Tuesday, March 18, 2014

Configure a Management Interface for 3550 and 3750 Series Switches

On Catalyst 3550 and Catalyst 3750 series switches that run Cisco IOS Software, any routable interface can be used for management. There are three options to configure this interface.

Option 1: Configure a loopback interface for switch management. There are a few advantages to a loopback interface. A loopback is a virtual interface that is always up. Packets that are routed to the loopback interface are rerouted back to the L3 switch or router and processed locally. IP packets that are routed out the loopback interface but are not destined to the loopback interface are dropped. This means that the loopback interface serves as the null 0 interface also. The loopback interface serves as the router ID for OSPF and so on. This example uses loopback 0:

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface loopback 0
Switch(config-if)#ip address 10.1.1.1 255.255.255.255

!--- The loopback interface should have a 32-bit subnet mask, which means that
!--- the 10.1.1.1 address is the only destination address in this subnet.

Switch(config-if)#end
Switch#

You must also configure a routing protocol to distribute the subnet that is assigned to the loopback address or create a static route.

Option 2: Configure the interface as an L3 routed interface with an IP address. All interfaces on a Catalyst 3550 or 3750 switch that runs Cisco IOS Software are L2 by default. In order to make an L2 interface an L3 interface, issue the no switchport command and then configure an IP address. All interfaces are enabled by default, so you do not need to issue the no shutdown command. This example uses Fast Ethernet 2/0/1 on a Catalyst 3750:

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 11.1.1.1 255.0.0.0
Switch(config-if)#end
Switch#

If you issue the show running-config interface fastethernet 2/0/1 command, this output displays:

Switch#show running-config interface fastethernet 2/0/1
Building configuration...
Current configuration : 81 bytes
!
interface FastEthernet2/0/1
 no switchport
 ip address 11.1.1.1 255.0.0.0
end
Switch#

Option 3: Configure an L2 interface as a part of a specific VLAN. Issue the switchport mode access command and the switchport access vlan vlan-id command, and use a corresponding SVI with an IP address.

Complete these steps:

Issue these commands:

Switch(config)#interface vlan 1

!--- Interface VLAN 1 is an SVI.

Switch(config-if)#ip address 10.1.1.1 255.0.0.0
Switch(config-if)#no shut

Note: This example uses VLAN 1 as the management VLAN. VLAN 1 is in the VLAN database by default.

Issue the switchport mode access command under the desired physical interface if you want confirmation that the interface is an access switch port.

By default, all interfaces are L2 interfaces and are access switch ports in VLAN 1. If you plan to use VLAN 1 as the management VLAN, no configuration is necessary under the interface. But if you want confirmation in the configuration that the interface is indeed an access switch port, you need to use the switchport mode access command.

This example uses Fast Ethernet 2/0/1:

Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#switchport mode access
Switch(config-if)#end

If you issue the show run interface fastethernet 2/0/1 command, this output now displays:

Switch#show run interface fastethernet 2/0/1
Building configuration...
Current configuration : 59 bytes
!
interface FastEthernet2/0/1
 switchport mode access
end
Switch#

If you want to change the management interface from the default VLAN 1 to another VLAN, issue the interface vlan vlan-id command in order to create a new SVI.

You must then issue the switchport access vlan vlan-id command in order to configure an L2 interface to be a part of the new VLAN. This example demonstrates this process:

Switch(config)#interface vlan 2
Switch(config-if)#ip address 20.1.1.1 255.0.0.0
Switch(config-if)#no shut

!--- Configure an interface to access the new management VLAN.

Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end
Switch#

If you issue the show run interface fastethernet 2/0/1 command, this output now displays:

Switch#show run interface fastethernet 2/0/1
Building configuration...
Current configuration : 85 bytes
!
interface FastEthernet2/0/1
 switchport access vlan 2
 switchport mode access
end
Switch#

In order for the switch to access remote networks, you must have either:

• A default gateway that is set for the next hop router that is directly connected to the switch

• A dynamic routing protocol configured

If you are not routing IP, issue the ip default-gateway ip-address command in order to configure a gateway router IP address.

If you plan to configure dynamic routing, keep in mind that IP routing is disabled by default. You must issue the global ip routing command in order to enable IP routing. Routing Information Protocol (RIP) is the only dynamic routing protocol that is supported when you use the Standard Multilayer Software Image (SMI). The Enhanced Multilayer Software Image (EMI) is required for Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), OSPF, and Border Gateway Protocol (BGP) support. In order to configure dynamic routing, use the router routing_protocol command. Issue the show ip route command in order to view the status of the routing table.

Wednesday, March 12, 2014

Configuring IEEE 802.1x Port-Based Authentication

IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. The switch command reference and the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.

Device Roles

Client: the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the 802.1x standard.)

Authentication server: performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Switch (edge switch or wireless access point): controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. (The switch is the authenticator in the 802.1x standard.)

When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.

The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2975, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1x authentication.
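As an added example (not part of the Cisco document quoted above), this is the authenticator-side configuration the three roles imply on a Catalyst 3750 running IOS 12.2: the switch proxies EAP between the client port and the RADIUS server. The server address 10.0.0.10, the shared-secret placeholder, VLAN 20 and interface GigabitEthernet1/0/1 are assumptions.

```ios
! Added example: switch as 802.1x authenticator, RADIUS as the authentication server.
! 10.0.0.10 and the key string are constructed placeholders; replace with your own.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
!
! Enables 802.1x globally; without this line the per-port settings have no effect.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Client port - access only, authenticated before any traffic is forwarded
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 ! "auto" requires authentication; the default, force-authorized, bypasses it entirely.
 dot1x port-control auto
!
! Verification:
!   show dot1x all                                     - global state, PAE role, port-control
!   show dot1x interface gigabitethernet1/0/1 statistics
```

On 12.2(50)SE and later the port command is entered as authentication port-control auto; the older dot1x form shown above is still accepted and converted.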

Tuesday, March 4, 2014

Channelized vs clear channel E1

I understand a pure G.703 means clear channel = 2048kbps = unstructured E1 = unchannelized E1.

And a G.703/G.704 means a channelized E1 = 1984kbps = for data it can use timeslots 1-31, and TS0 is reserved for framing in G.704.

If the above two descriptions are correct, then I assume there is no such thing as "Channelized clear channel 1984k", is that correct? Someone told me about this term and I can't make sense of what that means, as I thought "channelized" and "clear channel" are mutually exclusive from an E1 data ckt perspective. Please correct me if this is wrong.

Now question onto the router:

If PTT delivers a 1984k E1, I will assume this means I can use a VWIC-1MFT-E1 module to connect to this handoff. And then I can configure:

Controller E1 0/0/0
channel-group 0 timeslots 1-31

So now I have a data ckt with 1984k bandwidth talking to the other side with similar config.

Question is what about if PTT delivers a clear channel 2048k ckt to me but I have no reason or need to use 2048k. I just need 1984k as I am connecting my router (CE) to a provider PE for MPLS VPN with a 1984k E1 port speed.

So if somehow the PTT loop is 2048k to me and to provider (PTT is not same provider as MPLS provider).  And if I really need 1984k instead,

a) first of all, can my VWIC-1MFT-E1 card still work on this clear channel handoff even though I really only need 1984k with timeslot 1-31?

b) if (a) is negative, does that mean even if I just need 1984k, I still need to use a VWIC-1MFT-G703 interface card?

c) If (b) is correct, then should I still configure

Controller E1 0/0/0
channel-group 0 timeslots 1-31

or should I configure

Controller E1 0/0/0
channel-group 0 unframed

I mean I don't want clear channel as the provider is doing 1984k for the MPLS port. So my question really is can we still do timeslots 1-31 on a clear channel loop?

You've got an answer from an inexperienced representative who doesn't fully understand how E1 works. This is typical especially in the USA TAC.

Tuesday, February 25, 2014

How to copy the config from a 2900 series to another one

I know we can use copy & paste; my questions are:

1. Before that, do I need to wipe out the existing config on the brand new switch?
2. About using TFTP, how does this new switch connect to the TFTP server? Does it mean I have to assign a real IP and put it on our network? More details, pls

1. Before that, do I need to wipe out the existing config on the brand new switch?
     Answer: I always erase the default configuration on the switch by doing "er startup" and then reloading the switch

2. About using TFTP, how does this new switch connect to the TFTP server? Does it mean I have to assign a real IP and put it on our network? More details, pls
     Answer: Multiple ways. You can use a test network, you can assign it a static IP on the network and move the config from the other switch to this one, or let it grab an IP from DHCP and then move the config from the other switch to this one. You can simply set up the other switch you are replacing as a tftp server to copy the config to the new

Monday, February 24, 2014

3560 switches, differences

I have been looking at deploying a small core switch design for an important branch office that would consist of 2 cores with an etherchannel link and then 4 POE access switches linked to both cores utilising STP. I will also want static IP routing on the cores and will set up HSRP for gateway failover.

The initial switch I looked at for the core was WS-C3560X-24T-L, however after finding that there is no stock around of this at the moment I have seen the WS-C3560X-24T-S which looks like it will do everything I need including IP routing, HSRP and QoS for VOIP. The thing that concerns me is this is about £1000 cheaper so I'm slightly worried I'm missing something. Any help in identifying this would be much appreciated?

First of all the 3560E is end of life and the 3560X is the replacement for it, so you should go for it. I don't believe you will have any feature shortcomings.

Basically I understand 3560X are an evolution of 3560E switches. But they have some modularity. On the 3560X you won't have gigabit or 10 gigabit uplinks unless you order them if you need to. The 3560E came with fixed 10 gigabit uplinks.
I also read somewhere that 3560X are more energy efficient.

From 3560X Q&A 2nd question:

Q. What is new in the Cisco Catalyst 3750-X and 3560-X Series Switches?
A. The Cisco Catalyst X-Series switches build on the E-Series switches and add the following features:
• Cisco StackPower™ technology, available only on the Cisco Catalyst 3750-X (requires IP Base), manages power very efficiently by aggregating and sharing power supplies across a stack of switches. It also supports a feature known as Zero-Footprint RPS.
• Field-replaceable network module provides 4 x 1 Gigabit and 2 x 10 Gigabit uplink interfaces for the switch.
• Full 802.3at PoE+ support provides 30W per port on all 48 ports in a single rack unit (RU) switch.
• New LAN Base feature set offers comprehensive Layer 2 functionality.
• Dual redundant power supplies and fans: Four high-efficiency power supply options are available, including a DC power supply for PoE applications. Two redundant, field-replaceable fan modules are also included.
• MACsec provides hardware-based encryption (802.1ae) at line rate on all 48 ports (requires IP Base). Includes MACsec Key Agreement (MKA) (included in Dot1X-rev).

Wednesday, February 19, 2014

3750 vlan interface

Is there a way to create a VLAN interface that wouldn't be routed, like on a layer 2 switch?

I'd like to use this interface on a layer 2 isolated network, only to manage the c3750 by ssh.

ardhuin-s wrote:

sorry, I wasn't clear about the deployment:

I have a c3750 stack with 10 vlans and 8 VLAN interfaces:

Vlan1                  10.114.253.254  YES NVRAM  up                    up
Vlan2                  10.114.1.254    YES NVRAM  up                    up
Vlan10                 10.114.10.254   YES NVRAM  up                    up
Vlan11                 10.114.11.254   YES NVRAM  up                    up
Vlan12                 10.114.12.254   YES NVRAM  up                    up
Vlan249                10.114.249.254  YES NVRAM  up                    down
Vlan250                10.114.250.254  YES NVRAM  up                    up
Vlan252                10.114.252.254  YES NVRAM  up                    down

with "ip routing" enabled.

So there's a route created automatically for each VLAN interface/subnet:

     10.0.0.0/24 is subnetted, 6 subnets
C       10.114.10.0 is directly connected, Vlan10
C       10.114.11.0 is directly connected, Vlan11
C       10.114.12.0 is directly connected, Vlan12
C       10.114.1.0 is directly connected, Vlan2
C       10.114.250.0 is directly connected, Vlan250
C       10.114.253.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.114.250.1

I'd like to create an interface vlan 254 with an ip address that would not appear in the routing table.

I don't want the subnet of vlan 254 to be routed by the c3750 stack.

The global routing table will contain all the routes. If you want to have a separate routing table for your management only, then you need to create a VRF and put your management vlan in that VRF. This way you have complete separation between the global and VRF tables.
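As an added example (not from the reply above or from Cisco), this is what that VRF answer looks like on a 3750 stack, and it also covers the management-VLAN procedure from the March 18 post: the SVI lives in its own VRF with its own default route, so 10.114.254.0/24 never appears in the global table the poster showed. The 10.114.254.0/24 subnet, gateway 10.114.254.1 and port GigabitEthernet1/0/24 are assumptions, and VRF-lite requires the IP Services image on the 3750.

```ios
! Added example: management SVI isolated in a VRF. Addresses are constructed.
vlan 254
 name MGMT
!
ip vrf MGMT
 description Management plane, kept out of the global routing table
!
interface Vlan254
 description Management SVI (SSH only)
 ! "ip vrf forwarding" clears any IP address on the interface, so set it first.
 ip vrf forwarding MGMT
 ip address 10.114.254.254 255.255.255.0
 no shutdown
!
! Default route that exists only inside the MGMT VRF; the global table is untouched.
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.114.254.1
!
! Access port placed in the management VLAN
interface GigabitEthernet1/0/24
 switchport mode access
 switchport access vlan 254
!
! Only management hosts may open a VTY session, and only over SSH.
! "vrf-also" is required or connections arriving via the VRF are refused.
ip access-list standard MGMT-HOSTS
 permit 10.114.254.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! Verification:
!   show ip vrf interfaces        - Vlan254 bound to MGMT
!   show ip route vrf MGMT        - the 10.114.254.0 connected route and the static default
!   show ip route                 - global table, with no 10.114.254.0 entry
```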

Monday, February 17, 2014

3750 PoE problem

I have 4 switches connected in a stack.

Switch 01: WS-C3750G-48PS-S
Switch 02: WS-C3750-48PS-S
Switch 03: WS-C3750-48PS-S
Switch 04: WS-C3750-48PS-S

xx01#sh power inline
Module   Available     Used     Remaining
          (Watts)     (Watts)    (Watts)
1           370.0       29.0       341.0
2             n/a        n/a         n/a
3           370.0       29.4       340.6
4             n/a        n/a         n/a

but when I try to connect a PoE phone in modules 2 or 4 it doesn't work.

Any idea why the watts available says n/a?

xx01# sh env power all
SW  PID                 Serial#     Status           Sys Pwr  PoE Pwr  Watts
1  Fixed                                            Good
2  Fixed                                            Good
3  Fixed                                            Good
4  Fixed                                            Good

Regards and thanks

Ok, Herman. Can you post the output of the following commands:

1. sh switch detail; and
2. sh version