config-if)# dot1x critical recovery action reinitialize Switch(config-if)# dot1x critical vlan 20 Switch(config-if)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-56 OL-9775-08...
  • Page 341: Configuring Mac Authentication Bypass

    Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 10-35. Step 3 authentication port-control auto Enable 802.1x authentication on the port. dot1x port-control auto Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-57 OL-9775-08...
  • Page 342 This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added: switch(config)# vlan group eng-dept vlan-list 30 switch(config)# show vlan group eng-dept Group Name Vlans Mapped ------------- -------------- Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-58 OL-9775-08...
  • Page 343 For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 IEEE 802.1x Validation You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
  • Page 344: Configuring An Authenticator And A Supplicant Switch With Neat

    “802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 10-31. The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the Note interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 345 Attach the 802.1x credentials profile to the interface. Step 12 Return to privileged EXEC mode. Step 13 show running-config interface Verify your configuration. interface-id Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-61 OL-9775-08...
  • Page 346: Configuring Downloadable Acls

    Step 5 radius-server vsa send authentication Configure the radius vsa send authentication. Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-62 OL-9775-08...
  • Page 347: Configuring A Downloadable Policy

    Step 8 ip device tracking Enables the IP device tracking table. To disable the IP device tracking table, use the no ip device tracking global configuration commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-63 OL-9775-08...
  • Page 348 Enter global configuration mode. Step 2 mab request format attribute 32 vlan access-vlan Enable VLAN ID-based MAC authentication. Step 3 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-64 OL-9775-08...
  • Page 349: Configuring Flexible Authentication Ordering

    There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
  • Page 350 Switch(config)# aaa ip auth-proxy auth-proxy-banner C My Switch C Switch(config) end For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-66 OL-9775-08...
  • Page 351 Return to privileged EXEC mode. Step 5 show authentication interface-id Verify your entries. show dot1x interface interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 10-67 OL-9775-08...
  • Page 352 EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. For detailed information about the fields in these displays, see the command reference for this release.
  • Page 353 C H A P T E R Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the Catalyst 3750-E or 3560-E switch. It contains these sections: Understanding Web-Based Authentication, page 11-1 • Configuring Web-Based Authentication, page 11-9 •...
  • Page 354: Host Detection

    ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static • IP address or a dynamic IP address. Dynamic ARP inspection • DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding • entry for the host. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-2 OL-9775-08...
  • Page 355: Session Creation

    If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server. • If the terminate action is default, the session is dismantled, and the applied policy is removed. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-3 OL-9775-08...
  • Page 356: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
  • Page 357 Figure 11-4. Figure 11-4 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-5 OL-9775-08...
  • Page 358: Web Authentication Customizable Web Pages

    You must include an HTML redirect command in the success page to access a specific URL. • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL • might cause page not found or similar errors on a web browser.
  • Page 359 You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 26-8. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-7 OL-9775-08...
  • Page 360 ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 361 You must configure the default ACL on the interface before configuring web-based authentication. • Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface. You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts •...
  • Page 362: Configuring The Authentication Rule And Interfaces

    Switch(config-if)# exit Switch(config)# ip device tracking This example shows how to verify the configuration: Switch# show ip admission configuration Authentication Proxy Banner not configured Authentication global cache time is 60 minutes Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-10 OL-9775-08...
  • Page 363: Configuring Aaa Authentication

    The RADIUS host entries are chosen in the order that they were configured. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-11 OL-9775-08...
  • Page 364 For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html You need to configure some settings on the RADIUS server, including: the switch IP address, the key Note string to be shared by both the server and the switch, and the downloadable ACL (DACL).
  • Page 365: Configuring The Http Server

    Step 4 ip admission proxy http login expired page file Specify the location of the custom HTML file to use in device:expired-filename place of the default login expired page. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-13 OL-9775-08...
  • Page 366 Authentication global init state time is 2 minutes Authentication Proxy Session ratelimit is 100 Authentication Proxy Watch-list is disabled Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-14 OL-9775-08...
  • Page 367: Configuring An Aaa Fail Policy

    AAA down state to avoid flooding the AAA server when it returns to service. This example shows how to apply an AAA failure policy: Switch(config)# ip admission name AAA_FAIL_POLICY proxy http event timeout aaa policy identity GLOBAL_POLICY1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-15 OL-9775-08...
  • Page 368 (Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character or a file-path indicates a file (for example, a logo or text file) that appears in the banner. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-16 OL-9775-08...
  • Page 369 This example shows how to view only the global web-based authentication status: Switch# show authentication sessions This example shows how to view the web-based authentication settings for gigabit interface 3/27: Switch# show authentication sessions interface gigabitethernet 3/27 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-17 OL-9775-08...
  • Page 370 Chapter 11 Configuring Web-Based Authentication Displaying Web-Based Authentication Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 11-18 OL-9775-08...
  • Page 371: Interface Types

    The rest of the chapter describes configuration procedures for physical interface characteristics. The stack ports on the rear of the Catalyst 3750-E switch are not Ethernet ports and cannot be configured. Note...
  • Page 372: Switch Ports

    Configure switch ports by using the switchport interface configuration commands. Use the switchport command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-2...
  • Page 373 Catalyst 6500 series switch; the Catalyst 3750-E or 3560-E switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 374: Routed Ports

    The IP base feature set supports static routing and the Routing Information Protocol (RIP). For full Note Layer 3 routing or for fallback bridging, you must enable the IP services feature set on the standalone switch, or the stack master. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-4 OL-9775-08...
  • Page 375: Switch Virtual Interfaces

    VLAN. Note The protocol link state for VLAN interfaces come up when the first switchport belonging to the corresponding VLAN link comes up and is in STP forwarding state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-5 OL-9775-08...
  • Page 376: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 377 In Cisco IOS Release 12.2(40)SE and earlier, each 10/100/1000 PoE port provides up to 15.4 W of power to the device. Cisco IOS Release 12.2(44)SE and later supports enhanced PoE. Enhanced PoE should be con- figured on a port to power a device requiring up to 20 W of power, such as the Cisco AP1250 wireless access point.
  • Page 378 LEDs. On a Catalyst 3750-E switch, the PoE feature operates the same whether or not the switch is a stack member. The power budget is per-switch and independent of any other switch in the stack. Election of a new stack master does not affect PoE operation.
  • Page 379: Power Management Modes

    PoE-capable port, making the port a data-only port. For information on configuring a PoE port, see the “Configuring a Power Management Mode on a PoE Port” section on page 12-27. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-9 OL-9775-08...
  • Page 380 The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
  • Page 381: Connecting Interfaces

    PoE ports. Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.
  • Page 382: Using Interface Configuration Mode

    12-14). To configure a physical interface (port), specify the interface type, stack member number (only Catalyst 3750-E switches), module number, and switch port number, and enter interface configuration mode. Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, 10-Gigabit •...
  • Page 383: Procedures For Configuring Interfaces

    Ethernet module slots, the port numbers restart with the 10-Gigabit Ethernet ports: tengigabitethernet1/0/1. On a switch with 10/100/1000 ports and Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, the SFP module ports are numbered consecutively following the 10/100/1000 interfaces.
  • Page 384: Configuring A Range Of Interfaces

    Step 2 Enter the interface global configuration command. Identify the interface type, the switch number (only on Catalyst 3750-E switches), and the number of the connector. In this example, Gigabit Ethernet port 1 on switch 1 is selected: Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# You do not need to add a space between the interface type and the interface number.
  • Page 385 - {last port} (for Catalyst 3560-E switches), where the – module is always 0 gigabitethernet stack member/module/{first port} - {last port} (for Catalyst 3750-E switches), – where the module is always 0 tengigabitethernet module/{first port} - {last port} (for Catalyst 3560-E switches), where the...
  • Page 386: Configuring And Using Interface Range Macros

    - {last port} (for Catalyst 3560-E switches), where the – module is always 0 gigabitethernet stack member/module/{first port} - {last port} (for Catalyst 3750-E switches), – where the module is always 0 tengigabitethernet module/{first port} - {last port} (for Catalyst 3560-E switches), where the –...
  • Page 387 Chapter 12 Configuring Interface Characteristics Using Interface Configuration Mode tengigabitethernet stack member/module/{first port} - {last port} (for Catalyst 3750-E switches), where the module is always 0 gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0 tengigabitethernet stack member/module/{first port} - {last port}, where the module is –...
  • Page 388: Using The Ethernet Management Port

    PC through the Ethernet management ports. The active link is from the stack master, a Catalyst 3750-E or Catalyst 3750- X switch to the PC. If the stack master fails and the elected stack master is not a Catalyst 3750-E or Catalyst 3750- X switch (switch 2), the active link can be from a stack member to the PC.
  • Page 389 If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-19 OL-9775-08...
  • Page 390: Supported Features On The Ethernet Management Port

    LED is green (on) when the link is active, and the LED is off when the link is down. The LED is amber when there is a POST failure. To display the link status, use the show interfaces fastethernet 0 privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-20 OL-9775-08...
  • Page 391: Tftp And The Ethernet Management Port

    Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release. copy tftp:/source-file-url Copies a Cisco IOS image from the TFTP server to the specified filesystem:/destination-file- location. For more details, see the command reference for this release.
  • Page 392: Default Ethernet Interface Configuration

    Port security Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 26-11. Port Fast Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 20-12. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-22 OL-9775-08...
  • Page 393: Configuring Interface Speed And Duplex Mode

    The switch might not support a pre-standard powered device—such as Note Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MIDX is enabled on the switch port.
  • Page 394 Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-24 OL-9775-08...
  • Page 395 Note Catalyst 3750-E or 3560-E ports can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on, off, or desired. The default state is off.
  • Page 396 Step 7 show controllers ethernet-controller Verify the operational state of the auto-MDIX feature on the interface. interface-id phy Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-26 OL-9775-08...
  • Page 397: Configuring A Power Management Mode On A Poe Port

    The switch repowers the port only if the powered device is a class 1, class 2, or a Cisco-only powered device. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a...
  • Page 398: Budgeting Power For Devices Connected To A Poe Port

    Chapter 15, “Configuring Voice VLAN.” Budgeting Power for Devices Connected to a PoE Port When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget accordingly.
  • Page 399 Enter global configuration mode. Step 2 no cdp run (Optional) Disable CDP. Step 3 interface interface-id Specify the physical port to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-29 OL-9775-08...
  • Page 400: Configuring Power Policing

    If you do not enter the action log keywords, the default action shuts down the port and puts the port in the error-disabled state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-30 OL-9775-08...
  • Page 401: Adding A Description For An Interface

    Verify your entry. show running-config Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-31 OL-9775-08...
  • Page 402: Configuring Layer 3 Interfaces

    If the switch attempts to boot up with a configuration that has more VLANs and routed ports than • hardware can support, the VLANs are created, but the routed ports are shut down, and the switch sends a message that this was due to insufficient hardware resources. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-32 OL-9775-08...
  • Page 403: Configuring Svi Autostate Exclude

    At least one port in the VLAN should be up and not excluded to keep the SVI state up. You can use this command to exclude the monitoring port status when determining the status of the SVI. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-33...
  • Page 404: Configuring The System Mtu

    The switch does not support the MTU on a per-interface basis. • You can enter the system mtu bytes global configuration command on a Catalyst 3750-E switch, but • the command does not take effect on the switch. This command only affects the system MTU size on Fast Ethernet ports on Catalyst 3750 members in a mixed hardware switch stack.
  • Page 405 Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command.
  • Page 406 Switch# reload This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000 % Invalid input detected at '^' marker. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-36 OL-9775-08...
  • Page 407 Configuring the Cisco RPS 2300 Configuring the Cisco RPS 2300 You can configure and manage the Cisco Redundant Power System 2300, also known as the RPS 2300. Follow these guidelines when configuring the RSP-2300: The RPS name is a 16-character-maximum string.
  • Page 408: Configuring The Power Supplies

    For more information about using the power rps user EXEC command, see the command reference for this release. Configuring the Power Supplies You can use the power supply user EXEC command to configure and manage the internal power supply on the switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-38 OL-9775-08...
  • Page 409: Monitoring And Maintaining The Interfaces

