Tuesday, March 18, 2014

Configure a Management Interface for 3550 and 3750 Series Switches

On Catalyst 3550 and Catalyst 3750X series switches that run Cisco IOS Software, any routable interface can be used for management. There are three options to configure this interface.

Option 1: Configure a loopback interface for switch management. There are a few advantages to a loopback interface. A loopback is a virtual interface that is always up. Packets that are routed to the loopback interface are rerouted back to the L3 switch or router and processed locally. IP packets that are routed out the loopback interface but are not destined to the loopback interface are dropped. This means that the loopback interface also serves as the null 0 interface. The loopback interface serves as the router ID for OSPF and so on. This example uses loopback 0:

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface loopback 0
Switch(config-if)#ip address 10.1.1.1 255.255.255.255

!--- The loopback interface should have a 32-bit subnet mask, which means that
!--- the 10.1.1.1 address is the only destination address in this subnet.

Switch(config-if)#end
Switch#

You must also configure a routing protocol to distribute the subnet that is assigned to the loopback address, or create a static route.

Option 2: Configure the interface as an L3 routed interface with an IP address. All interfaces on a Catalyst 3550 or 3750 switch that runs Cisco IOS Software are L2 by default. In order to make an L2 interface an L3 interface, issue the no switchport command and then configure an IP address. All interfaces are enabled by default, so you do not need to issue the no shutdown command. This example uses Fast Ethernet 2/0/1 on a Catalyst 3750:

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 11.1.1.1 255.0.0.0
Switch(config-if)#end
Switch#

If you issue the show running-config interface fastethernet 2/0/1 command, this output displays:

Switch#show running-config interface fastethernet 2/0/1
Building configuration...
Current configuration : 81 bytes
!
interface FastEthernet2/0/1
 no switchport
 ip address 11.1.1.1 255.0.0.0
end
Switch#

Option 3: Configure an L2 interface as a part of a specific VLAN. Issue the switchport mode access command and the switchport access vlan vlan-id command, and use a corresponding SVI with an IP address.

Complete these steps:

Step 1: Issue these commands:

Switch(config)#interface vlan 1

!--- Interface VLAN 1 is an SVI.

Switch(config-if)#ip address 10.1.1.1 255.0.0.0
Switch(config-if)#no shut

Note: This example uses VLAN 1 as the management VLAN. VLAN 1 is in the VLAN database by default.

Step 2: Issue the switchport mode access command under the desired physical interface if you want confirmation that the interface is an access switch port.

By default, all interfaces are L2 interfaces and are access switch ports in VLAN 1. If you plan to use VLAN 1 as the management VLAN, no configuration is necessary under the interface. But if you want confirmation in the configuration that the interface is indeed an access switch port, you need to use the switchport mode access command.

This example uses Fast Ethernet 2/0/1:

Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#switchport mode access
Switch(config-if)#end

If you issue the show run interface fastethernet 2/0/1 command, this output now displays:

Switch#show run interface fastethernet 2/0/1
Building configuration...
Current configuration : 59 bytes
!
interface FastEthernet2/0/1
 switchport mode access
end
Switch#

Step 3: If you want to change the management interface from the default VLAN 1 to another VLAN, issue the interface vlan vlan-id command in order to create a new SVI.

You must then issue the switchport access vlan vlan-id command in order to configure an L2 interface to be a part of the new VLAN. This example demonstrates this process:

Switch(config)#interface vlan 2
Switch(config-if)#ip address 20.1.1.1 255.0.0.0
Switch(config-if)#no shut

!--- Configure an interface to access the new management VLAN.

Switch(config)#interface fastethernet 2/0/1
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end
Switch#

If you issue the show run interface fastethernet 2/0/1 command, this output now displays:

Switch#show run interface fastethernet 2/0/1
Building configuration...
Current configuration : 85 bytes
!
interface FastEthernet2/0/1
 switchport access vlan 2
 switchport mode access
end
Switch#

In order for the switch to access remote networks, you must have either:

- A default gateway that is set for the next hop router that is directly connected to the switch, or
- A dynamic routing protocol configured

If you are not routing IP, issue the ip default-gateway ip-address command in order to configure a gateway router IP address.

If you plan to configure dynamic routing, keep in mind that IP routing is disabled by default. You must issue the global ip routing command in order to enable IP routing. Routing Information Protocol (RIP) is the only dynamic routing protocol that is supported when you use the Standard Multilayer Software Image (SMI). The Enhanced Multilayer Software Image (EMI) is required for Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), OSPF, and Border Gateway Protocol (BGP) support. In order to configure dynamic routing, use the router routing_protocol command. Issue the show ip route command in order to view the status of the routing table.
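As an added example (not part of the original article), the following Python audit parses the text of show running-config into interface stanzas and maps each one to the three options above, flagging a loopback whose mask is not 32 bits and reporting whether an access port still sits in the default VLAN 1; the running-config text is constructed for illustration.

```python
# Constructed sample running-config covering the three options above: a loopback,
# a routed port (no switchport) and an SVI with an access port. Loopback1
# deliberately carries a /24 mask so the loopback check has something to flag.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
interface Loopback1
 ip address 10.2.2.2 255.255.255.0
interface Vlan2
 ip address 20.1.1.1 255.0.0.0
interface FastEthernet2/0/1
 switchport access vlan 2
 switchport mode access
interface FastEthernet2/0/2
 no switchport
 ip address 11.1.1.1 255.0.0.0
"""

def parse_interfaces(config):
    """Split IOS running-config text into {interface name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return interfaces

def classify(name, cmds):
    """Return (option, addressing, caveat) for one interface stanza."""
    ip = next((c for c in cmds if c.startswith("ip address ")), None)
    if name.lower().startswith("loopback"):
        mask = ip.split()[3] if ip else None
        caveat = "" if mask == "255.255.255.255" else "loopback should use a 32-bit mask"
        return ("option1-loopback", ip, caveat)
    if name.lower().startswith("vlan"):
        return ("option3-svi", ip, "" if ip else "SVI has no ip address")
    if "no switchport" in cmds:
        return ("option2-routed", ip, "" if ip else "routed port has no ip address")
    access = next((c for c in cmds if c.startswith("switchport access vlan ")), None)
    vlan = access.split()[-1] if access else "1"   # access ports default to VLAN 1
    return ("option3-access", "vlan " + vlan, "uses default VLAN 1" if vlan == "1" else "")

def audit(config):
    """Classify every interface stanza in a running-config."""
    return {n: classify(n, c) for n, c in parse_interfaces(config).items()}
```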
Wednesday, March 12, 2014

Configuring IEEE 802.1x Port-Based Authentication

IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. The switch command reference and the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.

Device Roles

Client: the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the 802.1x standard.)

Authentication server: performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Switch (edge switch or wireless access point): controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. (The switch is the authenticator in the 802.1x standard.)

When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.

The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, Cisco 3560, Catalyst 3550, Catalyst 2975, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1x authentication.
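As an added example (not part of the original document), this Python code models the authenticator's relay step described above: an EAPOL frame from the client has its Ethernet and EAPOL headers stripped and the unmodified EAP packet is carried in RADIUS EAP-Message attributes (type 79, at most 253 bytes of value each); on the way back the attributes are reassembled and re-encapsulated for Ethernet. It assumes only the attribute encoding, not a complete RADIUS packet or its Message-Authenticator, and all frames and MAC addresses are constructed samples.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0                               # EAPOL packet type "EAP-Packet"
RADIUS_EAP_MESSAGE = 79                            # RADIUS attribute type EAP-Message
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # 802.1X PAE multicast destination

def eap_response_identity(identifier, identity):
    """Constructed supplicant EAP Response/Identity: code 2, id, length, type 1, identity."""
    data = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(data)) + data

def eapol_frame(src_mac, eap, dst_mac=PAE_GROUP_ADDR):
    """Wrap an EAP packet in EAPOL (version 1, EAP-Packet) behind an Ethernet header."""
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def eapol_to_radius_attrs(frame):
    """Authenticator, client -> server: drop the Ethernet and EAPOL headers and carry
    the EAP packet unmodified in EAP-Message attributes of at most 253 value bytes."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    eap = frame[18:18 + length]
    if ptype != EAPOL_EAP_PACKET or len(eap) != length:
        raise ValueError("EAPOL frame does not carry a complete EAP packet")
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(c)) + c for c in chunks)

def radius_attrs_to_eapol(attrs, dst_mac, src_mac):
    """Authenticator, server -> client: reassemble EAP-Message attributes into one EAP
    packet and re-encapsulate it for Ethernet; other attribute types are skipped."""
    eap, i = b"", 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if attrs[i] == RADIUS_EAP_MESSAGE:
            eap += attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return eapol_frame(src_mac, eap, dst_mac)

def eap_payload(frame):
    """Extract the EAP packet from an EAPOL frame (used to check the round trip)."""
    length = struct.unpack("!H", frame[16:18])[0]
    return frame[18:18 + length]
```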

Tuesday, March 4, 2014

Channelized vs clear channel E1

I understand a pure G.703 means clear channel = 2048kbps = unstructured E1 = unchannelized E1.

And a G.703/G.704 means a channelized E1 = 1984kbps = for data it can use timeslots 1-31, and TS0 is reserved for framing for G.704.

If the above two descriptions are correct, then I assume there is no such thing as "Channelized clear channel 1984k", is that correct? Someone told me about this term and I can't make sense of what that means, as I thought "channelized" and "clear channel" are mutually exclusive from an E1 data ckt perspective. Please correct me if this is wrong.

Now question onto the router:

If PTT delivers a 1984k E1, I will assume this means I can use a VWIC-1MFT-E1 module to connect to this handoff. And then I can configure:

Controller E1 0/0/0
channel-group 0 timeslots 1-31

So now I have a data ckt with 1984k bandwidth talking to the other side with similar config.

Question is, what if PTT delivers a clear channel 2048k ckt to me but I have no reason or need to use 2048k? I just need 1984k as I am connecting my router (CE) to a provider PE for MPLS VPN with a 1984k E1 port speed.

So if somehow the PTT loop is 2048k to me and to the provider (PTT is not the same provider as the MPLS provider), and if I really need 1984k instead,

a) first of all, can my VWIC-1MFT-E1 card still work on this clear channel handoff even though I really only need 1984k with timeslots 1-31?

b) if (a) is negative, does that mean even if I just need 1984k, I still need to use a VWIC-1MFT-G703 interface card?

c) If (b) is correct, then should I still configure

Controller E1 0/0/0
channel-group 0 timeslots 1-31

or should I configure

Controller E1 0/0/0
channel-group 0 timeslots unframed

I mean I don't want clear channel as the provider is doing 1984k for the MPLS port. So my question really is, can we still do timeslots 1-31 on a clear channel loop?

You've got an answer from an inexperienced representative who doesn't fully understand how E1 works. This is typical, especially in the USA TAC.