Software Configuration Guide
Page 1
Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.1(19)EA1 January 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816156= Text Part Number: 78-16156-01
Page 2
... VCO are the property of the UNIX operating system. and certain other company. (0304R) Catalyst 3560 Switch Software Configuration Guide Copyright © 2004 Cisco Systems, Inc. The use of the word partner does not imply a partnership relationship between Cisco and any other countries. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED...
Page 3
... Obtaining Technical Assistance xxxvi Cisco TAC Website xxxvii Opening a TAC Case xxxvii TAC Case Priority Definitions xxxvii Obtaining Additional Publications and Information xxxviii Overview 1-1 Features 1-1 Default Settings After Initial Switch Configuration 1-9 Network Configuration Examples 1-11 Design Concepts... for Using the Switch 1-11 Small to Medium-Sized Network Using Catalyst 3560 Switches 1-13 Large Network Using Catalyst 3560 Switches 1-14 Long-Distance, High-Bandwidth Transport Configuration 1-16 Where to Go Next 1-16 Using the Command-Line Interface 2-1 Understanding...
Page 4
... 3-7 Access to Older Switches In a Cluster 3-7 Configuring CMS 3-8 CMS Requirements 3-8 Minimum Hardware Configuration 3-8 Operating System and Browser Support 3-9 CMS Plug-In Requirements 3-9 Cross-Platform Considerations 3-10 HTTP Access to CMS 3-10 Specifying an HTTP Port (Nondefault Configuration Only) 3-10 Configuring an Authentication Method (Nondefault Configuration Only) 3-10 Catalyst 3560 Switch Software Configuration Guide iv 78-16156-01
Page 5
... Boot Configuration 4-12 Automatically Downloading a Configuration File 4-12 Specifying the Filename to Read and Write the System Configuration 4-12 Booting Manually 4-13 Booting a Specific Software Image 4-13 Controlling Environment Variables 4-14 Scheduling a Reload of the Software Image 4-16 Configuring a Scheduled Reload 4-16 Displaying Scheduled Reload Information 4-17 78-16156-01 Catalyst 3560 Switch Software Configuration Guide...
Page 6
... Newly Installed Switches 5-9 HSRP and Standby Cluster Command Switches 5-10 Virtual IP Addresses 5-11 Other Considerations for Cluster Standby Groups 5-11 Automatic Recovery of Cluster Configuration 5-12 IP Addresses 5-13 Host Names 5-13 Passwords 5-14 SNMP Community Strings 5-14 TACACS+ and RADIUS 5-14 Access Modes in CMS 5-15 LRE Profiles 5-15... 5-20 Using the CLI to Manage Switch Clusters 5-21 Catalyst 1900 and Catalyst 2820 CLI Considerations 5-22 Using SNMP to Manage Switch Clusters 5-22 Catalyst 3560 Switch Software Configuration Guide vi 78-16156-01
Page 7
... 6-19 Configuring a Login Banner 6-20 Managing the MAC Address Table 6-21 Building the Address Table 6-21 MAC Addresses and VLANs 6-22 Default MAC Address Table Configuration 6-22 Changing the Address Aging Time 6-22 Removing Dynamic Address Entries 6-23 Configuring MAC Address Notification Traps 6-23 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide vii
Page 8
...Configuring SDM Templates 7-1 Understanding the SDM Templates 7-1 Configuring the Switch SDM Template 7-2 Default SDM Template 7-2 SDM Template Configuration Guidelines 7-2 Setting the SDM Template 7-3 Displaying the SDM Templates 7-4 Configuring... a Telnet Password for a Terminal Line 8-6 Configuring Username and Password Pairs 8-7 Configuring Multiple Privilege Levels 8-8 Setting the Privilege Level for...Configuring TACACS+ 8-13 Default TACACS+ Configuration 8-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 8-13 Configuring TACACS+ Login Authentication 8-14 Configuring...
Page 9
...8-35 Authenticating to Network Services 8-35 Configuring Kerberos 8-36 Configuring the Switch for Local Authentication and Authorization 8-36 Configuring the Switch for Secure Shell 8-37 ...Configuring the SSH Server 8-40 Displaying the SSH Configuration and Status 8-41 Configuring 802.1X Port-Based Authentication 9-1 Understanding 802.1X Port-Based Authentication 9-1 Device Roles 9-2 Authentication Initiation and Message Exchange 9-3 Ports in Authorized and Unauthorized States 9-4 Supported Topologies 9-4 Using 802.1X with Port Security 9-5 Catalyst 3560 Switch Software Configuration...
Page 10
... 10-6 Procedures for Configuring Interfaces 10-7 Configuring a Range of Interfaces 10-8 Configuring and Using Interface Range Macros 10-9 Configuring Ethernet Interfaces 10-11 Default Ethernet Interface Configuration 10-11 Configuring Interface Speed and Duplex Mode 10-12 Configuration Guidelines 10-13 Setting the Interface Speed and Duplex Parameters 10-13 Catalyst 3560 Switch Software Configuration Guide x 78-16156-01
Page 11
...-6 VLAN Configuration Mode Options 12-6 VLAN Configuration in config-vlan Mode 12-7 VLAN Configuration in VLAN Database Configuration Mode 12-7 Saving VLAN Configuration 12-7 Default Ethernet VLAN Configuration 12-8 Creating or Modifying an Ethernet VLAN 12-8 Deleting a VLAN 12-10 Assigning Static-Access Ports to a VLAN 12-11 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide...