    These sections contain interface monitoring and maintenance information: Monitoring Interface Status, page 12-40 • Clearing and Resetting Interfaces and Counters, page 12-41 • Shutting Down and Restarting the Interface, page 12-42 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-39 OL-9775-08...
  • Page 410: Monitoring Interface Status

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 12-6...
  • Page 411: Clearing And Resetting Interfaces And Counters

    The clear counters privileged EXEC command does not clear counters retrieved by using Simple Note Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-41 OL-9775-08...
  • Page 412: Shutting Down And Restarting The Interface

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 12-42 OL-9775-08...
  • Page 413: Configuring Vlans

    VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 414: Supported Vlans

    VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
  • Page 415: Vlan Port Membership Modes

    VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, with the same VTP domain name. for example, but never a Catalyst 3750-E or 3560-E switch. To participate in VTP, at least one trunk The Catalyst 3750-E or 3560-E switch is a VMPS client.
  • Page 416 EXEC command. The vlan.dat file is stored in flash memory. On a Catalyst 3750-E switch, thevlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
  • Page 417: Token Ring Vlans

    VLAN configuration for VLANs 1 to 1005 are always saved in the VLAN database. If the VTP mode • is transparent, VTP and VLAN configuration are also saved in the switch running configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-5 OL-9775-08...
  • Page 418: Saving Vlan Configuration

    EXEC command to save the configuration in the startup configuration file. In a switch stack, the whole stack uses the same vlan.dat file and running configuration. To display the VLAN configuration, enter the show vlan privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-6 OL-9775-08...
  • Page 419: Default Ethernet Vlan Configuration

    Translational bridge 1 0 to 1005 Translational bridge 2 0 to 1005 VLAN state active active, suspend Remote SPAN disabled enabled, disabled Private VLANs none configured 2 to 1001, 1006 to 4094. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-7 OL-9775-08...
  • Page 420: Creating Or Modifying An Ethernet Vlan

    This example shows how to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# configure terminal Switch(config)# vlan 20 Switch(config-vlan)# name test20 Switch(config-vlan)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-8 OL-9775-08...
  • Page 421: Deleting A Vlan

    Define the VLAN membership mode for the port (Layer 2 access port). Step 4 switchport access vlan vlan-id Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094. Step 5 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-9 OL-9775-08...
  • Page 422: Default Vlan Configuration

    Ethernet VLANs. You can change only the MTU size, private VLAN, and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-10 OL-9775-08...
  • Page 423 VLAN ID from 1006 to 4094. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 13-2) and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change. See the description of the vlan global Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-11 OL-9775-08...
  • Page 424 This example shows how to create a new extended-range VLAN with all default characteristics, enter VLAN configuration mode, and save the new VLAN in the switch startup configuration file: Switch(config)# vtp mode transparent Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-12 OL-9775-08...
  • Page 425 VTP server mode, and the extended-range VLAN IDs will not be saved. This step is not required for VTP version 3 because VLANs are Note saved in the VLAN database. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-13 OL-9775-08...
  • Page 426: Displaying Vlans

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: Inter-Switch Link (ISL)—Cisco-proprietary trunking encapsulation. • IEEE 802.1Q— industry-standard trunking encapsulation. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-14 OL-9775-08...
  • Page 427 You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. DTP is not supported on private-VLAN ports or tunnel ports. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-15 OL-9775-08...
  • Page 428 The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces decide whether a link becomes an ISL or IEEE 802.1Q trunk. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-16 OL-9775-08...
  • Page 429: Default Layer 2 Ethernet Interface Vlan Configuration

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 430: Interaction With Other Features

    Configure the port to support ISL or IEEE 802.1Q encapsulation or to dot1q | negotiate} negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-18 OL-9775-08...
  • Page 431 VLANs from the allowed list. VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a Note requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 432 VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to sent and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
  • Page 433 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-21 OL-9775-08...
  • Page 434: Configuring Trunk Ports For Load Sharing

    6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-22...
  • Page 435 Repeat Steps 7 through 11on Switch A for a second port in the switch or switch stack. Step 14 Repeat Steps 7 through 11on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-23 OL-9775-08...
  • Page 436 VLANs 2 – 4 (path cost 30) VLANs 8 – 10 (path cost 30) VLANs 8 – 10 (path cost 19) VLANs 2 – 4 (path cost 19) Switch B Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-24 OL-9775-08...
  • Page 437: Configuring Vmps

    Return to global configuration mode. Step 6 Repeat Steps 2 through 5 on a second interface in Switch A (for a Catalyst 3560-E switch) or in the Switch A stack (for a Catalyst 3750-E switch). Step 7 Return to privileged EXEC mode.
  • Page 438: Understanding Vmps

    The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-26...
  • Page 439: Default Vmps Client Configuration

    You must turn off trunking on the port before the dynamic-access setting takes effect. Dynamic-access ports cannot be monitor ports. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-27 OL-9775-08...
  • Page 440: Configuring The Vmps Client

    If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-28 OL-9775-08...
  • Page 441 If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-29 OL-9775-08...
  • Page 442: Monitoring The Vmps

    VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can • occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-30 OL-9775-08...
  • Page 443: Vmps Configuration Example

    • End stations are connected to the clients, Switch B and Switch I. • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-31 OL-9775-08...
  • Page 444 Switch E 172.20.26.155 Switch F 172.20.26.156 Switch G 172.20.26.157 Switch H Client switch I Dynamic-access port 172.20.26.158 station 2 Trunk port 172.20.26.159 Catalyst 6500 series Secondary VMPS Switch J Server 3 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 13-32 OL-9775-08...
  • Page 445 VLANs with the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
  • Page 446: The Vtp Domain

    VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 447: Vtp Modes

    VTP off A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-3 OL-9775-08...
  • Page 448: Vtp Advertisements

    Although VTP version 2 supports only one domain, a VTP version 2 transparent switch forwards a message only when the domain name matches. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-4 OL-9775-08...
  • Page 449: Vtp Version 3

    For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-5...
  • Page 450: Vtp Pruning

    F have no ports in the Red VLAN. Figure 14-1 Flooding Traffic without VTP Pruning Switch D Port 2 Switch E Switch B VLAN Port 1 Switch F Switch C Switch A Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-6 OL-9775-08...
  • Page 451: Vtp And Switch Stacks

    VTP. When a switch joins the stack, it inherits the VTP and VLAN properties of the stack master. • All VTP updates are carried across the stack. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-7 OL-9775-08...
  • Page 452: Default Vtp Configuration

    The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3. VTP version Version 1 (Version 2 is disabled). MST database mode Transparent. VTP version 3 server type Secondary. VTP password None. VTP pruning Disabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-8 OL-9775-08...
  • Page 453: Vtp Configuration Guidelines

    If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-9...
  • Page 454 2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled. Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they •...
  • Page 455: Configuring Vtp Mode

    VTP server mode (the default). VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you cannot • convert from VTP version 3 to VTP version 2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-11 OL-9775-08...
  • Page 456 When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-12 OL-9775-08...
  • Page 457 This example shows how to configure a hidden password and how it appears. Switch(config)# vtp password mypassword hidden Generating the secret associated to the password. Switch(config)# end Switch# show vtp password VTP password: 89914640C8D90868B6A0D8103847A733 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-13 OL-9775-08...
  • Page 458: Enabling The Vtp Version

    Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, disable VTP version 2 must be disabled. VTP version 3 is supported on switches running Cisco IOS Release 12.2(52) SE or later. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 459: Enabling Vtp Pruning

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List” section on page 13-20. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-15 OL-9775-08...
  • Page 460: Adding A Vtp Client Switch To A Vtp Domain

    Change the domain name from the original one displayed in Step 1 to a new name. Step 4 The VLAN information on the switch is updated and the configuration revision number is reset to 0. You return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-16 OL-9775-08...
  • Page 461: Monitoring Vtp

    Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch. show vtp status Display the VTP switch configuration information. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-17 OL-9775-08...
  • Page 462 Chapter 14 Configuring VTP Monitoring VTP Catalyst 3750-E and 3560-E Switch Software Configuration Guide 14-18 OL-9775-08...
  • Page 463 This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
  • Page 464: Cisco Ip Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 465: Default Voice Vlan Configuration

    Chapter 37, “Configuring QoS.” • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.) Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 466: Configuring A Port Connected To A Cisco 7960 Ip Phone

    VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: –...
  • Page 467 Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 468: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 469: Displaying Voice Vlan

    (Optional) Save your entries in the configuration file. startup-config This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device: Switch# configure terminal Enter configuration commands, one per line.
  • Page 470 Chapter 15 Configuring Voice VLAN Displaying Voice VLAN Catalyst 3750-E and 3560-E Switch Software Configuration Guide 15-8 OL-9775-08...
  • Page 471 Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 472 These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN. Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-2 OL-9775-08...
  • Page 473: Ip Addressing Scheme With Private Vlans

    VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-3 OL-9775-08...
  • Page 474: Private Vlans Across Multiple Switches

    Private VLANs have specific interaction with some other features, described in these sections: Private VLANs and Unicast, Broadcast, and Multicast Traffic, page 16-5 • Private VLANs and SVIs, page 16-5 • • Private VLANs and Switch Stacks, page 16-5 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-4 OL-9775-08...
  • Page 475 VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-5...
  • Page 476: Tasks For Configuring Private Vlans

    See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 16-13. Step 6 Verify private-VLAN configuration. Default Private-VLAN Configuration No private VLANs are configured. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-6 OL-9775-08...
  • Page 477 Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. They entries do not age – out. The ip sticky-arp global configuration command is supported only on SVIs belonging to – private VLANs. The ip sticky-arp interface configuration command is only supported on – Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-7 OL-9775-08...
  • Page 478 VLAN become inactive. • Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-8 OL-9775-08...
  • Page 479: Configuring And Associating Vlans In A Private Vlan

    Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: The private-vlan commands do not take effect until you exit VLAN configuration mode. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-9 OL-9775-08...
  • Page 480 Use the remove keyword with a secondary_vlan_list to clear the association between secondary • VLANs and a primary VLAN. The command does not take effect until you exit VLAN configuration mode. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-10 OL-9775-08...
  • Page 481 Return to privileged EXEC mode. Step 6 show interfaces [interface-id] switchport Verify the configuration. Step 7 copy running-config startup config (Optional) Save your entries in the switch startup configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-11 OL-9775-08...
  • Page 482 Return to privileged EXEC mode. Step 6 show interfaces [interface-id] switchport Verify the configuration. Step 7 copy running-config startup config (Optional) Save your entries in the switch startup configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-12 OL-9775-08...
  • Page 483: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Return to privileged EXEC mode. Step 5 show interface private-vlan mapping Verify the configuration. Step 6 copy running-config startup config (Optional) Save your entries in the switch startup configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-13 OL-9775-08...
  • Page 484: Monitoring Private Vlans

    This is an example of the output from the show vlan private-vlan command: Switch(config)# show vlan private-vlan Primary Secondary Type Ports ------- --------- ----------------- ------------------------------------------ isolated Gi2/0/1, Gi3/0/1, Gi3/0/2 community Gi2/0/11, Gi3/0/1, Gi3/0/4 non-operational Catalyst 3750-E and 3560-E Switch Software Configuration Guide 16-14 OL-9775-08...
  • Page 485 The Catalyst 3750-E or 3560-E switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 486 When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 17-2 shows the tag structures of the double-tagged packets. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-2 OL-9775-08...
  • Page 487 (The default is zero if none is configured.) On Catalyst 3750-E switches, because 802.1Q tunneling is configured on a per-port basis, it does not matter whether the switch is a standalone switch or a stack member. All configuration is done on the stack master.
  • Page 488 The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-4 OL-9775-08...
  • Page 489: System Mtu

    IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by adding 4 bytes to the system MTU and system jumbo MTU sizes. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-5 OL-9775-08...
  • Page 490 When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit • (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Layer Link Discovery Protocol (LLDP) are automatically disabled on the interface.
  • Page 491 Switch(config-if)# exit Switch(config)# vlan dot1q tag native Switch(config)# end Switch# show dot1q-tunnel interface gigabitethernet1/0/7 Port ----- Gi1/0/1Port ----- Switch# show vlan dot1q tag native dot1q native vlan tagging is enabled Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-7 OL-9775-08...
  • Page 492: Understanding Layer 2 Protocol Tunneling

    VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
  • Page 493 When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-9 OL-9775-08...
  • Page 494 When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 495: Default Layer 2 Protocol Tunneling Configuration

    BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-11 OL-9775-08...
  • Page 496: Layer 2 Protocol Tunneling Configuration Guidelines

    PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-12 OL-9775-08...
  • Page 497 Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-13 OL-9775-08...
  • Page 498: Configuring Layer 2 Tunneling For Etherchannels

    If no keyword is entered, tunneling is enabled for all three protocols. To avoid a network failure, make sure that the network is a Caution point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-14 OL-9775-08...
  • Page 499 [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [[point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-15 OL-9775-08...
  • Page 500: Configuring The Customer Switch

    Switch(config-if)# l2protocol-tunnel point-to-point udld Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000 Switch(config-if)# exit Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport access vlan 18 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point pagp Switch(config-if)# l2protocol-tunnel point-to-point udld Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-16 OL-9775-08...
  • Page 501 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# udld enable Switch(config-if)# channel-group 1 mode desirable Switch(config-if)# exit Switch(config)# interface port-channel 1 Switch(config-if)# shutdown Switch(config-if)# no shutdown Switch(config-if)# exit Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-17 OL-9775-08...
  • Page 502: Monitoring And Maintaining Tunneling Status

    Display only Layer 2 protocol summary information. show vlan dot1q tag native Display the status of native VLAN tagging on the switch. For detailed information about these displays, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 17-18 OL-9775-08...
  • Page 503: Configuring Stp

    ID. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 504: Stp Overview

    By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that Note do not have small form-factor pluggable (SFP) modules. You can change the default for an interface by entering the [no] keepalive interface configuration command with no keywords. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-2 OL-9775-08...
  • Page 505 Selects the lowest path cost to the root switch – Selects the lowest designated bridge ID – Selects the lowest designated path cost – Selects the lowest port ID – Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-3 OL-9775-08...
  • Page 506 VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-4...
  • Page 507 An interface moves through these states: From initialization to blocking • From blocking to listening or to disabled • • From listening to learning or to disabled Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-5 OL-9775-08...
  • Page 508 An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions: • Discards frames received on the interface Discards frames switched from another interface for forwarding • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-6 OL-9775-08...
  • Page 509: Listening State

    A disabled interface performs these functions: Discards frames received on the interface • • Discards frames switched from another interface for forwarding • Does not learn addresses • Does not receive BPDUs Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-7 OL-9775-08...
  • Page 510: How A Switch Or Port Becomes The Root Switch Or Root Port

    If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-8 OL-9775-08...
  • Page 511: Accelerated Aging To Retain Connectivity

    A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-9 OL-9775-08...
  • Page 512 Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary • extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 513 VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 514: Spanning Tree And Switch Stacks

    Configuring the Root Switch, page 18-16 (optional) Configuring a Secondary Root Switch, page 18-18 (optional) • • Configuring Port Priority, page 18-18 (optional) Configuring Path Cost, page 18-20 (optional) • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-12 OL-9775-08...
  • Page 515 VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-13 OL-9775-08...
  • Page 516 (For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) In Catalyst 3750-E-only and mixed switch stacks, all stack members run the same version of spanning tree. For information about the different spanning-tree modes and how they interoperate, see the “Spanning-Tree Interoperability and Backward Compatibility”...
  • Page 517 To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-15 OL-9775-08...
  • Page 518: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-16 OL-9775-08...
  • Page 519 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-17 OL-9775-08...
  • Page 520 (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-18 OL-9775-08...
  • Page 521 The show spanning-tree interface interface-id privileged EXEC command displays information only Note if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-19 OL-9775-08...
  • Page 522 Return to privileged EXEC mode. Step 6 show spanning-tree interface interface-id Verify your entries. show spanning-tree vlan vlan-id Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-20 OL-9775-08...
  • Page 523: Configuring The Switch Priority Of A Vlan

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-21 OL-9775-08...
  • Page 524 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-22 OL-9775-08...
  • Page 525 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-23 OL-9775-08...
  • Page 526 You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 18-24 OL-9775-08...
  • Page 527: Configuring Mstp

    C H A P T E R Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-E or 3560-E switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 528: Understanding Mstp

    Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-2 OL-9775-08...
  • Page 529 CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-3...
  • Page 530 VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-4 OL-9775-08...
  • Page 531: Hop Count

    Understanding MSTP IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 532: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 533 Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 534: Mstp And Switch Stacks

    IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-8...
  • Page 535: Understanding Rstp

    A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-9...
  • Page 536: Rapid Convergence

    Disabled Disabled Discarding To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 537: Synchronization Of Port Roles

    RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-11 OL-9775-08...
  • Page 538: Bridge Protocol Data Unit Format And Processing

    RSTP flag fields. Table 19-3 RSTP BPDU Flags Function Topology change (TC) Proposal 2–3: Port role: Unknown Alternate port Root port Designated port Learning Forwarding Agreement Topology change acknowledgement (TCA) Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-12 OL-9775-08...
  • Page 539: Topology Changes

    IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-13 OL-9775-08...
  • Page 540: Configuring Mstp Features

    MSTP configuration. Table 19-4 Default MSTP Configuration Feature Default Setting Spanning-tree mode PVST+ (Rapid PVST+ and MSTP are disabled). Switch priority (configurable on a per-CIST port basis) 32768. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-14 OL-9775-08...
  • Page 541: Mstp Configuration Guidelines

    VLAN-to-instance map, the same configuration revision number, and the same name. • For two or more stacked Catalyst 3750-E switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
  • Page 542: Specifying The Mst Region Configuration And Enabling Mstp

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst configuration Enter MST configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-16 OL-9775-08...
  • Page 543 Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 10-20 Switch(config-mst)# name region1 Switch(config-mst)# revision 1 Switch(config-mst)# show pending Pending MST configuration Name [region1] Revision Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-17 OL-9775-08...
  • Page 544 After configuring the switch as the root switch, we recommend that you avoid manually configuring the Note hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-18 OL-9775-08...
  • Page 545 You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-19 OL-9775-08...
  • Page 546 MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. If your Catalyst 3750-E switch is a member of a switch stack, you must use the spanning-tree mst Note [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state.
  • Page 547 If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-21 OL-9775-08...
  • Page 548: Configuring The Switch Priority

    Exercise care when using this command. For most situations, we recommend that you use the Note spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-22 OL-9775-08...
  • Page 549: Configuring The Hello Time

    Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-23 OL-9775-08...
  • Page 550 Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-24 OL-9775-08...
  • Page 551: Specifying The Link Type To Ensure Rapid Transitions

    Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-25 OL-9775-08...
  • Page 552: Designating The Neighbor Type

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-26 OL-9775-08...
  • Page 553: Displaying The Mst Configuration And Status

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-27 OL-9775-08...
  • Page 554 Chapter 19 Configuring MSTP Displaying the MST Configuration and Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 19-28 OL-9775-08...
  • Page 555 (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 556: Understanding Port Fast

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-2 OL-9775-08...
  • Page 557: Understanding Bpdu Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 20-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-3 OL-9775-08...
  • Page 558 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-4...
  • Page 559 Switch C Understanding Cross-Stack UplinkFast For Catalyst 3750-E switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
  • Page 560: How Csuf Works

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-6 OL-9775-08...
  • Page 561: Understanding Backbonefast

    BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-7...
  • Page 562 If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The Catalyst 3750-E switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack.The Catalyst 3560-E switch sends the RLQ request on all alternate paths...
  • Page 563 Switch A, the root switch. Figure 20-8 Adding a Switch in a Shared-Medium Topology Switch A (Root) Switch B Switch C (Designated bridge) Blocked port Added switch Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-9 OL-9775-08...
  • Page 564: Understanding Etherchannel Guard

    MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command. Caution Misuse of the root-guard feature can cause a loss of connectivity. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-10 OL-9775-08...
  • Page 565: Understanding Loop Guard

    Enabling BPDU Guard, page 20-13 (optional) Enabling BPDU Filtering, page 20-14 (optional) • Enabling UplinkFast for Use with Redundant Links, page 20-15 (optional) • Enabling Cross-Stack UplinkFast, page 20-16 (optional) • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-11 OL-9775-08...
  • Page 566: Enabling Port Fast

    PVST+, rapid PVST+, or MSTP. On a Catalyst 3750-E switch, you can configure the UplinkFast, the BackboneFast, or the cross-stack UplinkFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 567: Enabling Bpdu Guard

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-13 OL-9775-08...
  • Page 568: Enabling Bpdu Filtering

    Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology Caution loop could cause a data packet loop and disrupt switch and network operation. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-14 OL-9775-08...
  • Page 569: Enabling Uplinkfast For Use With Redundant Links

    You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-15 OL-9775-08...
  • Page 570: Enabling Backbonefast

    To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command. Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-16 OL-9775-08...
  • Page 571: Enabling Etherchannel Guard

    EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-17 OL-9775-08...
  • Page 572: Enabling Root Guard

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Command Purpose Step 1 show spanning-tree active Verify which interfaces are alternate or root ports. show spanning-tree mst Step 2 configure terminal Enter global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-18 OL-9775-08...
  • Page 573 You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-19 OL-9775-08...
  • Page 574 Chapter 20 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 20-20 OL-9775-08...
  • Page 575: Flex Links

    Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-E or 3560-E switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 576: Vlan Flex Link Load Balancing And Support

    You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On Catalyst 3750-E switches, the Flex Link can be on the same switch or on another switch in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
  • Page 577: Flex Link Multicast Fast Convergence

    When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-3 OL-9775-08...
  • Page 578: Leaking Igmp Reports

    Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401: Switch# show ip igmp snooping mrouter Vlan ports ---- ----- Gi1/0/11(dynamic), Gi1/0/12(dynamic) Gi1/0/11(dynamic), Gi1/0/12(dynamic) Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-4 OL-9775-08...
  • Page 579 GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups: Switch# show ip igmp snooping groups Vlan Group Type Version Port List ----------------------------------------------------------------------- 228.1.5.1 igmp Gi1/0/11, Gi1/0/12, Gi2/0/11 228.1.5.2 igmp Gi1/0/11, Gi1/0/12, Gi2/0/11 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-5 OL-9775-08...
  • Page 580 100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-6...
  • Page 581 You can configure up to 16 backup links. • You can configure only one Flex Link backup link for any active link, and it must be a different • interface from the active interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-7 OL-9775-08...
  • Page 582 Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. When one link is forwarding traffic, the other interface is in standby mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-8 OL-9775-08...
  • Page 583 Configure the time delay until a port preempts another delay delay-time port. Setting a delay time only works with forced and Note bandwidth modes. Step 6 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-9 OL-9775-08...
  • Page 584: Configuring Vlan Load Balancing On Flex Links

    (Optional) Save your entries in the switch startup configuration file. To disable the VLAN load balancing feature, use the no switchport backup interface interface-id prefer vlan vlan-range interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-10 OL-9775-08...
  • Page 585 Vlans Preferred on Active Interface: 1-2,5-4094 Vlans Preferred on Backup Interface: 3-4 Preemption Mode : off Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4) Mac Address Move Update Vlan : auto Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-11 OL-9775-08...
  • Page 586 This example shows how to configure an access switch to send MAC address-table move update messages: Switch# configure terminal Switch(conf)# interface gigabitethernet1/0/1 Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2 Switch(conf-if)# exit Switch(conf)# mac address-table move update transmit Switch(conf)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-12 OL-9775-08...
  • Page 587 EXEC command. This example shows how to configure a switch to get and process MAC address-table move update messages: Switch# configure terminal Switch(conf)# mac address-table move update receive Switch(conf)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-13 OL-9775-08...
  • Page 588 Flex Links and the state of each active and backup backup interface (up or standby mode). show mac address-table Displays the MAC address-table move update information on the move update switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 21-14 OL-9775-08...
  • Page 589: Understanding Dhcp Features

