Software Configuration Guide
Page 1
Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.1(19)EA1 January 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816156= Text Part Number: 78-16156-01
Page 2
...Live, Play, and Learn, and iQuick Study are registered trademarks of Cisco Systems, Inc. and certain other company. (0304R) Catalyst 3560 Switch Software Configuration Guide Copyright © 2004 Cisco Systems, Inc. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL... ARE SUBJECT TO CHANGE WITHOUT NOTICE. The Cisco implementation of TCP header compression is an ...
Page 3
... Large Network Using Catalyst 3560 Switches 1-14 Long-Distance, High-Bandwidth Transport Configuration 1-16 Where to Go Next 1-16 Using the Command-Line Interface 2-1 Understanding Command Modes 2-1 Understanding the Help System 2-3 Understanding Abbreviated Commands 2-3 Understanding no and default Forms of Commands 2-4 Understanding CLI Error Messages 2-4 78-16156-01 Catalyst 3560 Switch Software Configuration Guide iii
Page 4
... Levels 3-7 Access to Older Switches In a Cluster 3-7 Configuring CMS 3-8 CMS Requirements 3-8 Minimum Hardware Configuration 3-8 Operating System and Browser Support 3-9 CMS Plug-In Requirements 3-9 Cross-Platform Considerations 3-10 HTTP Access to CMS 3-10 Specifying an HTTP Port (Nondefault Configuration Only) 3-10 Configuring an Authentication Method (Nondefault Configuration Only) 3-10 Catalyst 3560 Switch Software Configuration Guide iv 78-16156-01
Page 5
... Default Boot Configuration 4-12 Automatically Downloading a Configuration File 4-12 Specifying the Filename to Read and Write the System Configuration 4-12 Booting Manually 4-13 Booting a Specific Software Image 4-13 Controlling Environment Variables 4-14 Scheduling a Reload of the Software Image 4-16 Configuring a Scheduled Reload 4-16 Displaying Scheduled Reload Information 4-17 78-16156-01 Catalyst 3560 Switch Software Configuration Guide v
Page 6
... Newly Installed Switches 5-9 HSRP and Standby Cluster Command Switches 5-10 Virtual IP Addresses 5-11 Other Considerations for Cluster Standby Groups 5-11 Automatic Recovery of Cluster Configuration 5-12 IP Addresses 5-13 Host Names 5-13 Passwords 5-14 SNMP Community Strings 5-14 TACACS+ and RADIUS 5-14 Access Modes in CMS 5-15 LRE Profiles 5-15... 5-20 Using the CLI to Manage Switch Clusters 5-21 Catalyst 1900 and Catalyst 2820 CLI Considerations 5-22 Using SNMP to Manage Switch Clusters 5-22 Catalyst 3560 Switch Software Configuration Guide vi 78-16156-01
Page 7
... Banner 6-19 Configuring a Login Banner 6-20 Managing the MAC Address Table 6-21 Building the Address Table 6-21 MAC Addresses and VLANs 6-22 Default MAC Address Table Configuration 6-22 Changing the Address Aging Time 6-22 Removing Dynamic Address Entries 6-23 Configuring MAC Address Notification Traps 6-23 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide vii
Page 8
... Password Recovery 8-5 Setting a Telnet Password for a Terminal Line 8-6 Configuring Username and Password Pairs 8-7 Configuring Multiple Privilege Levels 8-8 Setting the Privilege Level for a Command 8-8 ...Configuring TACACS+ 8-13 Default TACACS+ Configuration 8-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 8-13 Configuring TACACS+ Login Authentication 8-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 8-16 Starting TACACS+ Accounting 8-17 Displaying the TACACS+ Configuration 8-17 Catalyst 3560 Switch Software Configuration Guide...
Page 9
...8-35 Authenticating to Network Services 8-35 Configuring Kerberos 8-36 Configuring the Switch for Local Authentication and Authorization 8-36 Configuring the Switch for Secure Shell 8-37 ...Configuring the SSH Server 8-40 Displaying the SSH Configuration and Status 8-41 Configuring 802.1X Port-Based Authentication 9-1 Understanding 802.1X Port-Based Authentication 9-1 Device Roles 9-2 Authentication Initiation and Message Exchange 9-3 Ports in Authorized and Unauthorized States 9-4 Supported Topologies 9-4 Using 802.1X with Port Security 9-5 Catalyst 3560 Switch Software Configuration Guide...
Page 10
...-5 Using Interface Configuration Mode 10-6 Procedures for Configuring Interfaces 10-7 Configuring a Range of Interfaces 10-8 Configuring and Using Interface Range Macros 10-9 Configuring Ethernet Interfaces 10-11 Default Ethernet Interface Configuration 10-11 Configuring Interface Speed and Duplex Mode 10-12 Configuration Guidelines 10-13 Setting the Interface Speed and Duplex Parameters 10-13 Catalyst 3560 Switch Software Configuration Guide x 78...
Page 11
...-6 VLAN Configuration Mode Options 12-6 VLAN Configuration in config-vlan Mode 12-7 VLAN Configuration in VLAN Database Configuration Mode 12-7 Saving VLAN Configuration 12-7 Default Ethernet VLAN Configuration 12-8 Creating or Modifying an Ethernet VLAN 12-8 Deleting a VLAN 12-10 Assigning Static-Access Ports to a VLAN 12-11 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xi
Page 12
... Dynamic-Access Port VLAN Membership 12-28 Default VMPS Client Configuration 12-29 VMPS Configuration Guidelines 12-29 Configuring the VMPS Client 12-29 Entering the IP Address of the VMPS 12-30 Configuring Dynamic-Access Ports on VMPS Clients 12-30 Reconfirming VLAN ...Memberships 12-31 Changing the Reconfirmation Interval 12-31 Changing the Retry Count 12-32 Monitoring the VMPS 12-32 Troubleshooting Dynamic-Access Port VLAN Membership 12-33 VMPS Configuration Example 12-33 Catalyst 3560 Switch Software Configuration Guide...