Page 12
...27 Dynamic-Access Port VLAN Membership 12-28 Default VMPS Client Configuration 12-29 VMPS Configuration Guidelines 12-29 Configuring the VMPS Client 12-29 Entering the IP Address of the VMPS 12-30 Configuring Dynamic-Access Ports on VMPS Clients 12-30 Reconfirming VLAN ...Memberships 12-31 Changing the Reconfirmation Interval 12-31 Changing the Retry Count 12-32 Monitoring the VMPS 12-32 Troubleshooting Dynamic-Access Port VLAN Membership 12-33 VMPS Configuration Example 12-33 Catalyst 3560 Switch Software Configuration...
Page 14
... Cost 15-18 Configuring the Switch Priority of a VLAN 15-19 Configuring Spanning-Tree Timers 15-20 Configuring the Hello Time 15-20 Configuring the Forwarding-Delay Time for a VLAN 15-21 Configuring the Maximum-Aging Time for a VLAN 15-21 Displaying the Spanning-Tree Status 15-22 Catalyst 3560 Switch Software Configuration Guide xiv 78-16156...
Page 15
...Configuring MSTP Features 16-11 Default MSTP Configuration 16-12 MSTP Configuration Guidelines 16-12 Specifying the MST Region Configuration and Enabling MSTP 16-13 Configuring the Root Switch 16-14 Configuring a Secondary Root Switch 16-16 Configuring Port Priority 16-17 Configuring Path Cost 16-18 Configuring the Switch Priority 16-19 Configuring...Ensure Rapid Transitions 16-22 Restarting the Protocol Migration Process 16-22 Displaying the MST Configuration and Status 16-23 Configuring Optional Spanning-Tree Features 17-1 Understanding Optional Spanning-Tree Features 17-1 Understanding Port ...
Page 16
... Snooping and Option 82 18-4 Displaying DHCP Information 18-5 Displaying a Binding Table 18-5 Displaying the DHCP Snooping Configuration 18-6 CHAPTER 19 Configuring IGMP Snooping and MVR 19-1 Understanding IGMP Snooping 19-2 IGMP Versions 19-3 Joining a Multicast Group 19-3 Leaving... a Multicast Group 19-5 Immediate-Leave Processing 19-6 IGMP Report Suppression 19-6 Configuring IGMP Snooping 19-6 Default IGMP Snooping Configuration 19-7 Enabling or Disabling IGMP Snooping 19-7 Setting the Snooping Method 19-8 Catalyst 3560 Switch Software Configuration Guide xvi 78-16156-01
Page 17
...-3 Configuring Protected Ports 20-5 Default Protected Port Configuration 20-5 Protected Port Configuration Guidelines 20-5 Configuring a Protected Port 20-5 Configuring Port Blocking 20-6 Default Port Blocking Configuration 20-6 Blocking Flooded Traffic on an Interface 20-6 Configuring Port Security 20-7 Understanding Port Security 20-7 Secure MAC Addresses 20-8 Security Violations 20-9 Default Port Security Configuration 20-10 Catalyst 3560 Switch Software Configuration...
Page 18
...Configuring CDP 21-1 Understanding CDP 21-1 Configuring CDP 21-2 Default CDP Configuration 21-2 Configuring the CDP Characteristics 21-2 Disabling and Enabling CDP 21-3 Disabling and Enabling CDP on an Interface 21-4 Monitoring and Maintaining CDP 21-5 Configuring... UDLD 22-1 Understanding UDLD 22-1 Modes of Operation 22-1 Methods to Detect Unidirectional Links 22-2 Configuring UDLD 22-4 Default UDLD Configuration 22-4 Configuration Guidelines ... an Interface Disabled by UDLD 22-6 Displaying UDLD Status 22-7 Configuring SPAN and RSPAN 23-1 Understanding SPAN and RSPAN 23-1 Local ...
Page 19
...Specifying VLANs to Filter 23-22 Displaying SPAN and RSPAN Status 23-23 Configuring RMON 24-1 Understanding RMON 24-1 Configuring RMON 24-2 Default RMON Configuration 24-3 Configuring RMON Alarms and Events 24-3 Collecting Group History Statistics on an Interface ...Configuration 25-3 Disabling Message Logging 25-4 Setting the Message Display Destination Device 25-4 Synchronizing Log Messages 25-5 Enabling and Disabling Time Stamps on Log Messages 25-7 Enabling and Disabling Sequence Numbers in Log Messages 25-7 Defining the Message Severity Level 25-8 Catalyst 3560 Switch Software Configuration...
Page 20
...Configuring UNIX Syslog Servers 25-10 Logging Messages to a UNIX Syslog Daemon 25-10 Configuring the UNIX System Logging Facility 25-11 Displaying the Logging Configuration 25-12 CHAPTER 26 Configuring...Configuring SNMP 26-6 Default SNMP Configuration 26-7 SNMP Configuration Guidelines 26-7 Disabling the SNMP Agent 26-8 Configuring Community Strings 26-8 Configuring SNMP Groups and Users 26-9 Configuring... CHAPTER 27 Configuring Network Security with ACLs 27-1 Understanding ACLs 27... Handling Fragmented and Unfragmented Traffic 27-5 Configuring IP ACLs 27-6 Creating Standard and ...
Page 21
...-19 Hardware and Software Treatment of IP ACLs 27-21 IP ACL Configuration Examples 27-21 Numbered ACLs 27-23 Extended ACLs 27-23 Named...26 Applying a MAC ACL to a Layer 2 Interface 27-28 Configuring VLAN Maps 27-29 VLAN Map Configuration Guidelines 27-29 Creating a VLAN Map 27-30 Examples of ... VLAN 27-33 Using VLAN Maps in Your Network 27-33 Wiring Closet Configuration 27-33 Denying Access to a Server on Another VLAN 27-35 Using...Routed Packets 27-38 ACLs and Multicast Packets 27-39 Displaying ACL Configuration 27-40 Configuring QoS 28-1 Understanding QoS 28-1 Basic QoS Model 28-3 Classification 28...