    This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750-E or 3560-E switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 590: Dhcp Server

    • For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 591 DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-3 OL-9775-08...
  • Page 592 Circuit-ID type – Length of the circuit-ID type – Remote-ID suboption fields • Suboption type – Length of the suboption type – – Remote-ID type – Length of the remote-ID type Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-4 OL-9775-08...
  • Page 593 In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a Catalyst 3750-E switch with 24 10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet 1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth.
  • Page 594: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 595: Dhcp Snooping And Switch Stacks

    DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-7 OL-9775-08...
  • Page 596: Configuring Dhcp Features

    Enabling DHCP Snooping and Option 82, page 22-12 • Enabling DHCP Snooping on Private VLANs, page 22-14 • Enabling the Cisco IOS DHCP Server Database, page 22-14 • Enabling the DHCP Snooping Binding Database Agent, page 22-14 • Default DHCP Configuration...
  • Page 597: Dhcp Snooping Configuration Guidelines

    URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-9 OL-9775-08...
  • Page 598: Configuring The Dhcp Server

    RSPAN VLANs, DHCP packets might not reach the RSPAN destination port. Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 599: Specifying The Packet Forwarding Address

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures: Checking (validating) the relay agent information •...
  • Page 600: Enabling Dhcp Snooping And Option 82

    The default setting is disabled. Enter this command only on aggregation switches that are Note connected to trusted devices. Step 7 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-12 OL-9775-08...
  • Page 601 100 packets per second on a port: Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 Switch(config)# ip dhcp snooping information option Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# ip dhcp snooping limit rate 100 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-13 OL-9775-08...
  • Page 602: Enabling Dhcp Snooping On Private Vlans

    VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 603: Displaying Dhcp Snooping Information

    Display the dynamically and statically configured bindings. If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the Note statically configured bindings. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-15 OL-9775-08...
  • Page 604: Understanding Ip Source Guard

    ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-16 OL-9775-08...
  • Page 605: Source Ip And Mac Address Filtering

    DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-17 OL-9775-08...
  • Page 606: Configuring Ip Source Guard

    If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-18 OL-9775-08...
  • Page 607: Enabling Ip Source Guard

    (Optional) Save your entries in the configuration file. To disable IP source guard with source IP address filtering, use the no ip verify source interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-19 OL-9775-08...
  • Page 608: Configuring Ip Source Guard For Static Hosts

    Step 3 interface interface-id Enter interface configuration mode. Step 4 switchport mode access Configure a port as access. Step 5 switchport access vlan vlan-id Configure the VLAN for this port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-20 OL-9775-08...
  • Page 609 This example shows how to enable IPSG for static hosts with IP filters on a Layer 2 access port and to verify the valid IP bindings on the interface Gi1/0/3: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip device tracking Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-21 OL-9775-08...
  • Page 610 GigabitEthernet1/0/2 ACTIVE 200.1.1.1 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE 200.1.1.2 0001.0600.0000 GigabitEthernet1/0/2 ACTIVE 200.1.1.2 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE 200.1.1.3 0001.0600.0000 GigabitEthernet1/0/2 ACTIVE 200.1.1.3 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE 200.1.1.4 0001.0600.0000 GigabitEthernet1/0/2 ACTIVE 200.1.1.4 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-22 OL-9775-08...
  • Page 611: Configuring Ip Source Guard For Static Hosts On A Private Vlan Host Port

    IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with static hosts will reject all the IP traffic from that interface. This requirement also applies to IPSG with static hosts on a Layer 2 access port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-23 OL-9775-08...
  • Page 612 Switch(config)# vlan 201 Switch(config-vlan)# private-vlan isolated Switch(config-vlan)# exit Switch(config)# vlan 200 Switch(config-vlan)# private-vlan association 201 Switch(config-vlan)# exit Switch(config)# interface gigabitethernet1/0/3 Switch(config-if)# switchport mode private-vlan host Switch(config-if)# switchport private-vlan host-association 200 201 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-24 OL-9775-08...
  • Page 613: Displaying Ip Source Guard Information

    In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-25...
  • Page 614 In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 615 DHCP address pool. Step 4 address ip-address client-id string [ascii] Reserve an IP address for a DHCP client identified by the interface name. string—can be an ASCII value or a hexadecimal value. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-27 OL-9775-08...
  • Page 616 1 subnet is currently in the pool: Current index IP address range Leased/Excluded/Total 10.1.1.1 10.1.1.1 - 10.1.1.254 / 4 / 254 1 reserved address is currently in the pool Address Client 10.1.1.7 Et1/0 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-28 OL-9775-08...
  • Page 617 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 618 Chapter 22 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port-Based Address Allocation Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-30 OL-9775-08...
  • Page 619 Catalyst 3750-E or 3560-E switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 620 “Configuring ARP ACLs for Non-DHCP Environments” section on page 23-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 23-5. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-2 OL-9775-08...
  • Page 621: Interface Trust States And Network Security

    If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-3 OL-9775-08...
  • Page 622: Rate Limiting Of Arp Packets

    The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-4 OL-9775-08...
  • Page 623: Logging Of Dropped Packets

    The rate is unlimited on all trusted interfaces. The burst interval is 1 second. ARP ACLs for non-DHCP No ARP ACLs are defined. environments Validation checks No checks are performed. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-5 OL-9775-08...
  • Page 624: Dynamic Arp Inspection Configuration Guidelines

    30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-6 OL-9775-08...
  • Page 625: Configuring Dynamic Arp Inspection In Dhcp Environments

    This procedure is required. Command Purpose Step 1 show cdp neighbors Verify the connection between the switches. Step 2 configure terminal Enter global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-7 OL-9775-08...
  • Page 626 This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B: Switch(config)# ip arp inspection vlan 1 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip arp inspection trust Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-8 OL-9775-08...
  • Page 627 For more information, see the “Configuring the Log Buffer” section on page 23-13. Step 4 exit Return to global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-9 OL-9775-08...
  • Page 628 To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-10 OL-9775-08...
  • Page 629: Limiting The Rate Of Incoming Arp Packets

    ARP packets.The range is 1 to 15. For rate none, specify no upper limit for the rate of incoming ARP • packets that can be processed. Step 4 exit Return to global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-11 OL-9775-08...
  • Page 630: Performing Validation Checks

    Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-12 OL-9775-08...
  • Page 631: Configuring The Log Buffer

    VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-13...
  • Page 632 The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-14 OL-9775-08...
  • Page 633: Displaying Dynamic Arp Inspection Information

    ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-15 OL-9775-08...
  • Page 634 Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 23-16 OL-9775-08...
  • Page 635 Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 636: Understanding Igmp Snooping

    For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236. Note The multicast router (which could be a Catalyst 3750-E switch with the IP services feature set on the stack master) sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.
  • Page 637: Igmp Versions

    The CPU also adds the interface where the join message was received to the forwarding-table entry. The host associated with that interface receives multicast traffic for that multicast group. See Figure 24-1. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-3 OL-9775-08...
  • Page 638 The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-4...
  • Page 639: Leaving A Multicast Group

    If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-5...
  • Page 640: Immediate Leave

    IGMPv2, and IGMPv3 reports for a group to the multicast devices. If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 24-15. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-6 OL-9775-08...
  • Page 641: Igmp Snooping And Switch Stacks

    IGMP snooping Immediate Leave Disabled Static groups None configured flood query count TCN query solicitation Disabled IGMP snooping querier Disabled IGMP report suppression Enabled 1. TCN = Topology Change Notification Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-7 OL-9775-08...
  • Page 642: Enabling Or Disabling Igmp Snooping

    • Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets Listening to Cisco Group Management Protocol (CGMP) packets from other routers • • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 643 To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch. Note Static connections to multicast routers are supported only on switch ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-9 OL-9775-08...
  • Page 644: Configuring A Host Statically To Join A Group

    (Optional) Save your entries in the configuration file. To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-10 OL-9775-08...
  • Page 645: Enabling Igmp Immediate Leave

    The actual leave latency in the network is usually the configured leave time. However, the leave time • might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-11 OL-9775-08...
  • Page 646 Specify the number of IGMP general queries for which the multicast count traffic is flooded. The range is 1 to 10. By default, the flooding query count is 2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-12 OL-9775-08...
  • Page 647 Beginning in privileged EXEC mode, follow these steps to disable multicast flooding on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-13 OL-9775-08...
  • Page 648: Configuring The Igmp Snooping Querier

    IP address, the querier tries to use the global IP address configured for the IGMP querier. The IGMP snooping querier does not generate an IGMP Note general query if it cannot find an IP address on the switch. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-14 OL-9775-08...
  • Page 649: Disabling Igmp Report Suppression

    IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-15 OL-9775-08...
  • Page 650: Displaying Igmp Snooping Information

    IGMP snooping. • ip_address—Display characteristics of the multicast group with the • specified group IP address. user—Display only the user-configured multicast entries. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-16 OL-9775-08...
  • Page 651: Understanding Multicast Vlan Registration

    VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-17 OL-9775-08...
  • Page 652: Using Mvr In A Multicast Television Application

    VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-18 OL-9775-08...
  • Page 653 VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-19...
  • Page 654: Configuring Mvr

    If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-20 OL-9775-08...
  • Page 655: Configuring Mvr Global Parameters

    (Optional) Save your entries in the configuration file. startup-config To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-21 OL-9775-08...
  • Page 656: Configuring Mvr Interfaces

    This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected. Step 7 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-22 OL-9775-08...
  • Page 657: Displaying Mvr Information

    VLAN ID range is 1 to 1001 and 1006 to 4094. show mvr members [ip-address] Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-23 OL-9775-08...
  • Page 658: Configuring Igmp Filtering And Throttling

    Default IGMP Filtering Configuration Feature Default Setting IGMP filters None applied IGMP maximum number of IGMP groups No maximum set IGMP profiles None defined IGMP profile action Deny the range addresses Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-24 OL-9775-08...
  • Page 659: Configuring Igmp Profiles

    To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-25 OL-9775-08...
  • Page 660: Applying Igmp Profiles

    To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command. This example shows how to apply IGMP profile 4 to a port: Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# ip igmp filter 4 Switch(config-if)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-26 OL-9775-08...
  • Page 661: Setting The Maximum Number Of Igmp Groups

    EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group. When the maximum group limitation is set to the default (no maximum), entering the ip igmp • max-groups action {deny | replace} command has no effect. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-27 OL-9775-08...
  • Page 662 (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-28 OL-9775-08...
  • Page 663: Displaying Igmp Filtering And Throttling Configuration

    Displays the configuration of the specified interface or the configuration of all interfaces interface-id] on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-29 OL-9775-08...
  • Page 664 Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Catalyst 3750-E and 3560-E Switch Software Configuration Guide 24-30 OL-9775-08...
  • Page 665 You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 666 Multicast Router Discovery, page 25-4 • • MLD Reports, page 25-4 • MLD Done Messages and Immediate-Leave, page 25-4 • Topology Change Notification Processing, page 25-5 MLD Snooping in Switch Stacks, page 25-5 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-2 OL-9775-08...
  • Page 667: Mld Messages

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-E or 3560-E switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 668: Multicast Router Discovery

    MASQs. A port is removed from membership to an address when there are no MLDv1 reports to the address on the port for the configured number of queries. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-4...
  • Page 669: Topology Change Notification Processing

    Configuring a Multicast Router Port, page 25-8 • Enabling MLD Immediate Leave, page 25-9 • Configuring MLD Snooping Queries, page 25-10 • Disabling MLD Listener Message Suppression, page 25-11 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-5 OL-9775-08...
  • Page 670: Default Mld Snooping Configuration

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-E or Catalyst 3560-E switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 671: Enabling Or Disabling Mld Snooping

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-E or 3560-E switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 672: Configuring A Static Multicast Group