Page 14
... Cost 15-18 Configuring the Switch Priority of a VLAN 15-19 Configuring Spanning-Tree Timers 15-20 Configuring the Hello Time 15-20 Configuring the Forwarding-Delay Time for a VLAN 15-21 Configuring the Maximum-Aging Time for a VLAN 15-21 Displaying the Spanning-Tree Status 15-22 Catalyst 3560 Switch Software Configuration Guide xiv 78-16156-01
Page 15
... the Link Type to Ensure Rapid Transitions 16-22 Restarting the Protocol Migration Process 16-22 Displaying the MST Configuration and Status 16-23 Configuring Optional Spanning-Tree Features 17-1 Understanding Optional Spanning-Tree Features 17-1 Understanding Port Fast 17-2 Understanding BPDU Guard 17-3 Understanding BPDU Filtering 17-3 Catalyst 3560 Switch Software Configuration Guide xv
Page 16
...Snooping and Option 82 18-4 Displaying DHCP Information 18-5 Displaying a Binding Table 18-5 Displaying the DHCP Snooping Configuration 18-6 Chapter 19 Configuring IGMP Snooping and MVR 19-1 Understanding IGMP Snooping 19-2 IGMP Versions 19-3 Joining a Multicast Group 19-3 Leaving... a Multicast Group 19-5 Immediate-Leave Processing 19-6 IGMP Report Suppression 19-6 Configuring IGMP Snooping 19-6 Default IGMP Snooping Configuration 19-7 Enabling or Disabling IGMP Snooping 19-7 Setting the Snooping Method 19-8 Catalyst 3560 Switch Software Configuration Guide xvi 78-16156-01
Page 17
...-3 Configuring Protected Ports 20-5 Default Protected Port Configuration 20-5 Protected Port Configuration Guidelines 20-5 Configuring a Protected Port 20-5 Configuring Port Blocking 20-6 Default Port Blocking Configuration 20-6 Blocking Flooded Traffic on an Interface 20-6 Configuring Port Security 20-7 Understanding Port Security 20-7 Secure MAC Addresses 20-8 Security Violations 20-9 Default Port Security Configuration 20-10 Catalyst 3560 Switch Software Configuration Guide...
Page 18
... on an Interface 21-4 Monitoring and Maintaining CDP 21-5 Configuring UDLD 22-1 Understanding UDLD 22-1 Modes of Operation 22-1 Methods to Detect Unidirectional Links 22-2 Configuring UDLD 22-4 Default UDLD Configuration 22-4 Configuration Guidelines 22-4 Enabling UDLD Globally 22-5 Enabling UDLD on ...Configuring SPAN and RSPAN 23-1 Understanding SPAN and RSPAN 23-1 Local SPAN 23-2 Remote SPAN 23-2 SPAN and RSPAN Concepts and Terminology 23-3 SPAN Sessions 23-3 Monitored Traffic 23-4 Source Ports 23-5 Source VLANs 23-6 VLAN Filtering 23-6 xviii Catalyst 3560 Switch Software Configuration Guide...
Page 19
... VLANs to Filter 23-22 Displaying SPAN and RSPAN Status 23-23 Configuring RMON 24-1 Understanding RMON 24-1 Configuring RMON 24-2 Default RMON Configuration 24-3 Configuring RMON Alarms and Events 24-3 Collecting Group History Statistics on an Interface...Configuration 25-3 Disabling Message Logging 25-4 Setting the Message Display Destination Device 25-4 Synchronizing Log Messages 25-5 Enabling and Disabling Time Stamps on Log Messages 25-7 Enabling and Disabling Sequence Numbers in Log Messages 25-7 Defining the Message Severity Level 25-8 Catalyst 3560 Switch Software Configuration Guide...
Page 20
...-14 Limiting TFTP Servers Used Through SNMP 26-15 SNMP Examples 26-15 Displaying SNMP Status 26-16 Chapter 27 Configuring Network Security with ACLs 27-1 Understanding ACLs 27-1 Supported ACLs 27-2 Port ACLs 27-3 Router ACLs 27-4 VLAN Maps 27-4 Handling Fragmented and ...Unfragmented Traffic 27-5 Configuring IP ACLs 27-6 Creating Standard and Extended IP ACLs 27-7 Access List Numbers 27-7 Creating a Numbered Standard ACL 27-8 Creating a Numbered Extended ACL 27-10 Catalyst 3560 Switch Software Configuration Guide xx 78-16156-01
Page 21
... ACLs and VLAN Maps 27-31 Applying a VLAN Map to a VLAN 27-33 Using VLAN Maps in Your Network 27-33 Wiring Closet Configuration 27-33 Denying Access to a Server on Another VLAN 27-35 Using VLAN Maps with Router ACLs 27-36 Guidelines 27-36 Examples of ... Routed Packets 27-38 ACLs and Multicast Packets 27-39 Displaying ACL Configuration 27-40 Configuring QoS 28-1 Understanding QoS 28-1 Basic QoS Model 28-3 Classification 28-4 Classification Based on QoS ACLs 28-7 Classification Based on Class Maps and Policy Maps 28-7 Policing and Marking 28-8 Catalyst 3560 Switch Software Configuration Guide xxi