    (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Static connections to multicast routers are supported only on switch ports. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-8 OL-9775-08...
  • Page 673: Enabling Mld Immediate Leave

    To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-9 OL-9775-08...
  • Page 674: Configuring Mld Snooping Queries

    [vlan (Optional) Verify that the MLD snooping querier information for the vlan-id] switch or for the VLAN. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-10 OL-9775-08...
  • Page 675: Disabling Mld Listener Message Suppression

    Return to privileged EXEC mode. Step 4 show ipv6 mld snooping Verify that IPv6 MLD snooping report suppression is disabled. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-11 OL-9775-08...
  • Page 676: Displaying Mld Snooping Information

    Enter user to display MLD snooping user-configured group • information for the switch or for a VLAN. show ipv6 mld snooping multicast-address vlan Display MLD snooping for the specified VLAN and IPv6 multicast vlan-id [ipv6-multicast-address] address. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 25-12 OL-9775-08...
  • Page 677: Configuring Storm Control

    This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 678 Traffic rate in packets per second and for small frames. This feature is enabled globally. The • threshold for small frames is configured for each interface. (Cisco IOS Release 12.2(44)SE or later) With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding.
  • Page 679: Default Storm Control Configuration

    Beginning in privileged EXEC mode, follow these steps to storm control and threshold levels: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-3 OL-9775-08...
  • Page 680 Select the shutdown keyword to error-disable the port during a storm. Select the trap keyword to generate an SNMP trap when a • storm is detected. Step 5 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-4 OL-9775-08...
  • Page 681 Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 682: Configuring Protected Ports

    Default Protected Port Configuration, page 26-6 • Protected Port Configuration Guidelines, page 26-7 • Configuring a Protected Port, page 26-7 Default Protected Port Configuration The default is to have no protected ports defined. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-6 OL-9775-08...
  • Page 683: Protected Port Configuration Guidelines

    With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that Note contain IPv4 or IPv6 information in the header are not blocked. • Default Port Blocking Configuration, page 26-8 Blocking Flooded Traffic on an Interface, page 26-8 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-7 OL-9775-08...
  • Page 684: Default Port Blocking Configuration

    MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-8...
  • Page 685: Understanding Port Security

    If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-9 OL-9775-08...
  • Page 686: Security Violations

    In this mode, the VLAN is error • disabled instead of the entire port when a violation occurs Table 26-1 shows the violation mode and the actions taken when you configure an interface for port security. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-10 OL-9775-08...
  • Page 687: Default Port Security Configuration

    When you enable port security on an interface that is also configured with a voice VLAN, set the • maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice...
  • Page 688 Configuring Port Security VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 689: Enabling And Configuring Port Security

    The voice keyword is available only if a voice VLAN is configured on Note a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-13 OL-9775-08...
  • Page 690 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-14 OL-9775-08...
  • Page 691 VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config (Optional) Save your entries in the configuration file. startup-config Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-15 OL-9775-08...
  • Page 692 Switch(config-if)# switchport mode access Switch(config-if)# switchport voice vlan 22 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 20 Switch(config-if)# switchport port-security violation restrict Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-16 OL-9775-08...
  • Page 693: Enabling And Configuring Port Security Aging

    Step 4 Return to privileged EXEC mode. Step 5 show port-security [interface interface-id] Verify your entries. [address] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-17 OL-9775-08...
  • Page 694: Port Security And Switch Stacks

    Step 5 Return to privileged EXEC mode. Step 6 show port-security [interface interface-id] Verify your entries. [address] Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-18 OL-9775-08...
  • Page 695 Displays the number of secure MAC addresses configured per VLAN on the specified interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-19 OL-9775-08...
  • Page 696 Chapter 26 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Catalyst 3750-E and 3560-E Switch Software Configuration Guide 26-20 OL-9775-08...
  • Page 697: Configuring Cdp

    • Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 698: Cdp And Switch Stacks

    (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 27-2 OL-9775-08...
  • Page 699: Disabling And Enabling Cdp

    27-5. Disabling and Enabling CDP CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
  • Page 700: Disabling And Enabling Cdp On An Interface

    (Optional) Save your entries in the configuration file. This example shows how to enable CDP on a port when it has been disabled. Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# cdp enable Switch(config-if)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 27-4 OL-9775-08...
  • Page 701: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 27-5 OL-9775-08...
  • Page 702 Chapter 27 Configuring CDP Monitoring and Maintaining CDP Catalyst 3750-E and 3560-E Switch Software Configuration Guide 27-6 OL-9775-08...
  • Page 703 This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 704 Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-2 OL-9775-08...
  • Page 705: Wired Location Service

    Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.
  • Page 706 If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-4 OL-9775-08...
  • Page 707: Default Lldp Configuration

    You cannot configure static secure MAC addresses on an interface that has a network-policy profile. • • You cannot configure a network-policy profile on a private-VLAN port. For wired location to function, you must first enter the ip device tracking global configuration • command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-5 OL-9775-08...
  • Page 708: Enabling Lldp

    (Optional) Specify the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-6 OL-9775-08...
  • Page 709 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-7 OL-9775-08...
  • Page 710 Step 5 interface interface-id Specify the interface on which you are configuring a network-policy profile, and enter interface configuration mode. Step 6 network-policy profile number Specify the network-policy profile number. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-8 OL-9775-08...
  • Page 711: Configuring Location Tlv And Wired Location Service

    • format. Step 3 exit Return to global configuration mode. Step 4 interface interface-id Specify the interface on which you are configuring the location information, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-9 OL-9775-08...
  • Page 712 30. Step 4 Return to privileged EXEC mode. Step 5 show network-policy profile Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-10 OL-9775-08...
  • Page 713 TLVs. show location Display the location information for an endpoint. show network-policy profile Display the configured network-policy profiles. show nmsp Display the NMSP information. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-11 OL-9775-08...
  • Page 714 Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service Catalyst 3750-E and 3560-E Switch Software Configuration Guide 28-12 OL-9775-08...
  • Page 715 This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 716: Methods To Detect Unidirectional Links

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-2...
  • Page 717 If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface. Switch B Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-3 OL-9775-08...
  • Page 718: Default Udld Configuration

    Loop guard works only on point-to-point links. We recommend that each end of the link has a directly Caution connected device that is running STP. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-4 OL-9775-08...
  • Page 719: Enabling Udld Globally

    To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-5 OL-9775-08...
  • Page 720: Enabling Udld On An Interface

    The errdisable recovery cause udld global configuration command enables the timer to • automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-6 OL-9775-08...
  • Page 721: Displaying Udld Status

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-7 OL-9775-08...
  • Page 722 Chapter 29 Configuring UDLD Displaying UDLD Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 29-8 OL-9775-08...
  • Page 723 This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 724: Local Span

    Example of Local SPAN Configuration on a Single Switch Port 5 traffic mirrored 1 2 3 4 5 6 7 8 9 10 11 12 on Port 10 Network analyzer Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-2 OL-9775-08...
  • Page 725: Remote Span

    RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-3 OL-9775-08...
  • Page 726: Span And Rspan Concepts And Terminology

    SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN data, which is directed to the destination port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-4 OL-9775-08...
  • Page 727 An RSPAN destination session cannot have a local source port. – An RSPAN destination session and an RSPAN source session that are using the same RSPAN – VLAN cannot run on the same switch or switch stack. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-5 OL-9775-08...
  • Page 728: Monitored Traffic

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 729 You cannot use filter VLANs in the same session with VLAN sources. • You can monitor only Ethernet VLANs. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-7 OL-9775-08...
  • Page 730: Vlan Filtering

    It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP). • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source • list and is not monitored. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-8 OL-9775-08...
  • Page 731 RSPAN session. It is also possible to have multiple RSPAN destination sessions throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN VLAN ID separates the sessions. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-9 OL-9775-08...
  • Page 732: Span And Rspan Interaction With Other Features

    For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-10 OL-9775-08...
  • Page 733: Span And Rspan And Switch Stacks

    A system message notifies you of this action, which is called reloading. The IPv4, IPv6 and MAC FSPAN ACLs can be unloaded or reloaded independently. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-11 OL-9775-08...
  • Page 734: Default Span And Rspan Configuration

    SPAN Configuration Guidelines, page 30-13 • Creating a Local SPAN Session, page 30-14 • Creating a Local SPAN Session and Configuring Incoming Traffic, page 30-16 • Specifying VLANs to Filter, page 30-18 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-12 OL-9775-08...
  • Page 735 0/1 to tengigabitethernet 0/4 or gigabitethernet 0/1 to gigabitethernet 0/8 b—tengigabitethernet 0/5 to tengigabitethernet 0/8 or gigabitethernet 0/9 to gigabitethernet 0/16 c—tengigabitethernet 0/9 to tengigabitethernet 0/12 or gigabitethernet 0/17 to gigabitethernet 0/24 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-13 OL-9775-08...
  • Page 736 This is the default. • rx—Monitor received traffic. • tx—Monitor sent traffic. • You can use the monitor session session_number source Note command multiple times to configure multiple source ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-14 OL-9775-08...
  • Page 737 Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-15 OL-9775-08...
  • Page 738 VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 739 IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN. Switch(config)# no monitor session 2 Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6 Switch(config)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-17 OL-9775-08...
  • Page 740 Step 8 copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-18 OL-9775-08...
  • Page 741: Configuring Rspan

    If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted • flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-19 OL-9775-08...
  • Page 742: Creating An Rspan Source Session

    | remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-20 OL-9775-08...
  • Page 743 To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-21 OL-9775-08...
  • Page 744: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-22 OL-9775-08...
  • Page 745 Switch(config)# monitor session 1 source interface gigabitethernet0/2 rx Switch(config)# monitor session 1 filter vlan 1 - 5 , 9 Switch(config)# monitor session 1 destination remote vlan 902 destination-port group a Switch(config)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-23 OL-9775-08...
  • Page 746 Step 8 Return to privileged EXEC mode. Step 9 show monitor [session session_number] Verify the configuration. show running-config Step 10 copy running-config startup-config (Optional) Save the configuration in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-24 OL-9775-08...
  • Page 747: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 748 VLAN 6 as the default receiving VLAN. Switch(config)# monitor session 2 source remote vlan 901 Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6 Switch(config)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-26 OL-9775-08...
  • Page 749: Configuring Fspan And Frspan

    Port-based FSPAN sessions can be configured on a stack that includes Catalyst 3750 switches as • long as the session only includes Catalyst 3750-E ports as source ports. If the session has any Catalyst 3750 ports as source ports, the FSPAN ACL command is rejected. If the session has FSPAN ACL configured, any commands including Catalyst 3750 ports as source ports are rejected.
  • Page 750: Configuring An Fspan Session

    This is the default. • rx—Monitor received traffic. • tx—Monitor sent traffic. • You can use the monitor session session_number source Note command multiple times to configure multiple source ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-28 OL-9775-08...
  • Page 751: Configuring An Frspan Session

    | remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-29 OL-9775-08...
  • Page 752 Step 9 Return to privileged EXEC mode. Step 10 show monitor [session session_number] Verify the configuration. show running-config Step 11 copy running-config startup-config (Optional) Save the configuration in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-30 OL-9775-08...
  • Page 753 To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-31 OL-9775-08...
  • Page 754 Chapter 30 Configuring SPAN and RSPAN Displaying SPAN, RSPAN. FSPAN, and FRSPAN Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 30-32 OL-9775-08...
  • Page 755 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 756 Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required. Note 64-bit counters are not supported for RMON alarms. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-2 OL-9775-08...
  • Page 757: Default Rmon Configuration

    You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 33, “Configuring SNMP.” 64-bit counters are not supported for RMON alarms. Note Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-3 OL-9775-08...
  • Page 758 SNMP community string used for this trap. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-4 OL-9775-08...
  • Page 759: Collecting Group History Statistics On An Interface

    (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-5 OL-9775-08...
  • Page 760: Collecting Group Ethernet Statistics On An Interface

    Table 31-1 Commands for Displaying RMON Status Command Purpose show rmon Displays general RMON statistics. show rmon alarms Displays the RMON alarm table. show rmon events Displays the RMON event table. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-6 OL-9775-08...
  • Page 761 Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-7...
  • Page 762 Chapter 31 Configuring RMON Displaying RMON Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 31-8 OL-9775-08...
  • Page 763: Configuring System Message Logging

    Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 764: System Log Message Format

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-2 OL-9775-08...
  • Page 765 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2) Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-3 OL-9775-08...
  • Page 766: Default System Message Logging Configuration

    Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no logging console Disable message logging. Step 3 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-4 OL-9775-08...
  • Page 767: Setting The Message Display Destination Device

    To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 32-12. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-5 OL-9775-08...
  • Page 768: Synchronizing Log Messages

    Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-6 OL-9775-08...
  • Page 769 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-7 OL-9775-08...
  • Page 770: Enabling And Disabling Time Stamps On Log Messages

    Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service sequence-numbers Enable sequence numbers. Step 3 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-8 OL-9775-08...
  • Page 771: Defining The Message Severity Level

    To disable logging to syslog servers, use the no logging trap global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-9 OL-9775-08...
  • Page 772: Limiting Syslog Messages Sent To The History Table And To Snmp

    By default, one message of the level warning and numerically lower levels (see Table 32-3 on page 32-10) are stored in the history table even if syslog traps are not enabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-10 OL-9775-08...
  • Page 773 The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T. Catalyst 3750-E and 3560-E Switch Software Configuration Guide...
  • Page 774: Configuring Unix Syslog Servers

    Logging Messages to a UNIX Syslog Daemon Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-12 OL-9775-08...
  • Page 775: Configuring The Unix System Logging Facility

    Step 4 logging facility facility-type Configure the syslog facility. See Table 32-4 on page 32-14 facility-type keywords. The default is local7. Step 5 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 32-13 OL-9775-08...
  • Page 776: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 777 MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events. On the Catalyst 3750-E switch, the stack master handles the SNMP requests and traps for the whole switch stack. The stack master transparently manages any requests or traps that are related to all stack members.
  • Page 778: Snmp Versions

    A combination of the security level and the security model determine which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-2 OL-9775-08...
  • Page 779: Snmp Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-3 OL-9775-08...
  • Page 780: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
  • Page 781: Snmp Notifications

    The switch uses one of the values in Table 33-3 to assign an ifIndex value to an interface: Table 33-3 ifIndex Values Interface Type ifIndex Range 1–4999 EtherChannel 5000–5012 Loopback 5013–5077 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-5 OL-9775-08...
  • Page 782: Default Snmp Configuration

    If no type is specified, all notifications are sent. 1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-6 OL-9775-08...
  • Page 783: Snmp Configuration Guidelines

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 784: Configuring Community Strings

    MIB objects. By default, the community string permits read-only access to all objects. (Optional) For access-list-number, enter an IP standard access • list numbered from 1 to 99 and 1300 to 1999. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-8 OL-9775-08...
  • Page 785: Configuring Snmp Groups And Users

    You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-9 OL-9775-08...
  • Page 786 64 characters) that is the name of the view in which you specify a notify, inform, or trap. (Optional) Enter access access-list with a string (not to exceed • 64 characters) that is the name of the access list. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-10 OL-9775-08...
  • Page 787 To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user EXEC command. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-11 OL-9775-08...
  • Page 788: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 789 You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 33-5. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-13 OL-9775-08...
  • Page 790 Avoid using the @ symbol as part of the SNMP community string when configuring this command. (Optional) For notification-type, use the keywords listed in • Table 33-5 on page 33-12. If no type is specified, all notifications are sent. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-14 OL-9775-08...
  • Page 791 To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-15 OL-9775-08...
  • Page 792: Setting The Cpu Threshold Notification Types And Values

    Dial System Operator at beeper 21555. Step 3 snmp-server location text Set the system location string. For example: snmp-server location Building 3/Room 222 Step 4 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-16 OL-9775-08...
  • Page 793: Limiting Tftp Servers Used Through Snmp

    Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-17 OL-9775-08...
  • Page 794: Snmp Examples

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 795: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 33-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 33-6 Commands for Displaying SNMP Information Feature...
  • Page 796 Chapter 33 Configuring SNMP Displaying SNMP Status Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-20 OL-9775-08...
  • Page 797 An EEM policy defines an event and the actions to be taken when that event occurs. This chapter tells how to use EEM and how to configure it on a Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a standalone switch or a Catalyst 3750-E switch stack.
  • Page 798 Subscribes to receive events subscribers and implements policy actions EEM APPLET EEM SCRIPT See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment. Event Detectors, page 34-3 • Embedded Event Manager Actions, page 34-4 •...
  • Page 799: Event Detectors

    Counter event detector—Publishes an event when a named counter crosses a specified threshold. • Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for • a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value.For example, if the incremental value is set to 50 an event would be...
  • Page 800: Embedded Event Manager Actions

    Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when • Publishes an event when one of these events occurs: CPU utilization for a Cisco IOS process crosses a threshold. – Memory utilization for a Cisco IOS process crosses a threshold.
  • Page 801: Embedded Event Manager Environment Variables

    Cisco built-in variables (available in EEM applets) • Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
  • Page 802: Registering And Defining An Embedded Event Manager Applet

    Registering and Defining an Embedded Event Manager TCL Script, page 34-7 • For complete information about configuring embedded event manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. To configure EEM, you must have the IP services feature set installed on the switch.
  • Page 803: Registering And Defining An Embedded Event Manager Tcl Script

    This example shows the sample output for the show event manager environment command: Switch# show event manager environment all Name Value _cron_entry 0-59/2 0-23/1 * * 0-6 _show_cmd show ver _syslog_pattern .*UPDOWN.*Ethernet1/0.* Catalyst 3750-E and 3560-E Switch Software Configuration Guide 34-7 OL-9775-08...
  • Page 804: Displaying Embedded Event Manager Information

    Switch(config)# event manager environment_cron_entry 0-59/2 0-23/1 * * 0-6 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
  • Page 805 This chapter describes how to configure network security on the Catalyst 3750-E or 3560-E switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 806: Understanding Acls

    Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-2 OL-9775-08...
  • Page 807 Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-3...
  • Page 808 The switch supports these access lists for IPv4 traffic: Standard IP access lists use source addresses for matching operations. • Extended IP access lists use source and destination addresses and optional protocol type information • for matching operations. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-4 OL-9775-08...
  • Page 809: Handling Fragmented And Unfragmented Traffic

    Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-5 OL-9775-08...
  • Page 810: Acls And Switch Stacks

    If packets must be forwarded by software for any reason (for example, not enough hardware resources), the master switch forwards the packets only after applying ACLs on the packets. It programs its hardware with the ACL information it processes. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-6 OL-9775-08...
  • Page 811: Configuring Ipv4 Acls

    ACL information to all switches in the stack. Configuring IPv4 ACLs Configuring IP v4ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 812: Creating Standard And Extended Ipv4 Acls

    AppleTalk access list 700–799 48-bit MAC address access list 800–899 IPX standard access list 900–999 IPX extended access list 1000–1099 IPX SAP access list 1100–1199 Extended 48-bit MAC address access list Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-8 OL-9775-08...
  • Page 813 IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-9...
  • Page 814: Creating A Numbered Standard Acl

    Switch (config)# access-list 2 deny host 171.69.198.102 Switch (config)# access-list 2 permit any Switch(config)# end Switch# show access-lists Standard IP access list 2 10 deny 171.69.198.102 20 permit any Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-10 OL-9775-08...
  • Page 815 For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2...
  • Page 816 DSCP value specified by a number • from 0 to 63, or use the question mark (?) to see a list of available values. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-12 OL-9775-08...
  • Page 817 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 818 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 819 The ACL must be an extended named ACL. – match input-interface interface-id-list – match ip dscp dscp-list match ip precedence ip-precedence-list – You cannot enter the match access-group acl-index command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-15 OL-9775-08...
  • Page 820 Show the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a named extended ACL, use the no ip access-list extended name global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-16 OL-9775-08...
  • Page 821 The time range relies on the switch system clock; therefore, you need a reliable clock source. We Note recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 7-1. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-17 OL-9775-08...
  • Page 822 Switch(config)# access-list 188 permit tcp any any time-range workhours Switch(config)# end Switch# show access-lists Extended IP access list 188 10 deny tcp any any time-range new_year_day_2006 (inactive) 20 permit tcp any any time-range workhours (inactive) Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-18 OL-9775-08...
  • Page 823: Including Comments In Acls

    For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 35-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 35-31. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-19 OL-9775-08...
  • Page 824: Applying An Ipv4 Acl To An Interface

    These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-20...
  • Page 825 When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-21 OL-9775-08...
  • Page 826: Hardware And Software Treatment Of Ip Acls

    Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-22...
  • Page 827: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 828 Note that with extended ACLs, you must enter the protocol (IP) before the source and destination information. Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31 Switch(config)# end Switch# show access-lists Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-24 OL-9775-08...
  • Page 829: Numbered Acls

    Internet. Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip access-group 102 in Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-25 OL-9775-08...
  • Page 830: Named Acls

    Smith is not allowed access: Switch(config)# access-list 1 remark Permit only Jones workstation through Switch(config)# access-list 1 permit 171.69.2.88 Switch(config)# access-list 1 remark Do not allow Smith workstation through Switch(config)# access-list 1 deny 171.69.3.13 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-26 OL-9775-08...
  • Page 831: Acl Logging

    0.0.0.255 and denies all UDP packets. Switch(config)# ip access-list extended ext1 Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log Switch(config-ext-nacl)# deny udp any any log Switch(config-std-nacl)# exit Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# ip access-group ext1 in Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-27 OL-9775-08...
  • Page 832: Creating Named Mac Extended Acls

    Though visible in the command-line help strings, appletalk is not supported as a matching condition for Note the deny and permit MAC access-list configuration mode commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-28 OL-9775-08...
  • Page 833 Switch(config)# mac access-list extended mac1 Switch(config-ext-macl)# deny any any decnet-iv Switch(config-ext-macl)# permit any any Switch(config-ext-macl)# end Switch # show access-lists Extended MAC access list mac1 10 deny any any decnet-iv 20 permit any any Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-29 OL-9775-08...
  • Page 834: Applying A Mac Acl To A Layer 2 Interface

    ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-30...
  • Page 835: Configuring Vlan Maps

    If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-31...
  • Page 836: Creating A Vlan Map

    IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists. Step 5 Return to global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-32 OL-9775-08...
  • Page 837 Forward all UDP packets • Drop all IGMP packets Forward all TCP packets • Drop all other IP packets • Forward all non-IP packets • Switch(config)# access-list 101 permit udp any any Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-33 OL-9775-08...
  • Page 838 Drop all other IP packets • Drop all other MAC packets • Switch(config)# vlan access-map drop-all-default 10 Switch(config-access-map)# match ip address tcp-match Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-all-default 20 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-34 OL-9775-08...
  • Page 839: Applying A Vlan Map To A Vlan

    Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-35...
  • Page 840: Denying Access To A Server On Another A Vlan

    (see Figure 35-5): Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access. • Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-36 OL-9775-08...
  • Page 841: Using Vlan Maps With Router Acls

    VLAN map to access control the bridged traffic. If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-37 OL-9775-08...
  • Page 842: Vlan Maps And Router Acl Configuration Guidelines

    If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-38 OL-9775-08...
  • Page 843: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Figure 35-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-39 OL-9775-08...
  • Page 844 Figure 35-8 Applying ACLs on Routed Packets Input Output VLAN 10 router router VLAN 20 Frame Host A Host B (VLAN 10) (VLAN 20) Routing function VLAN 10 VLAN 20 Packet Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-40 OL-9775-08...
  • Page 845: Displaying Ipv4 Acl Configuration

    (numbered or named). show ip access-lists [number | name] Display the contents of all current IP access lists or a specific IP access list (numbered or named). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-41 OL-9775-08...
  • Page 846 Show information about all VLAN access maps or the specified access map. show vlan filter [access-map name | vlan vlan-id] Show information about all VLAN filters or about a specified VLAN or VLAN access map. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 35-42 OL-9775-08...
  • Page 847 ACLs to filter Layer 3 management traffic when the switch is running the IP base feature set. This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
  • Page 848: Supported Acl Features

    Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software. • Logging is supported for router ACLs, but not for port ACLs. • The switch supports IPv6 address-matching for a full range of prefix-lengths. • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 36-2 OL-9775-08...
  • Page 849: Ipv6 Acl Limitations

    With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: • The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
  • Page 850: Default Ipv6 Acl Configuration

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 access-list Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode. access-list-name Catalyst 3750-E and 3560-E Switch Software Configuration Guide 36-4 OL-9775-08...
  • Page 851 (Optional) Enter sequence value to specify the sequence number for the access list • statement. The acceptable range is from 1 to 4294967295. (Optional) Enter time-range name to specify the time range that applies to the • deny or permit statement. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 36-5 OL-9775-08...
  • Page 852 [dscp and code names, use the ? key or see command reference for this release. value] [log] [log-input] [routing] [sequence value] [time-range name] Step 4 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 36-6 OL-9775-08...
  • Page 853: Applying An Ipv6 Acl To An Interface

    This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
  • Page 854: Displaying Ipv6 Acls

    Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface: Switch(config)# interface gigabitethernet 1/0/3 Switch(config-if)# no switchport...
  • Page 855: Configuring Qos

    It sends the packets without any assurance of reliability, delay bounds, or throughput. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
  • Page 856: Understanding Qos

    Understanding QoS The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, see the “Modular Quality of Service Command-Line Interface” chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2.
  • Page 857 Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-3 OL-9775-08...
  • Page 858: Basic Qos Model

    Scheduling services the four egress queues based on their configured SRR shared or shaped weights. • One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-4 OL-9775-08...
  • Page 859 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-5...
  • Page 860 CoS of the port. Yyou can do this for both IPv4 and IPv6 traffic. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-6 OL-9775-08...
  • Page 861 You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). You can also classify IP traffic based on IPv6 ACLs. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-7...
  • Page 862 In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-8 OL-9775-08...
  • Page 863: Policing And Marking

    “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 37-64, and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 37-72. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-9 OL-9775-08...
  • Page 864 A nonhierarchical policy map on a physical port. • The interface level of a hierarchical policy map attached to an SVI. The physical ports are specified • in this secondary policy map. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-10 OL-9775-08...
  • Page 865: Policing On Svis

    SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-11 OL-9775-08...
  • Page 866 Pass through Drop Verify the out-of-profile action Drop packet. configured for this policer. Mark Modify DSCP according to the policed-DSCP map. Generate a new QoS label. Done Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-12 OL-9775-08...
  • Page 867: Mapping Tables

    Scheduling on Ingress Queues” section on page 37-16. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 37-19. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-13 OL-9775-08...
  • Page 868: Queueing And Scheduling Overview

    Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 37-6 Figure 37-7. Figure 37-6 Ingress and Egress Queue Location on Catalyst 3750-E Switches Policer Marker Egress queues Stack ring Policer...
  • Page 869: Weighted Tail Drop

    Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-15 OL-9775-08...
  • Page 870 Queueing and Scheduling on Ingress Queues Figure 37-9 Figure 37-10 show the queueing and scheduling flowcharts for ingress ports. Figure 37-9 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750-E Switches Start Read QoS label (DSCP or CoS value). Determine ingress queue number, buffer allocation, and WTD thresholds.
  • Page 871 You can configure the bandwidth required for this traffic as a percentage of the total traffic or total stack traffic on Catalyst 3750-E switches by using the mls qos srr-queue input priority-queue global configuration command. The expedite queue has guaranteed bandwidth.
  • Page 872 DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the “Configuring Ingress Queue Characteristics” section on page 37-80. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-18 OL-9775-08...
  • Page 873 If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Note Figure 37-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-E Switches Start Receive packet from the stack ring.
  • Page 874 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-20...
  • Page 875 You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-21 OL-9775-08...
  • Page 876: Packet Modification

    For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-22 OL-9775-08...
  • Page 877 The switch uses the classification results to choose the appropriate egress queue. Auto-QoS supports both IPv4 and IPv6 traffic when the dual IPv4 and IPv6 SDM template is configured. You use auto-QoS commands to identify ports connected to or running these types of Cisco devices: •...
  • Page 878 DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
  • Page 879 39-42. • When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and...
  • Page 880 2 threshold 1 4 Switch(config)# mls qos srr-queue input cos-map queue 2 threshold 2 4 6 Switch(config)# mls qos srr-queue input cos-map queue 2 threshold 3 3 5 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-26 OL-9775-08...
  • Page 881 33 40 41 42 43 44 45 Switch(config)# mls qos srr-queue Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 input dscp-map queue 2 threshold 3 46 41 42 43 44 45 46 47 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-27 OL-9775-08...
  • Page 882 4 threshold 2 10 10 11 12 13 14 15 12 14 Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-28 OL-9775-08...
  • Page 883 Auto-QoS Generated Configuration For VoIP Devices If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 884 AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled. Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 885 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS Switch(config-pmap-c)# set dscp af21 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS Switch(config-pmap-c)# set dscp cs1 Switch(config-pmap-c)# police 10000000 8000 exceed-action drop Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-31 OL-9775-08...
  • Page 886 Switch(config-pmap-c)# set dscp default Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY This is the enhanced configuration for the auto qos voip cisco-phone command: Switch(config)# mls qos map policed-dscp 0 10 18 to 8 Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
  • Page 887 By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable CDP. • Auto-QoS VoIP Considerations Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. • Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
  • Page 888 Configuring QoS Configuring Auto-QoS • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone. • This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
  • Page 889 EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-35 OL-9775-08...
  • Page 890: Configuring Standard Qos

    (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-36 OL-9775-08...
  • Page 891: Default Ingress Queue Configuration

    DSCP input queue threshold map when QoS is enabled. Table 37-8 Default DSCP Input Queue Threshold Map DSCP Value Queue ID–Threshold ID 0–39 1–1 40–47 2–1 48–63 1–1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-37 OL-9775-08...
  • Page 892: Default Egress Queue Configuration

    DSCP output queue threshold map when QoS is enabled. Table 37-11 Default DSCP Output Queue Threshold Map DSCP Value Queue ID–Threshold ID 0–15 2–1 16–31 3–1 32–39 4–1 40–47 1–1 48–63 4–1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-38 OL-9775-08...
  • Page 893: Standard Qos Configuration Guidelines

    You can configure QoS on physical ports and SVIs. When configuring QoS on physical ports, you • create and apply nonhierarchical policy maps. When configuring QoS on SVIs, you can create and apply nonhierarchical and hierarchical policy maps. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-39 OL-9775-08...
  • Page 894: Policing Guidelines

    You can enable IPv6 QoS on a switch or a switch stack. If the stack includes only Catalyst 3750-X and Catalyst 3750-E switches, the QoS configuration applies to all traffic. These are the guidelines for IPv6 QoS in a stack that includes one or more Catalyst 3750 switches: Any switch can be the stack master.
  • Page 895: Enabling Qos Globally

    By default, QoS is disabled on the switch. To enable IPv6 QoS on the switch, you must first configure a dual-ipv4-and ipv6 SDM template and reload the switch. This template enables both IPv4 and IPv6 QoS configuration. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-41 OL-9775-08...
  • Page 896 By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, yYou can enable VLAN-based QoS on a switch port.
  • Page 897: Configuring Classification Using Port Trust States

    QoS domain. Figure 37-14 shows a sample network topology. Figure 37-14 Port Trusted States within the QoS Domain Trusted interface Trunk Traffic classification performed here Trusted boundary Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-43 OL-9775-08...
  • Page 898 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-44 OL-9775-08...
  • Page 899 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 900 Configuring QoS Configuring Standard QoS In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 901 Figure 37-15 DSCP-Trusted State on a Port Bordering Another QoS Domain QoS Domain 1 QoS Domain 2 IP traffic Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-47 OL-9775-08...
  • Page 902 DSCP 30: Switch(config)# mls qos map dscp-mutation gigabitethernet1/0/2-mutation 10 11 12 13 to 30 Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# mls qos trust dscp Switch(config-if)# mls qos dscp-mutation gigabitethernet1/0/2-mutation Switch(config-if)# end Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-48 OL-9775-08...
  • Page 903: Configuring A Qos Policy

    Step 3 Return to privileged EXEC mode. Step 4 show access-lists Verify your entries. Step 5 copy running-config (Optional) Save your entries in the configuration file. startup-config Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-49 OL-9775-08...
  • Page 904 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an access list, use the no access-list access-list-number global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-50 OL-9775-08...
  • Page 905 Step 2 ipv6 access-list Create an IPv6 ACL, and enter IPv6 access-list configuration mode. access-list-name Access list names cannot contain a space or quotation mark or begin with a numeric. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-51 OL-9775-08...
  • Page 906 Verify the access list configuration. Step 6 copy running-config (Optional) Save your entries in the configuration file. startup-config To delete an access list, use the no ipv6 access-list access-list-number global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-52 OL-9775-08...
  • Page 907 Verify your entries. access-list-name] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an access list, use the no mac access-list extended access-list-name global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-53 OL-9775-08...
  • Page 908 [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name] mac access-list extended name {permit | deny} {host src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask] Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-54 OL-9775-08...
  • Page 909 You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see Cisco IOS Quality of Service Solutions Command Reference. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-55 OL-9775-08...
  • Page 910 This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7: Switch(config)# class-map class3 Switch(config-cmap)# match ip precedence 5 6 7 Switch(config-cmap)# end Switch# Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-56 OL-9775-08...
  • Page 911 The range is 0 to 7. Step 5 Return to privileged EXEC mode. Step 6 show class-map Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-57 OL-9775-08...
  • Page 912 DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-58 OL-9775-08...
  • Page 913 When you configure a default traffic class by using the class class-default policy-map configuration • command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as belonging to the default traffic class (class-default). Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-59 OL-9775-08...
  • Page 914 It is always ordered at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-60 OL-9775-08...
  • Page 915 DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 37-76. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-61 OL-9775-08...
  • Page 916 Switch(config-ext-mac)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp Switch(config-ext-mac)# exit Switch(config)# mac access-list extended maclist2 Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-62 OL-9775-08...
  • Page 917 Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps: Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical •...
  • Page 918 When the switch stack divides into two or more switch stacks, the stack master in each switch – stack re-enables and reconfigures these features on all applicable interfaces on the stack members, including the stack master. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-64 OL-9775-08...
  • Page 919 For ip precedence ip-precedence-list, enter a list of up to eight • IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-65 OL-9775-08...
  • Page 920 This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map. Step 9 exit Return to class-map configuration mode. Step 10 exit Return to global configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-66 OL-9775-08...
  • Page 921 It is always ordered at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-67 OL-9775-08...
  • Page 922 Return to policy-map configuration mode. Step 22 exit Return to global configuration mode. Step 23 interface interface-id Specify the SVI to which to attach the hierarchical policy map, and enter interface configuration mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-68 OL-9775-08...
  • Page 923 Switch(config-cmap)# exit Switch(config)# policy-map port-plcmap Switch(config-pmap)# class cm-interface-1 Switch(config-pmap-c)# police 900000 9000 exc policed-dscp-transmit Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# policy-map vlan-plcmap Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 7 Switch(config-pmap-c)# service-policy port-plcmap-1 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-69 OL-9775-08...
  • Page 924 Switch(config-cmap)# match protocol ip Switch(config-cmap)# exit Switch(config)# policy-map pm3 Switch(config-pmap)# class class-default Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-3 Switch(config-pmap-c) set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-4 Switch(config-pmap-c)# trust cos Switch(config-pmap-c)# exit Switch(config-pmap)# exit Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-70 OL-9775-08...
  • Page 925 Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 37-59. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-71 OL-9775-08...
  • Page 926 Switch(config-cmap)# exit Switch(config)# policy-map aggflow1 Switch(config-pmap)# class ipclass1 Switch(config-pmap-c)# trust dscp Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class ipclass2 Switch(config-pmap-c)# set dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-72 OL-9775-08...
  • Page 927: Configuring Dscp Maps

    Table 37-12 shows the default CoS-to-DSCP map. Table 37-12 Default CoS-to-DSCP Map CoS Value DSCP Value If these values are not appropriate for your network, you need to modify them. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-73 OL-9775-08...
  • Page 928 Table 37-13 shows the default IP-precedence-to-DSCP map: Table 37-13 Default IP-Precedence-to-DSCP Map IP Precedence Value DSCP Value If these values are not appropriate for your network, you need to modify them. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-74 OL-9775-08...
  • Page 929 Step 3 Return to privileged EXEC mode. Step 4 show mls qos maps policed-dscp Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-75 OL-9775-08...
  • Page 930 Table 37-14 Default DSCP-to-CoS Map DSCP Value CoS Value 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63 If these values are not appropriate for your network, you need to modify them. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-76 OL-9775-08...
  • Page 931 The switch sends the packet out the port with the new DSCP value. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-77 OL-9775-08...
  • Page 932 30 30 30 30 30 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-78 OL-9775-08...
  • Page 933: Configuring Ingress Queue Characteristics

    Allocating Buffer Space Between the Ingress Queues, page 37-82 (optional) • Allocating Bandwidth Between the Ingress Queues, page 37-82 (optional) • Configuring the Ingress Priority Queue, page 37-83 (optional) • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-79 OL-9775-08...
  • Page 934 To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-80 OL-9775-08...
  • Page 935: Allocating Buffer Space Between The Ingress Queues

    SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-81 OL-9775-08...
  • Page 936 Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-82 OL-9775-08...
  • Page 937: Configuring Egress Queue Characteristics

    Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) • should be used? Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-83 OL-9775-08...
  • Page 938 The egress queue default settings are suitable for most situations. You should change them only when Note you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-84 OL-9775-08...
  • Page 939 Map the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-85 OL-9775-08...
  • Page 940 The egress queue default settings are suitable for most situations. You should change them only when Note you have a thorough understanding of egress queues and if these settings do not meet your QoS solution. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-86 OL-9775-08...
  • Page 941 This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-87...
  • Page 942 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-88 OL-9775-08...
  • Page 943 You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-89...
  • Page 944 Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent. Step 4 Return to privileged EXEC mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-90 OL-9775-08...
  • Page 945: Displaying Standard Qos Information

    The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-91 OL-9775-08...
  • Page 946 Chapter 37 Configuring QoS Displaying Standard QoS Information Catalyst 3750-E and 3560-E Switch Software Configuration Guide 37-92 OL-9775-08...
  • Page 947: Understanding Etherchannels

    This chapter also describes how to configure link-state tracking. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
  • Page 948: Etherchannel Overview

    EtherChannel. The other end of the channel (on the other switch) must also be configured in the on mode; otherwise, packet loss can occur. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-2...
  • Page 949 EtherChannel are blocked from returning on any other link of the EtherChannel. Figure 38-2 Single-Switch EtherChannel Switch stack Switch 1 Channel group 1 StackWise Plus port connections Switch A Channel Switch 2 group 2 Switch 3 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-3 OL-9775-08...
  • Page 950 Figure 38-4. Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-4 OL-9775-08...
  • Page 951: Port Aggregation Protocol

    Layer 2 EtherChannel as a trunk. Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 952 (VSLs) that carry control and data traffic between them. One of the switches is in active mode. The others are in standby mode. For redundancy, remote switches, such as Catalyst 3750-E or 3560-E switches, are connected to the virtual switch by remote satellite links (RSLs).
  • Page 953: Link Aggregation Control Protocol

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 954: Etherchannel On Mode

    Therefore, to provide load-balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-8 OL-9775-08...
  • Page 955 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load-balancing. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-9...
  • Page 956: Etherchannel And Switch Stacks

    LACP system-id can change. If the LACP system-id changes, the entire EtherChannel will flap, and there will be an STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-10 OL-9775-08...
  • Page 957: Configuring Etherchannels

    32768. LACP system ID LACP system priority and the switch or stack MAC address. Load-balancing Load distribution on the switch is based on the source-MAC address of the incoming packet. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-11 OL-9775-08...
  • Page 958: Etherchannel Configuration Guidelines

    Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-12...
  • Page 959: Configuring Layer 2 Etherchannels

    Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-13 OL-9775-08...
  • Page 960 Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-14 OL-9775-08...
  • Page 961: Configuring Layer 3 Etherchannels

    To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the Note physical port before configuring it on the port-channel interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-15 OL-9775-08...
  • Page 962: Configuring The Physical Interfaces

    Step 3 no ip address Ensure that there is no IP address assigned to the physical port. Step 4 no switchport Put the port into Layer 3 mode. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-16 OL-9775-08...
  • Page 963 “LACP Modes” section on page 38-7. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-17 OL-9775-08...
  • Page 964 IP • address. src-mac—Load distribution is based on the source-MAC • address of the incoming packet. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-18 OL-9775-08...
  • Page 965: Configuring The Pagp Learn Method And Priority

    Catalyst 1900 switch. When the link partner of the Catalyst 3750-E or 3560-E switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 3750-E or 3560-E switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
  • Page 966 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-20 OL-9775-08...
  • Page 967 Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the LACP system priority to the default value, use the no lacp system-priority global configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-21 OL-9775-08...
  • Page 968 [channel-group-number] {counters | Displays PAgP information such as traffic information, the internal | neighbor} internal PAgP configuration, and neighbor information. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-22 OL-9775-08...
  • Page 969 Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-23 OL-9775-08...
  • Page 970 1. Port 5 and port 6 are connected to distribution switch 1 through link-state group 1. Port 5 and – port 6 are the upstream interfaces in link-state group 1. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-24 OL-9775-08...
  • Page 971 Configuring Link-State Tracking Default Link-State Tracking Configuration, page 38-26 • Link-State Tracking Configuration Guidelines, page 38-26 • Configuring Link-State Tracking, page 38-26 • Displaying Link-State Tracking Status, page 38-27 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-25 OL-9775-08...
  • Page 972 Create a link-state group, and enable link-state tracking. For Catalyst 3560-E switches, the group number can be 1 to 2. For Catalyst 3750-E switches, the group number can be 1 to 10. The default is 1. Step 3...
  • Page 973 Upstream Interfaces : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn) Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis) (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled For detailed information about the fields in the display, see the command reference for this release. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-27 OL-9775-08...
  • Page 974 Chapter 38 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking Catalyst 3750-E and 3560-E Switch Software Configuration Guide 38-28 OL-9775-08...
  • Page 975: Configuring Telepresence E911 Ip Phone Support

    Understanding TelePresence E911 IP Phone Support You can use a Cisco IP phone as a user interface in a Cisco TelePresence System. See in Figure 1. In this configuration, the IP phone must always be on and available for emergency calls. If the power to the codec in the Cisco TelePresence System fails, is disrupted or if the codec fails, the IP phone is not available.
  • Page 976 When a CDP-enabled IP phone is connected to the codec through a switch, you can configure the switch to forward CDP packets from the IP phone only to the codec in the Cisco TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table. An ingress-egress port pair is a one-to-one mapping between an ingress switch port connected to the IP phone and an egress switch port connected to the codec.
  • Page 977: Enabling Telepresence E911 Ip Phone Support

    Switch(config)# no cdp forward ingress gigabitethernet2/0/1 Switch(config)# end Switch# *Mar 1 13:39:14.120: %SYS-5-CONFIG_I: Configured from console by console Switch# show running-config | include cdp cdp forward ingress GigabitEthernet2/0/2 egress GigabitEthernet2/0/13 Catalyst 3750-E and 3560-E Switch Software Configuration Guide 39-3 OL-9775-08...
  • Page 978 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support Switch# show cdp forward Ingress Egress # packets # packets Port Port forwarded dropped ------------------------------------------------------------- Gi2/0/2 Gi2/0/13 Switch# Catalyst 3750-E and 3560-E Switch Software Configuration Guide 39-4 OL-9775-08...
  • Page 979: Configuring Ip Unicast Routing

    Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base feature set and the IP services feature set.
  • Page 980: Understanding Ip Routing

    • Types of Routing Routers and Layer 3 switches can route packets in three different ways: By using default routing • • By using preprogrammed static routes for the traffic Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-2 OL-9775-08...
  • Page 981: Ip Routing And Switch Stacks

    • It processes routing protocol messages and updates received from peer routers. It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database • to all stack members. The routes are programmed on all switches in the stack bases on this database.
  • Page 982 (BGP). If the stack master fails and the new elected stack master is running the IP base feature set, these protocols will no longer run in the stack. Caution Partitioning of the switch stack into two or more stacks might lead to undesirable behavior in the network. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-4 OL-9775-08...
  • Page 983: Steps For Configuring Routing

    Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 In the following procedures, the specified interface must be one of these Layer 3 interfaces: A routed port: a physical port configured as a Layer 3 port by using the no switchport interface •...
  • Page 984: Default Addressing Configuration

    • Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times max interval • Preference: 0. • IP proxy ARP Enabled. IP routing Disabled. IP subnet-zero Disabled. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-6 OL-9775-08...
  • Page 985: Assigning Ip Addresses To Network Interfaces

    (Optional) Save your entry in the configuration file. Use the no ip subnet-zero global configuration command to restore the default and disable the use of subnet zero. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-7 OL-9775-08...
  • Page 986: Classless Routing

    40-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-8 OL-9775-08...
  • Page 987: Configuring Address Resolution Methods

    Ethernet, the software must learn the MAC address of the device. The process of learning the MAC address from an IP address is called address resolution. The process of learning the IP address from the MAC address is called reverse address resolution. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-9 OL-9775-08...
  • Page 988 RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
  • Page 989: Set Arp Encapsulation

    Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-11 OL-9775-08...
  • Page 990: Routing Assistance When Ip Routing Is Disabled

    A limitation of this method is that there is no means of detecting when the default router has gone down or is unavailable. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-12...
  • Page 991 It must be greater than maxadvertinterval and cannot be greater than 9000 seconds. If you change the maxadvertinterval value, this value also changes. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-13 OL-9775-08...
  • Page 992: Configuring Broadcast Packet Handling

    Enabling Directed Broadcast-to-Physical Broadcast Translation, page 40-15 • Forwarding UDP Broadcast Packets and Protocols, page 40-16 • Establishing an IP Broadcast Address, page 40-17 Flooding IP Broadcasts, page 40-17 • Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-14 OL-9775-08...
  • Page 993 Use the no ip directed-broadcast interface configuration command to disable translation of directed broadcast to physical broadcasts. Use the no ip forward-protocol global configuration command to remove a protocol or port. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-15 OL-9775-08...
  • Page 994 By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 995 When a flooded UDP datagram is sent out an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is, therefore, subject to access lists, if they are present on the output interface. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-17 OL-9775-08...
  • Page 996: Monitoring And Maintaining Ip Addressing

    You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 40-3 lists the privileged EXEC commands for displaying IP statistics. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-18 OL-9775-08...
  • Page 997: Enabling Ip Unicast Routing

    (RIP) router configuration command. For information on specific protocols, see sections later in this chapter and to the Cisco IOS IP Configuration Guide, Release 12.2. The IP base feature set supports only RIP as a routing Note protocol.
  • Page 998: Configuring Rip

    Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. RIP is the only routing protocol supported by the IP base feature set; other routing protocols require the Note switch or stack master to be running the IP services feature set.
  • Page 999: Default Rip Configuration

    To configure RIP, you enable RIP routing for a network and optionally configure other parameters. On Note the Catalyst 3750-E and 3560-E switches, RIP configuration commands are ignored until you configure the network number. Beginning in privileged EXEC mode, follow these steps to enable and configure RIP:...
  • Page 1000 8 to 50 milliseconds. Step 12 Return to privileged EXEC mode. Step 13 show ip protocols Verify your entries. Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 3750-E and 3560-E Switch Software Configuration Guide 40-22 OL-9775-08...

This manual is also suitable for:

Catalyst3560-e

Table of Contents