Cisco Catalyst 3850, Catalyst 3650 User Manual

Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide
First Published: November 30, 2015 Last Updated: December 14, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
    Audience
    Conventions
    Obtaining Documentation and Submitting a Service Request
Ease of Deployment
    Purpose
    Configuration Tool
    Catalyst Switch Configuration Best Practices
    LAN Access Switch Topology
    Switch Address Plan
Initial Switch Configuration
    Purpose
    Prerequisites
    Identify Configuration Values
    Assign Initial Management Information
        Configure the Hostname for Switch Identification
        Configure Secure HTTPS and Secure Shell for Secure LAN Management
        Configure SNMP for Remote Management
        Configure Local Login and Password for Switch Access
        Configure Centralized User Authentication Through TACACS+
        Assign an IP Address to the Switch
        Configure the Management IP Address on an Out-of-Band Interface
        Configure the Management IP Address on an In-Band Interface
        Create a Management VLAN in Hardware
        Verify Basic Switch Configuration
    Show Running Configuration for Initial Management Information
Switch Stack Update
    Purpose
    Prerequisites
    Identify Configuration Values
    LAN Access Switch Topology with Configured FTP Server
    Performing the Stack Update
        Obtain the Switch Software Image
        Check the Software Version on the Stack Members
        Configure the Switch to Run in Install Mode
        Download the Switch Image from Cisco.com to an FTP Server
        Update the Switch Stack Image
        Enable Switch Image Auto-Upgrade
        Verify that Stack Members Are Running the Same Software Image
Global System Configuration
    Purpose
    Prerequisites
    Identify Configuration Values
    Assign Global Configuration Information
        Configure High Availability on the Switch Stack
        Configure VTP Transparent Mode
        Enable Rapid Per-VLAN Spanning Tree
        Configure BPDU Guard for Spanning-Tree PortFast Interfaces
        Configure UDLD to Detect Link Failure
        Configure an Access List to Limit Switch Access
        Configure System Clock and Console Timestamps
        Configure DHCP Snooping Security Features
        Configure ARP Inspection
        Configure EtherChannel Load Balancing
        Create Access Layer VLANs
        Create IPv6 First Hop Security Policies
        Increase the TFTP Block Size
        Enable New Members to Automatically Update to the Switch Stack Image
        Verify Global Switch Configuration
    Show Running Configuration for Global Management Information
Uplink Interface Connectivity
    Purpose
    Prerequisites
    Restrictions
    Identify Configuration Values
    LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router
    Configure Uplink Interface Connectivity
        Recommendations for Configuring the Uplink Interface to a Router or Switch
        Configure QoS on the Uplink EtherChannel Interfaces
        Configure the Uplink Interface as an EtherChannel and as a Trunk
        Configure the Uplink Interface to Connect to Distribution VSS or VPC Switches
        Configure the Uplink Interface to Connect to Distribution Routers (or Standalone Distribution Switches)
        Configure Security Features on the Uplink EtherChannel Interfaces
        Spanning-Tree Recommendations for Uplink Interfaces Connecting to Distribution Switches
        Verify Uplink Interface Configurations
    Show Running Configuration for Uplink Interface Connectivity
Access Interface Connectivity
    Purpose
    Prerequisites
    Identify Configuration Values
    LAN Access Switch Topology with Connections to End Devices
    Configure Access Interface Connectivity
        Recommendations for Configuring Access Interfaces
        Configure the Interface for Access Mode
        Configure VLAN Membership
        Create an Interface Description
        Configure Security Features on Access Interfaces
        Configure QoS on the Access Interfaces
        Verify Access Interface Configurations
    Show Running Configuration for Access Interface Connectivity
Access Control on the Wired Network
    Purpose
    Prerequisites
    Restrictions
    Identify Configuration Values
    LAN Access Switch Topology with IEEE 802.1x Secure Access Control
    Provision IEEE 802.1x for Wired LAN
        Recommendations for Configuring Security on a Wired LAN
        Provision Common Wired Security Access
        Provision in Monitor Mode
        Provision in Low Impact Mode
        Provision in High Impact Mode
        Verify Secure Access Control on the Switch
    Show Running Configuration for Provisioning Modes
    Monitoring IEEE 802.1x Status and Statistics
Converged Wired and Wireless Access
    Purpose
    Prerequisites
    Restrictions
    Identify Configuration Values
    LAN Access Switch Topology with Wireless Connectivity
    Enable the Switch as a Wireless Controller
        Install Access Point Licenses on the Switch
        Verify AP-Count License Installation
        Configure a Wireless Management VLAN
        Configure Service Connectivity
        Enable Wireless Controller Functionality
        Change a Switch to Run in Mobility Controller Mode
        Enable the Access Point Connections
        Enable a Client VLAN
    Provisioning a Small Branch WLAN
        Provision in Easy-RADIUS
            Disable Authentication to Enable Easy-RADIUS
            Configure QoS to Secure the WLAN
            Verify Client Connectivity in RADIUS
        Provision in Secure Mode
            Enable the AAA RADIUS Server
            Configure the WLAN with IEEE 802.1x Authentication
            Configure QoS Service Policies for an Open WLAN
            Obtain WLAN Client IP Addresses
        Manage Radio Frequency and Channel Settings
            Disable Low Data Rates
            Enable Clean Air
            Enable Dynamic Channel Assignment
        Associate WLAN Clients
            Verify WLAN Client Connectivity
        Verify the Converged Access Configuration on the Switch
    Show Running Configuration for Wireless LAN Converged Access
System Health Monitoring
    Purpose
    Prerequisites
    Show Running Status
    Run a System Baseline for Core Resources
        Obtain CPU and Core Processor Usage
        Obtain Switch Memory Usage
        Monitor File Systems Usage
    Run a System Baseline for Environmental Resources
    Other System Monitoring Considerations
        Spanning Tree Monitoring
Index

Preface

Audience
This document is written for those who manage Cisco Catalyst 3850 Series switches and Cisco Catalyst 3650 Series switches and switch stacks in their network. A basic understanding of Ethernet networking is expected. Cisco Certified Network Associate (CCNA) level knowledge is helpful, but not required.

Conventions

This document uses the following conventions:

Convention | Indication
italic blue font | Example configuration values that are replaced with reader values.
bold font | Commands and keywords and user-entered CLI appear in bold font.
italic font | Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] | Default responses to system prompts are in square brackets. Elements in square brackets are optional.
{x | y | z} | Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z] | Optional alternative keywords are grouped in brackets and separated by vertical bars.
string | A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
courier font | Terminal sessions and information the system displays appear in courier font.
< > | Nonprinting characters such as passwords are in angle brackets.
!, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note | Means reader take note. Notes contain helpful suggestions or references to material that is not covered in the manual.
Tip | The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Timesaver | You can save time by performing the action described in the paragraph.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

Ease of Deployment

This document describes best practices for deploying your Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series switches.
Note Unless otherwise noted, the term switch refers to a standalone Catalyst 3850 switch, a Catalyst 3650 switch, or a switch stack.
A Cisco switch deployment best practice is a preferred configuration method to employ on your Catalyst switches. It is a proven and tested way to improve network security, performance, and availability.
A best practice configuration includes an explanation of why you should perform a given task and a sample snapshot of a full running configuration that you can extrapolate for your specific scenario.
Tip Use the configuration recommendations in this document as a template for your switch deployments.
Note Many Cisco documents are available that define best practices for a variety of features and solutions. There will be some overlap between the information provided in this guide and other best practices and deployment guides. When relevant, this document references other existing documents so the reader can get a deeper understanding of an aspect of the 3850 operation. Otherwise, this document is self-contained, and provides complete best practice configuration.

Configuration Tool

The configuration examples in this document use the Cisco IOS CLI configuration tool, which is the most common tool used to configure a switch.
However, you do have the flexibility to use a different tool to perform switch configuration. Other configuration tools are the Express Setup, Device Manager, and Cisco Prime.
The examples provided in this document show the CLI commands that you should execute on your switch. You must replace the blue italicized example values with your own values.

LAN Access Switch Topology

Figure 1 LAN Access Switch Topology with Distribution Switch (figure not reproduced; its labels are: dual redundant switches in the distribution layer running VSS (Cat6500/6800/4500) or VPC (Nexus 7000); trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; end devices: desktop user, desktop user direct connect, printer, wireless access; VLAN labels: voice VLAN 11, data VLAN 10, access point VLAN 12)
The workflows described in this document assume that a switch is deployed as a LAN access switch. Unless noted otherwise, a switch that is in the LAN access layer is configured as a Layer 2 switch, with all Layer 3 services provided by the directly connected distribution switch or router.
This document assumes that the switches are stacked together to form a switch stack (a common switching unit). We recommend that you use switch stacks because of their built-in redundancy. We also recommend using switch stacks when deploying switches in converged access mode (wireless mode) and connecting access points to different stack members.
A switch deployed at the LAN access layer provides high-bandwidth connections to devices through 10/100/1000 Ethernet, with both Gigabit and 10-Gigabit uplink connectivity options.
When a switch is deployed in access mode, it enables end devices, such as IP phones, wireless access points, and desktops to gain access to the network. The Power over Ethernet (PoE) switch models support PoE+ (30 W) and UPoE (60 W) to power IP phones, wireless access points, and IP cameras. The field-replaceable uplink module from the switch enables different uplink connectivity types.
Figure 1 shows an enterprise campus deployment, where the switch is connected to a distribution layer switch (such as a Catalyst 6500, 6800, 4500 or a Nexus 7000 switch).
Figure 1 LAN Access Switch Topology with Distribution Switch
Figure 2 shows a branch deployment, where the switch is connected to a router (ISR). Because the switch operates as a Layer 2 switch, not many differences occur in the configuration between the campus or branch deployment cases. Differences in the configuration are noted in the best practice procedures.
Figure 2 LAN Access Switch Topology with Distribution Router (figure not reproduced; its labels are: dual redundant routers running HSRP; trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; end devices: desktop user behind IP phone, desktop user direct connect, printer, wireless access; VLAN labels: voice VLAN 11, data VLAN 10, access point VLAN 12)

Cisco Catalyst Switch Configuration Workflow
This document focuses on configuring a switch network and is organized in a workflow pattern, beginning with the initial configuration of a switch after it is racked, mounted, connected, and powered on, and ending with monitoring system health.
Figure 3 shows the best-practice configurations described in this document.
See the Switch Hardware Installation Guide for information on how to install a switch.
Figure 3 Cisco Catalyst Switch: Configuration Workflow (flowchart not reproduced; its boxes are: install a switch; complete initial switch configuration on the first day of deploying the switch; are switch stack members running the same image? if not, update the image on switch stack members; configure global switch settings to define common configuration; configure switch connections to distribution switches or routers; configure switch connections to end devices (such as access points, IP phones, laptops, printers); configure secure access on the switch and on connected devices; configure wireless LAN access on the switch to enable converged access functionality; configure QoS on wired and wireless traffic to guarantee network performance; monitor switch health to maintain network stability and performance)

Switch Address Plan

The VLAN IDs and IP addresses designated for a switch and used throughout this document are not part of the best practices; they are specified only for the configuration examples. Your deployment will have an IP address plan that suits your specific network.
In this document, all IP address ranges are /24 for the sake of simplicity. We recommend that VLAN IDs be reused across the access switches deployed.
For example, in the access layer, VLAN 10 is always used for data, and VLAN 11 is always used for voice. The IP subnets for those VLANs are different across the access switches, but the VLAN IDs are the same. This type of address plan makes it easier to operate the network because the same VLAN IDs are consistent.
Table 1 IP Address Plan
VLAN ID | IP Address | Server | Description
100 | 192.168.1.0/24 | | Switch in-band management VLAN.
10 | 192.168.10.0/24 | Upstream device | Access data VLAN for end devices and subnet.
11 | 192.168.11.0/24 | Upstream device | Access voice VLAN for IP phones and subnet.
12 | 192.168.12.0/24 | Catalyst 3850 switch | Access point VLAN and subnet.
200 | 192.168.13.0/24 | Upstream device | Wireless client VLAN and subnet.
| 192.168.254.0 | | IP address range for all central services. The services are not physically adjacent to the switch.

Switch Stack Update

This workflow explains how to update all members of a switch stack with the same software image.
Before proceeding with global and advanced configurations on a switch stack, all stack members must be running the same Cisco IOS XE release to avoid mismatch issues. In addition, any new switch that needs to join the switch stack must also be running the same Cisco IOS XE release; otherwise, the switch stack will not converge and the new switch will remain in a standalone state.
Note Updating a Catalyst 3850 or 3650 switch stack is different from updating a Catalyst 3750 switch stack. Simply changing the boot statement to the desired .bin file is not recommended for Catalyst 3850 and 3650 switch stacks. The update process for Catalyst 3850 and 3650 switch stacks includes a series of package files, which are extracted from the .bin file and loaded into flash.

Prerequisites

Obtain a valid Cisco Connection Online (CCO) account with entitled credentials.
The process to install the new IOS version will use either FTP or TFTP. This requires an FTP or TFTP server to be available to host the 3850 IOS software, and the server must be reachable over an IP network.
Install and configure the TFTP or FTP server before you begin.
Verify that the TFTP block size is set at the maximum value of 8192, as described in the “Increase the TFTP Block Size” section.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you are ready to proceed with this section without interruption. As you follow the configuration sequence, replace the values in column B with your values in column C.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
Table 1 Switch Stack Update Configuration Values
A. Value Name | B. Example Value | C. Your Value
hostname | 3850-access-Bld1Flr1 |
TFTP server | 192.168.254.12 |
Flash file | cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin |
Note Configuration examples begin in global configuration mode unless noted otherwise.

LAN Access Switch Topology with Configured TFTP Server

Figure 1 LAN Access Switch Topology with Configured TFTP Server (figure not reproduced; its labels are: dual redundant switches in the distribution layer running VSS (Cat6500/6800/4500) or VPC (Nexus 7000); FTP server 172.18.121.121; trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; end devices: desktop user, desktop user direct connect, printer, wireless access; VLAN labels: voice VLAN 11, data VLAN 10, access point VLAN 12)

Performing the Stack Update

Note Perform the following tasks in the sequence listed here.
Obtain the Switch Software Image
Check the Software Version on the Stack Members
Configure the Switch to Run in Install Mode
Installing IOS image from local TFTP/FTP server
Update the Switch Stack Image

Obtain the Switch Software Image

We recommend that you review the appropriate switch release notes before installation to ensure compatibility with your network topology. Each platform on Cisco.com has a Cisco-suggested release based on software quality, stability, and longevity, which is designated by the symbol displayed in Figure 2, “Cisco Catalyst 3850-48P-S Switch”.
Step 1 Download the desired .bin file from Cisco.com to the switch flash storage.
Note The purpose of this example is only to show you how the Cisco-suggested release symbol is designated, and not to give you recommended release versions because those change over time.
Figure 2 Cisco Catalyst 3850-48P-S Switch (figure not reproduced)

Check the Software Version on the Stack Members

Step 2 Verify the running software version.

Switch# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.1.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 12-Nov-15 16:23 by mcpre

Switch Ports Model        SW Version     SW Image               Mode
------ ----- -----        ----------     ----------             ----
*    1 32    WS-C3850-24P Denali 16.1.1  CAT3K_CAA-UNIVERSALK9  BUNDLE
     2 32    WS-C3850-24P Denali 16.1.1  CAT3K_CAA-UNIVERSALK9  BUNDLE
     3 32    WS-C3850-24P Denali 16.1.1  CAT3K_CAA-UNIVERSALK9  BUNDLE

Configure the Switch to Run in Install Mode

Your switches should run in install mode while in production. This mode is not a requirement, but the update procedure is different if your switches are running in a mode other than install mode.
Note To learn the differences between the install and bundle installation modes, see the “Working with the Cisco IOS File System, Configuration File, and Software Bundle Files” chapter of the Cisco IOS File System, Configuration Files, and Bundle Files Appendix, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).
Step 3 If your switch stack is running in bundle mode, use the request platform software package expand switch file to flash command to convert it to install mode.

request platform software package expand switch 1 file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.b

Step 4 After the .bin file has successfully extracted to flash, change the boot statement and boot to the packages.conf file.

no boot system
boot system switch all flash:packages.conf
exit
write memory
reload

Note Since the format of the packages.conf file has changed in Cisco IOS XE Release Denali 16.1, overwrite the old packages.conf with the new packages.conf file. Perform the above step for each switch in your stack. If you have a 3 member stack, it will need to be done on flash:, flash-2:, and flash-3:.
Note Make sure the TFTP server is reachable. To improve performance, increase the TFTP block size to 8192. Use the ip tftp blocksize bytes command in global configuration mode.
Step 5 Confirm that the switch stack is now running in install mode.

Installing IOS image from local TFTP/FTP server

You can use any file transfer method that you are familiar with, but we recommend TFTP or FTP.
Step 6 Confirm the block size configuration using the following command:

# show run | inc block
ip tftp blocksize 8192

We recommend that you use a TFTP block size of 8192 (maximum allowed value) before attempting to use TFTP or FTP to transfer a file to the switch. Refer to the “Increase the TFTP Block Size” section in the “Global System Configuration” workflow for details.
Step 7 Make sure that there is connectivity to the TFTP server.
In this example, a TFTP server is used that is accessible through the in-band network.

ping 192.168.254.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.12, timeout is 2 seconds:
!!!!

Step 8 After verifying connectivity, make sure that there is enough room in flash on all the switch stack members.
Step 9 If you determine that files must be purged from flash, run the request platform clean switch command to erase unneeded files within flash on all the stack members.
We recommend using the request platform clean switch command instead of individually deleting files. The command provides a list of the files to purge so that you understand what files are deleted when you confirm deletion.
Note Use the switch all option to clean up all switches in your stack.
Note The request platform clean switch command also deletes the .bin file that is used to install the new Cisco IOS software. After the .bin is extracted, you no longer need it.
Device# request platform software package clean switch all file flash:
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ... done.
Running command on switch 2
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ... done.
The following files will be deleted:
[1]:
/flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin
/flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/packages.conf
/flash/packages.conf.00-
/flash/packages.conf.01-
/flash/packages.conf.02-
[2]:
/flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin
/flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/packages.conf
/flash/packages.conf.00-
/flash/packages.conf.01-
/flash/packages.conf.02-
Do you want to proceed? [y/n]y
[1]:
Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done.
Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:packages.conf ... done.
Deleting file flash:packages.conf.00- ... done.
Deleting file flash:packages.conf.01- ... done.
Deleting file flash:packages.conf.02- ... done.
SUCCESS: Files deleted.
[2]:
Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done.
Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:packages.conf ... done.
Deleting file flash:packages.conf.00- ... done.
Deleting file flash:packages.conf.01- ... done.
Deleting file flash:packages.conf.02- ... done.
SUCCESS: Files deleted.
Step 10 Copy the switch image from the TFTP server to flash using the copy tftp: flash: command.
The following example shows that the TFTP server (192.168.254.12) requires a user name (admin) and password (cisco), which can easily be integrated into the copy command:

copy tftp://admin:cisco@192.168.254.12/IOS/3850/cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin flash:

Update the Switch Stack Image

Step 11 Upload the image to the stack members, and then reload the switch.
The image download and installation can be performed while the stack is in-service, but to complete the update install, you must perform a switch reload, which causes a service outage.

software install file flash:cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin
[1 2]: Do you want to proceed with reload? [yes/no]

Step 12 After the reload completes, run the request platform software package clean switch all file flash command.

Device# request platform software package clean switch all file flash:
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ... done.
Running command on switch 2
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ... done.

Verify that Stack Members Are Running the Same Software Image

To verify that stack members are using the same software, use the show version command on all members of the switch stack.

Enable Switch Image Auto-Upgrade

Step 13 Enable auto-upgrade so that new or replacement stack members are automatically upgraded with the software running on the switch stack.
If you are adding a new member, or replacing a stack member, we recommend that you enable the auto-upgrade feature within the stack. This feature helps to avoid stack mismatch issues and ensures that any new switches are upgraded to the version currently running on the stack; it also converts a member in bundle mode to install mode.
The auto-upgrade feature automatically installs the software packages from an existing stack member to the stack member that is running incompatible software.

software auto-upgrade enable
end

Note Auto-upgrade is disabled by default.
Note The rolling-upgrade feature is not supported.
Initial Switch Configuration

This workflow explains how to configure the basic settings on a switch.
Whether the configuration of a switch is deployed all at once or in phases, the basic switch settings must be configured first. The initial management configuration includes setting IP addresses, passwords, and VLANs, which are the prerequisites for future feature configuration.

Prerequisites for Initial Switch Configuration

Refer to the switch Hardware Installation Guide to complete the following tasks:
1. Rack-mount the switch.
2. Connect the StackWise cables.
3. Connect the switch ports.
4. Power on the switch.
5. Provision your upstream switch.
6. Connect at least one Ethernet cable from the uplink interface on the switch to the upstream switch or router.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed with this section without interruption. We recommend that you print Table 3 and, as you follow the configuration sequence, replace the example values in column B with your values in column C.
Note Replace the blue italicized example values with your own values.
Table 3 Initial Configuration Values
A. Value Name                                               B. Example Value                        C. Your Value
Hostname                                                    3850-access-Bld1Flr1
SNMP community strings for read-only and read-write access  my-SNMP-RO-name, my-SNMP-RW-name
Management VLAN ID                                          100
In-band management IP address and mask                      192.168.1.2 255.255.255.0
Default gateway                                             192.168.1.1
Secret password                                             my-secret-password
TACACS+ server IP address                                   192.168.254.10
TACACS+ server secret key                                   cisco123
Uplink interface ID                                         GigabitEthernet 1/1/1
Management VRF IP address for out-of-band interface         Mgmt-vrf 192.168.128.5 255.255.255.0
Mgmt-vrf default route next hop                             192.168.128.1
Native VLAN                                                 999, dummy
Note The configuration examples provided in this document begin in global configuration mode, unless noted otherwise.
Assign Initial Management Information
Note The following configurations should be performed in the same sequence in which they are listed here.
Configure the Hostname for Switch Identification
Configure Secure HTTPS and Secure Shell for Secure LAN Management
Configure SNMP for Remote Management
Configure Local Login and Password for Switch Access
Configure Centralized User Authentication Through TACACS+
Configure a Management IP Address on an Out-of-Band Interface
Configure a Management IP Address on an In-Band Interface
Create a Management VLAN in Hardware
When you have completed these sections, enter the show running-configuration command to display the initial management information for the switch.
Configure the Hostname for Switch Identification

Step 1 Configure the hostname on the switch to identify the switch in your network. By default, the system name and prompt are Switch.
Set the hostname from the switch product family, the role of the switch in your network, and the switch location.
Note that the system name is also used as the system prompt. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt, with a greater-than symbol (>) appended. The prompt is updated whenever the system name changes.
This example is for a switch serving as an access layer switch located on the first floor of Building 1.
hostname 3850-access-Bld1Flr1
Note Users can now proceed to the Configure Secure HTTPS and Secure Shell for Secure LAN Management section.

Configure Secure HTTPS and Secure Shell for Secure LAN Management

Step 2 Disable the unencrypted HTTP and Telnet protocols on the switch.
Step 3 Configure Secure HTTP (HTTPS) and Secure Shell (SSH) to enable secure management of the switch.
Enabling HTTPS automatically generates a cryptographic key for the service. When SSH is configured after HTTPS, you do not have to explicitly generate the key that SSH requires, unless you want to change the default key size.
The transport input ssh command on the VTY lines is what disables Telnet: only SSH sessions are accepted. We recommend that you also use the transport preferred none command on the VTY lines to prevent connection attempts caused by mistyped CLI input. Without this command, a mistyped command is treated as a host name to connect to; if your IP name server is unreachable, long timeout delays occur.
Note If the switch acts as a web authentication server or as an authentication proxy, do not disable the HTTP server with the no ip http server command.
no ip http server
ip http secure-server
ip ssh version 2
!
line vty 0 15
 transport input ssh
 transport preferred none
Configure SNMP for Remote Management

Step 4 Enable Simple Network Management Protocol (SNMP) so that a remote Network Management System (NMS) can manage the network infrastructure devices. Configure SNMPv2c read-only and read-write community strings, as shown in the following example. Once the community strings are configured, SNMP tools can monitor the switch, including its statistics.
snmp-server community my-SNMP-RO-name RO
snmp-server community my-SNMP-RW-name RW
SNMPv2c community strings are sent in clear text and act as passwords, so treat them as such; the "Configure an Access List to Limit Switch Access" step in the Global System Configuration workflow restricts the sources that may use them.

Configure Local Login and Password for Switch Access

Step 5 Configure a local user ID and password to secure access to the switch.
We recommend that you encrypt passwords to secure access to the device configuration mode and to prevent plain text passwords from being displayed in configuration files. The secret keyword stores a one-way hash of the password; service password-encryption only obscures (reversibly) any passwords that are still stored with the password keyword.
username admin privilege 15 secret my-password
enable secret my-secret-password
service password-encryption

Configure Centralized User Authentication Through TACACS+

Note Configuring the TACACS+ protocol is optional and recommended only when you use TACACS+ to manage all of your network devices.
Step 6 Configure centralized user authentication through the TACACS+ protocol.
As the number of devices in a network grows, maintaining local user accounts on every device becomes an operational burden. A centralized authentication, authorization, and accounting (AAA) service reduces the per-device work and provides an audit log of user access for security compliance and root-cause analysis. When AAA is enabled for access control, all management access to the network infrastructure devices (SSH and HTTPS) is controlled by the AAA service.
TACACS+ is the primary protocol used to authenticate administrators to the management infrastructure devices; the device asks the AAA server whether access is allowed. The local AAA user database defined on each device (Step 5) provides a fallback authentication source in case the centralized TACACS+ server is unavailable; the local keyword at the end of the method lists below enables that fallback.
This example shows how to configure the switch for TACACS+ administrative access. Note that ip http authentication local makes the HTTPS server authenticate against the local database; use ip http authentication aaa if the web interface should also use TACACS+.
aaa new-model
tacacs server TACACS-SERVER-1
 address ipv4 192.168.254.10
 key cisco123
 exit
!
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-SERVER-1
 exit
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
ip http authentication local
Step 7 To save your configuration, use the write memory command in privileged EXEC mode.
write memory
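To check that a switch actually ends up with the settings from Steps 2 through 7, the following Python script parses a running-config excerpt and reports each missing or weakened setting: plaintext HTTP left on, SSH not pinned to version 2, VTY lines that accept Telnet or lack an access class, a reversible enable password, no local fallback in the AAA login method list, and SNMP communities without an access list. It is an added example and not a Cisco tool; the two configuration excerpts inside it are constructed for this example, and the parser only understands the one-space indentation of IOS running-configs, which is all these checks need.

```python
"""Audit a Catalyst running-config excerpt for the management-plane settings
this workflow recommends (Steps 2 to 7). Added example, not Cisco tooling.
Both sample configs below are constructed for this example."""
from typing import Dict, List, Tuple

# Constructed sample: a switch configured as the workflow recommends.
HARDENED_CONFIG = """\
hostname 3850-access-Bld1Flr1
service password-encryption
no ip http server
ip http secure-server
ip ssh version 2
username admin privilege 15 secret 5 $1$abcd$constructedHashValue
enable secret 5 $1$wxyz$constructedHashValue
aaa new-model
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
access-list 55 permit 192.168.128.0 0.0.0.255
snmp-server community my-SNMP-RO-name RO 55
interface Vlan100
 ip address 192.168.1.2 255.255.255.0
line vty 0 15
 access-class 55 in vrf-also
 transport input ssh
 transport preferred none
"""

# Constructed sample: the same switch before the workflow was applied.
WEAK_CONFIG = """\
hostname Switch
ip http server
enable password cisco
aaa new-model
aaa authentication login default group TACACS-SERVERS
snmp-server community public RO
line vty 0 15
 transport input telnet ssh
"""


def parse_config(text: str) -> Tuple[List[str], List[Dict]]:
    """Split a running-config into top-level commands and 'line vty' blocks.
    IOS indents the commands that belong to a section by one space."""
    top: List[str] = []
    vty_blocks: List[Dict] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # inside a 'line vty' section
                current["commands"].append(raw.strip())
            continue                         # other sections are not needed here
        current = None
        line = raw.strip()
        top.append(line)
        if line.startswith("line vty"):
            current = {"name": line, "commands": []}
            vty_blocks.append(current)
    return top, vty_blocks


def audit(text: str) -> List[str]:
    """Return one finding per recommended setting that is missing or wrong."""
    top, vty_blocks = parse_config(text)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    # Steps 2 and 3: plaintext HTTP off, HTTPS on, SSH pinned to version 2
    if has("ip http server"):
        findings.append("http: plaintext HTTP server enabled (expected 'no ip http server')")
    if not has("ip http secure-server"):
        findings.append("https: 'ip http secure-server' missing")
    if not has("ip ssh version 2"):
        findings.append("ssh: 'ip ssh version 2' missing")
    # Step 5: hashed enable secret rather than a reversible enable password
    if not has("enable secret"):
        findings.append("enable: 'enable secret' missing")
    if has("enable password"):
        findings.append("enable: 'enable password' present; it is reversible")
    if not has("service password-encryption"):
        findings.append("passwords: 'service password-encryption' missing")
    # Step 6: with AAA on, the login method list must keep 'local' as fallback
    if has("aaa new-model"):
        login = [l for l in top if l.startswith("aaa authentication login default")]
        if not login or "local" not in login[0].split()[4:]:
            findings.append("aaa: login default method list has no 'local' fallback")
    # SNMP communities act as passwords; each should carry a source access list
    for line in top:
        if line.startswith("snmp-server community"):
            tokens = line.split()
            if tokens[-1] in ("RO", "RW"):     # no trailing ACL number or name
                findings.append(f"snmp: community '{tokens[2]}' has no access list")
    # VTY lines: SSH only, plus a source restriction
    if not vty_blocks:
        findings.append("vty: no 'line vty' section found")
    for block in vty_blocks:
        cmds = block["commands"]
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[0].split()[2:] != ["ssh"]:
            findings.append(f"vty: {block['name']} transport input is not SSH-only")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"vty: {block['name']} has no access-class")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Feed it the output of show running-config from a switch; the hardened sample produces no findings and the weak one produces ten, one per setting the workflow changes.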

Assign an IP Address to the Switch

Assign an IP address to the switch so that it can be managed remotely instead of only through a direct connection to the console port.
Although the switch supports multiple IP addresses for switch management, only the primary IP address is used for switch management.
Two types of IP addresses are used for switch management: in-band and out-of-band.
An in-band IP address is assigned to an interface that is reached through the production network. Examples of in-band interfaces that can be assigned IP addresses are VLAN, Ethernet, and loopback interfaces.
An out-of-band IP address is assigned to an interface that is not reachable through the production network. Out-of-band networks are more common in large network deployments. If you do not have an out-of-band network, use only an in-band address for management.
On the switch, the out-of-band interface is GigabitEthernet 0/0. This interface is not connected to the internal switching hardware but directly to the CPU, so IP traffic on GigabitEthernet 0/0 does not use the production network. If the physical topology of the deployment does not support out-of-band management, the switch can be managed with an in-band IP address.
We recommend that the switch be assigned two IP addresses for high availability: one on the out-of-band interface and one on an in-band interface. High availability for switch management ensures that the active switch of the stack always has a management IP address, so that all stack members remain accessible for management. You can have both an in-band and an out-of-band IP address as long as they are not in the same subnet. The preferred method for management is out-of-band, because it is highly available and less likely to be impacted by denial-of-service attacks and broadcast storms. The GigabitEthernet 0/0 interface on the switch is used for out-of-band management.
Configure the management IP addresses, as described in these sections:
Configure a Management IP Address on an Out-of-Band Interface
Configure a Management IP Address on an In-Band Interface
Create a Management VLAN in Hardware
Configure a Management IP Address on an Out-of-Band Interface

Step 8 Assign an IP address to the out-of-band interface.
Out-of-band management means managing the switch and all other networking devices through a physical network that is separate from the production network carrying end-user traffic. For out-of-band management, the switch uses the GigabitEthernet 0/0 interface, which is physically located on the rear of the switch, next to the blue console port.
The advantages of the GigabitEthernet 0/0 interface are:
The interface is not susceptible to network outages, such as broadcast storms or other problems on the production network, because it is separated from the data plane.
The interface is out-of-band and keeps the switch and all other networking devices manageable, so that you can respond quickly whenever there is a network issue.
Step 9 Configure a Virtual Routing and Forwarding (VRF) instance.
The out-of-band management interface is in its own VRF instance. This means that the routing table and protocol exchange for this interface are separate from those of the data network interfaces.
The limitations of the GigabitEthernet 0/0 interface are:
Management traffic originating from the switch must be associated with the GigabitEthernet 0/0 VRF instance. Mgmt-vrf is used to segment management traffic from the global routing table of the switch.
A default route for Mgmt-vrf is required.
This interface cannot be used as the source interface for sending SNMP traps. Sending traps to an SNMP trap server requires an IP address on a VLAN interface; see the "Configure a Management IP Address on an In-Band Interface" section.
Note Use the IP address value that you listed in the print-out (Table 3) for the out-of-band management configuration.
In the following example, the GigabitEthernet 0/0 interface is not on the switch data plane. This interface (also referred to as the service port) terminates on the CPU of the switch rather than on a logical interface of the forwarding ASIC. GigabitEthernet 0/0 differs from the Ethernet interfaces on the front of the switch in that it is only a Layer 3 (routable) interface. The front Ethernet interfaces default to Layer 2 mode and are used for bridging; they can be converted to routable interfaces with the no switchport interface command. The GigabitEthernet 0/0 interface does not function without an IP address assigned to it.
Mgmt-vrf is built in; you do not have to create it for out-of-band management. The default route must be placed in Mgmt-vrf (not in the global table) for the switch to reach management stations outside the out-of-band subnet.
interface GigabitEthernet 0/0
 ip address 192.168.128.5 255.255.255.0
 exit
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.128.1
Step 10 Verify the out-of-band configuration with the show ip route vrf command and a ping sourced from the VRF, as in the following example.
show ip route vrf Mgmt-vrf

Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.128.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.128.1
      192.168.128.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.128.0/24 is directly connected, GigabitEthernet0/0
L        192.168.128.5/32 is directly connected, GigabitEthernet0/0

ping vrf Mgmt-vrf 192.168.128.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.128.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Configure a Management IP Address on an In-Band Interface
Step 11 Assign your management IP address to a VLAN interface that is used only for management and does not carry other network traffic.
A VLAN interface is a Layer 3 endpoint on the subnet assigned to the corresponding VLAN.
Note For security reasons, do not use VLAN 1 as the management VLAN.
The management VLAN is a separate VLAN for managing the switch and all other network devices in the same subnet. You should assign an in-band IP address to a VLAN interface regardless of whether an IP address is assigned to the out-of-band interface.
With in-band management, the IP address is reached through the production network. For management purposes, the in-band IP address can be used the same way as the out-of-band IP address; there is no functional difference. However, the in-band IP address has more capabilities, because it is the source address for some of the traffic generated by the switch itself; for instance, SNMP traps are sent from the in-band IP address.
You can assign an IP address to your VLAN interface before you create the VLAN on the switch. The VLAN interface does not become operational until the VLAN is created in hardware and at least one physical interface that is a member of the VLAN is in a forwarding state.
This example creates a VLAN interface for management; the address becomes reachable once the VLAN exists in hardware (Step 13).
interface vlan 100
 ip address 192.168.1.2 255.255.255.0
 no shutdown
 exit
Note The switch also supports IP address assignment to physical Ethernet interfaces that have been configured to operate in Layer 3 mode.
Step 12 Configure the default gateway, as shown in the following example. This gateway functions as the default route for management traffic sourced from the in-band address.
ip default-gateway 192.168.1.1
When the switch is managed through a VLAN interface and IP routing is not enabled, a static default route (ip route 0.0.0.0 0.0.0.0) is not required; the ip default-gateway command provides the next hop for the switch's own traffic.
Create a Management VLAN in Hardware

Earlier you assigned an IP address to the interface for VLAN 100 (see the "Configure a Management IP Address on an In-Band Interface" section). However, merely assigning the IP address to interface VLAN 100 does not create the VLAN in hardware. Perform the following step to make the switch reachable through the assigned IP address.
Step 13 Create the management VLAN in hardware and configure an uplink interface as a member of this VLAN.
Note This is an intermediate step required only to make the switch Layer 3 reachable and manageable through SSH or HTTPS, in addition to the console or Express Setup. You can skip this step if you continue to use the console to complete the configuration, but it is required if you use another tool to complete the configuration of the switch. The complete best-practice configuration for uplink connectivity is explained in the "Uplink Interface Connectivity" workflow.
We recommend that you use a dummy VLAN as the native VLAN on trunk interfaces instead of the default VLAN 1. Because all interfaces are assigned to VLAN 1 by default, this limits the traffic from potential user misconfiguration and connection errors that would otherwise propagate untagged across the trunk.
All other VLANs on the uplink interfaces are tagged with an IEEE 802.1Q tag, which is inserted in the Layer 2 frame header.
The following example shows how to create the VLAN IDs in hardware and assign their names. The upstream interfaces on the switch or router must also be made members of the new VLANs; the VLAN ID must be the same on both ends of the Ethernet link for the management VLAN to work. A "dummy" VLAN is used as the native VLAN on the trunk interfaces; it carries no data or management traffic, and the native VLAN must match on both ends of the trunk.
vlan 100
 name switch_mgmt
 exit
vlan 999
 name dummy
 exit
!
! The next step assumes the uplink interface is GigabitEthernet 1/1/1, but
! your uplink interface may be different.
!
interface GigabitEthernet 1/1/1
 switchport mode trunk
 switchport trunk native vlan 999
Note The show spanning-tree and ping commands used in this example require that the upstream Layer 2 device (switch or router) is already configured for the production network, with no additional configuration changes required.
! Use "show spanning-tree vlan 100" to confirm VLAN 100 is FWD on the uplink
! interface.
! Use "show interfaces trunk" to confirm GigabitEthernet 1/1/1 is
! operating in trunk mode correctly.
show spanning-tree vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     0022.bdd9.4c00
             Cost        4
             Port        49 (GigabitEthernet1/1/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     20bb.c05f.b300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/1/1             Root FWD 4         128.49   P2p
Gi1/1/2             Altn BLK 4         128.50   P2p

show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/1/1     on               802.1q         trunking      999
Gi1/1/2     on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/1/1     1-4094
Gi1/1/2     1-4094

Port        Vlans allowed and active in management domain
Gi1/1/1     1,100,999
Gi1/1/2     1,100,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1/1     1,100,999
Gi1/1/2     none
!
! Now the default gateway will respond to pings
!
ping 192.168.1.1
Note Enter the show running-configuration command to display the initial management information for the switch.

Global System Configuration

This workflow describes common global configurations for all switch deployments in the access layer.

Prerequisites for Global System Configuration

Complete the tasks described in the "Initial Switch Configuration" workflow.
If you have not completed the tasks described in the "Uplink Interface Connectivity" workflow, the switch might not be IP reachable. In that case, use only the switch console to perform the Global System Configuration workflow.
If you have completed the "Uplink Interface Connectivity" workflow, you can perform the Global System Configuration workflow using the switch console, SSH, or any management tool. Using tools other than the console requires you to log in with the user names and passwords configured in the "Initial Switch Configuration" workflow.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed with this workflow without interruption. We recommend that you print Table 4 and, as you follow the configuration sequence, replace the example values in column B with your values in column C.
Note Replace the blue italicized example values with your own values.
Table 4 Global System: Setting Values
A. Value Name                                                          B. Example Value                                                          C. Your Value
Management subnets allowed                                             192.168.128.0/0.0.0.255, 192.168.0.0/0.0.0.255, 192.168.254.0/0.0.0.255
NTP server IP address                                                  192.168.254.11
Data VLAN                                                              10
Voice VLAN                                                             11
Access points VLAN                                                     12
Management VLAN ID                                                     100
Wireless clients VLAN                                                  200
VLAN name for data                                                     Data
VLAN name for voice                                                    Voice
VLAN name for access points                                            Access_Points
VLAN name for wireless clients                                         Wireless_Client
SNMP community strings for read-only and read-write access             my-SNMP-RO-name, my-SNMP-RW-name
IPv6 Router Advertisement Guard policy for access interfaces           endhost_ipv6_raguard
IPv6 Router Advertisement Guard policy for upstream router interfaces  router_ipv6_raguard
IPv6 Router Advertisement Guard policy for upstream switch interfaces  switch_ipv6_raguard
IPv6 DHCP guard policy for access interfaces                           endhost_ipv6_dhcp_guard
IPv6 DHCP guard policy for uplink interfaces                           uplink_ipv6_dhcp_guard
Note Configuration examples begin in global configuration mode, unless noted otherwise.

Assign Global Configuration Information

Note The following tasks should be performed in the same sequence in which they are listed here.
Configure High Availability on the Switch Stack
Configure the Switch to Run in VTP Transparent Mode
Enable Rapid Per-VLAN Spanning Tree Plus
Configure BPDU Guard for Spanning-Tree PortFast Interfaces
Configure UDLD to Detect Link Failure
Configure an Access List to Limit Switch Access
Configure System Clock and Console Timestamps
Configure DHCP Snooping Security Features
Configure ARP Inspection
Configure EtherChannel Load Balancing
Create Access Layer VLANs
Create IPv6 First-Hop Security Policies
Increase the TFTP Block Size
Enable New Members to Automatically Update to the Switch Stack Image

Configure High Availability on the Switch Stack

Step 1 Assign the active switch and the standby switch high stack-member priority values, so that network operations are not affected during a stack-member failure.
Recommendation: For consistency, configure the stack-member priority that determines the active stack member. By configuring one member to be the active stack member, you ensure that this member is the active member through all stack elections, for the lifetime of the stack. The member with the highest configured priority becomes the active member.
In a switch stack, the member most likely to fail is the active member. Therefore, in a switch stack with three or more members, we recommend that you configure uplink connectivity on more than one stack member and not on the active member. This way, uplink connectivity is not affected if the active member fails.
In this document, the stack is a two-member stack, and the example assigns the highest priority to member 1. Assign the standby member a slightly lower priority. The default priority is 1.
The switch priority commands are entered in privileged EXEC mode, not in global configuration mode:
switch 1 priority 15
switch 2 priority 14
Note For additional information about managing switch stacks and configuring high availability features on the switch, see the Stack Manager and High Availability Configuration Guide, Cisco IOS XE Release.

Configure the Switch to Run in VTP Transparent Mode

Step 2 Configure your switch to run in VTP transparent mode so that it does not accept VLAN configuration updates from the network, because an erroneous update (for example, from a misconfigured switch joining the VTP domain) can change the VLAN database on every switch in the domain.
Typically, VLANs are defined once during the initial switch configuration and do not require continuous VTP updates after the switch is operational.
vtp mode transparent
A switch in VTP transparent mode can create, modify, and delete VLANs (the same way as a VTP server), but it does not propagate its VLAN information across the network and does not synchronize its VLAN configuration from received advertisements. Configuration changes made in this mode are saved in the running configuration and can be saved to the startup configuration file.
Note The default VTP mode for the switch is VTP server mode. This mode allows you to create, modify, and delete VLANs and to specify other configuration parameters for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.

Enable Rapid Per-VLAN Spanning Tree Plus

Step 3 Enable Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+) to improve the detection of indirect failures and link-up restoration events over classic spanning tree.
Rapid PVST+ provides an instance of RSTP (IEEE 802.1w) for each VLAN and improves the detection of indirect failures and link-up restoration events compared with classic spanning tree (IEEE 802.1D).
Recommendation: Enable spanning tree even if your deployment has no Layer 2 loops. With spanning tree enabled, you ensure that if physical or logical loops are accidentally introduced, no actual Layer 2 loop forms.
spanning-tree mode rapid-pvst

Configure BPDU Guard for Spanning-Tree PortFast Interfaces

Step 4 Configure Bridge Protocol Data Unit (BPDU) guard globally to protect all spanning-tree PortFast-enabled interfaces.
BPDU guard protects against a user plugging a switch into an access port, which may cause a catastrophic, undetected spanning-tree loop.
If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as the connection of an unauthorized device. BPDU guard prevents loops by moving a nontrunking PortFast interface into the errdisable state when it receives a BPDU. An interface disabled this way stays down until it is reset with shutdown and no shutdown, unless errdisable recovery cause bpduguard is configured.
The following command protects all PortFast-enabled interfaces by disabling the port if another switch is plugged into it. Configure it globally, not at the interface level.
spanning-tree portfast bpduguard default
udld aggressive
access-list 55 permit 192.168.128.0 0.0.0.255 access-list 55 permit 192.168.0.0 0.0.0.255 access-list 55 permit 192.168.254.0 0.0.0.255 line vty 0 15
access-class 55 in vrf-also
exit snmp-server community sample-READONLY RO 55 snmp-server community sampe-READWRITE RW 55
!

Configure UDLD to Detect Link Failure

Step 5 Configure Unidirectional Link Detection (UDLD) in aggressive mode, not normal mode.
UDLD detects a unidirectional link, and then disables the affected interface and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree loops, black holes, and nondeterministic forwarding. In addition, UDLD enables faster link-failure detection and quick reconvergence of interface trunks, especially with fiber, which can be susceptible to unidirectional failures.
In aggressive mode, if the link state of a port is determined to be bidirectional and the UDLD information times out while the link on the port is still in UP state, UDLD tries to re-establish the state of the port. If this not successful, the port is put into errdisable state. In normal mode, the port state for UDLD is marked as undetermined, and operates according to its Spanning Tree Protocol state.
Do not change UDLD aggressive timers.
Note UDLD in aggressive mode is not needed when the upstream device is a switch operating in VSS mode.
Assign Global Configuration Information
For more information about VSS-enabled campus design, see the Campus 3.0 Virtual Switching System
Design Guide.

Configure an Access List to Limit Switch Access

Step 6 If your network operation support is centralized, you can increase network security by using an access
list to limit the networks that can access your switch.
We recommend that you use an access list to permit IP addresses from known source management locations.
In this example, only the hosts on the 192.168.128.0, 192.168.0.0, and 192.168.254.0 networks can access your switch using SSH or SNMP. The following example shows an ACL that permits three subnets. your network may have more subnets or fewer subnets. configure the ACL that best fits your network. You can continue to add to the list, as required for your network deployment.
ntp server 192.168.0.10
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
ip dhcp snooping vlan 10,11,12,100
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping wireless bootp-broadcast enable
!
ip arp inspection vlan 10,11,100

Configure System Clock and Console Timestamps

Step 7 Configure a synchronized clock by programming your network devices to synchronize to a local NTP server in the network.
The local NTP server typically references a more accurate clock feed from an outside source.
Step 8 Configure console messages, logs, and debug output to provide timestamps on output, which allows cross-referencing of events in a network.

Configure DHCP Snooping Security Features

Step 9 Enable Dynamic Host Configuration Protocol (DHCP) snooping on the data, voice, and wireless AP VLANs.
The switch intercepts and safeguards DHCP messages within the VLAN. This configuration ensures that an unauthorized DHCP server cannot allocate addresses to end-user devices.

Configure ARP Inspection

ARP inspection is a security feature that prevents ARP spoofing.
Step 10 Enable Address Resolution Protocol (ARP) inspection on the data, voice, and management VLANs.

Configure EtherChannel Load Balancing

Step 11 Set EtherChannels to use the traffic source and destination IP address when calculating which link to send traffic to.
EtherChannel traffic should be balanced across all physical interfaces. The default load-balancing scheme for EtherChannels is based on the source MAC address.
port-channel load-balance src-dst-ip
!
vlan 10
name Data
vlan 11
name Voice
vlan 12
name Access_Points
vlan 200
name Wireless_Client
This configuration normalizes the method in which traffic is load-shared across the member links of an EtherChannel. EtherChannels are used extensively in this design because of their resilience.

Create Access Layer VLANs

Step 12 Create VLANs to separate traffic based on end-user devices.
When VLANs are created, they automatically join any interface that is configured for trunk mode. Earlier, the uplink interface was configured for trunk mode. Therefore, the uplink interface should now be a member of these VLANs.
Use consistent VLAN IDs and VLAN names in the access layer. Consistent IDs and names make the configuration easier to read and compare across switches, and network operation becomes more efficient.
Note Do not use VLAN 1.
Note Use VLAN 200 for wireless clients only if the switch operates as a wireless controller in the converged access mode.

Create IPv6 First-Hop Security Policies

Step 13 Create and apply global IPv6 security policies on the uplink interfaces to define the trust and roles on the connected distribution switches or routers.
Blocking router advertisements with Router Advertisement Guard and blocking DHCP responses from untrusted sources is an easy way to secure against the most common IPv6 problems.
Note Access interfaces to end devices should not be trusted for router advertisements and IPv6 DHCP responses.
ipv6 nd raguard policy endhost_ipv6_raguard
device-role host
!
ipv6 nd raguard policy router_ipv6_raguard
device-role router
trusted-port
!
ipv6 nd raguard policy switch_ipv6_raguard
device-role switch
trusted-port
!
ipv6 dhcp guard policy endhost_ipv6_dhcp_guard
device-role client
!
ipv6 dhcp guard policy uplink_ipv6_dhcp_guard
device-role server
trusted-port
!
ip tftp blocksize 8192
!
software auto-upgrade enable
This example configuration shows how to create global policies that are applied to the interfaces described in the “Access Control on the Wired Network” workflow.

Increase the TFTP Block Size

Step 14 Increase the TFTP block size to the maximum allowed value of 8192.
By default, the switch uses a TFTP block size value of 512, which is the lowest possible value. Increasing this global value significantly improves the TFTP file transfer time.

Enable New Members to Automatically Update to the Switch Stack Image

Step 15 Enable the Auto Upgrade feature so that new switch members automatically update to the Cisco IOS version that is running on the switch stack.
When new members join an existing switch stack, the Cisco IOS version of the new members must match the Cisco IOS version of the existing members. The Auto Upgrade feature provides the ability to automatically update new members when they join. However, this feature is not enabled by default.
Note The switch stack must be running Cisco IOS XE Release 3.3.1 or later in install mode.
For detailed information about the Auto Upgrade feature, see the Using the Auto-Upgrade feature on the Cisco Catalyst 3850 document.

Uplink Interface Connectivity

This workflow describes how to configure the Ethernet interfaces that connect a switch or switch stack to distribution switches or routers. These interfaces are uplink interfaces. They are different from access interfaces that connect to non-networking end devices such as IP phones, personal computers, wireless access points, printers, and IP cameras.
The switch interface configuration recommendations are based on a switch stack deployed in the campus or branch of the access layer.
When stacking two or more physical switches into one logical switch, we recommend that the uplink interfaces are spread across the physical members to ensure that an active uplink interface is always available to the switch-stack members.

Prerequisites for Uplink Interface Connectivity

Ensure that the best-practice configurations are set, as described in the Global System Configuration workflow.

Restrictions for Uplink Interface Connectivity

A maximum of eight physical links can be active in a single EtherChannel group.
All the ports in an EtherChannel must be assigned to the same VLAN, or must be configured as trunk ports.
All the interfaces in an EtherChannel must be of the same type; for example, Gigabit Ethernet interfaces cannot be mixed with 10-Gbps interfaces.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed with this workflow without interruption. We recommend that you print out Table 5 and, as you follow the configuration sequence, replace the values in column B with your values in column C.
Note Replace the blue italicized example values with your own values.
Table 5 Uplink Connectivity Values
A. Value Name: B. Example Value (column C, Your Value, is left for you to fill in)
Uplink interfaces: GigabitEthernet 1/1/1, GigabitEthernet 1/1/2, GigabitEthernet 2/1/1, GigabitEthernet 2/1/2
Data VLAN: 10
Voice VLAN: 11
Access points VLAN: 12
Wireless clients VLAN: 200
Management VLAN ID: 100
Dummy VLAN: 999
IPv6 Router Advertisement Guard policy name: switch_ipv6_raguard, router_ipv6_raguard
IPv6 DHCP Guard policy name: uplink_ipv6_dhcp_guard
QoS service policy input name: AutoQos-4.0-Trust-Dscp-Input-Policy
QoS service policy output name: AutoQos-4.0-Output-Policy
Note Configuration examples begin in global configuration mode, unless noted otherwise.

LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router

The following illustration displays the LAN access switch topology with uplinks to a distribution switch or distribution router:
Figure 6 LAN Access Switch Topology with Uplinks to a Distribution Switch
[Figure 6: a Catalyst 3850 stack in the access layer connects over a trunk link (native VLAN 999, all VLANs included) to dual redundant switches in the distribution layer running VSS (Cat6500/6800/4500) or VPC (Nexus 7000). End devices shown: desktop user (Voice VLAN 11, Data VLAN 10), desktop user direct connect (Data VLAN 10), printer (Data VLAN 10), wireless access (Access point VLAN 12); switch management VLAN 100.]
Figure 7 Uplinks for a Distribution Router
[Figure 7: the Catalyst 3850 stack in the access layer connects over trunk links (native VLAN 999, all VLANs included) to dual redundant routers running HSRP. End devices shown: desktop user behind IP phone (Voice VLAN 11, Data VLAN 10), desktop user direct connect (Data VLAN 10), printer, wireless access (Access point VLAN 12); switch management VLAN 100.]

Configure Uplink Interface Connectivity

Recommendations for Configuring an Uplink Interface to a Router or Switch
Configure QoS on an Uplink EtherChannel Interfaces
Configure an Uplink Interface as an EtherChannel and as a Trunk
Configure Security Features on an Uplink EtherChannel Interface
Spanning-Tree Recommendations for an Uplink Interface Connecting to a Distribution Switch
Verify Uplink Interface Configurations

Recommendations for Configuring an Uplink Interface to a Router or Switch

When configuring your uplink interface, follow these recommendations to guide you through the configuration from the interface to the upstream router or switch:
Make sure that the uplink connections from the switch stack to the distribution switches have enough bandwidth to carry the traffic associated with all of the access interfaces on the switch stack.
Use EtherChannels to increase resilience in case an uplink interface fails.
For EtherChannels, use Link Aggregation Control Protocol (LACP) active-active mode, which adheres to the IEEE 802.3ad standard. Active-active mode means that both the switch stack side and the distribution switch side of the EtherChannel must be configured in LACP active mode.
Use uplink ports on different switches in the switch stack to connect back to the distribution switches. This configuration ensures that there is no single point of failure for the switch stack: if the switch in the stack that owns one of the uplink connections fails, a remaining member of the switch stack still has an uplink port connection back to the distribution switches.
All interfaces are assigned to VLAN 1 by default. Do not configure VLAN 1 on the trunk; this prevents traffic associated with potential user connection errors from propagating across the trunk.

Configure QoS on an Uplink EtherChannel Interfaces

Note This configuration should be applied to the physical uplink interfaces before adding them to an EtherChannel.
Step 1 Apply the Trust Differentiated Services Code Point (DSCP) service policy on an interface in the ingress direction, and then apply the 2P6Q3T policy in the egress direction to ensure proper congestion management and egress bandwidth distribution on the interface.
Ethernet traffic that is received from the upstream switch or router contains trusted QoS markings and is classified to guarantee a type of service.
Additional service policies should be applied after traffic is transmitted in order to ease congestion. For more information, see “Configure QoS on an Access Interface” on page 56.
interface GigabitEthernet 1/1/1
auto qos trust dscp
service-policy input AutoQos-4.0-Trust-Dscp-input-Policy
service-policy output 2P6Q3T
exit
interface GigabitEthernet 1/1/2
auto qos trust dscp
service-policy input AutoQos-4.0-Trust-Dscp-input-Policy
service-policy output 2P6Q3T
exit
interface GigabitEthernet 2/1/1
auto qos trust dscp
service-policy input AutoQos-4.0-Trust-Dscp-input-Policy
service-policy output 2P6Q3T
exit
interface GigabitEthernet 2/1/2
auto qos trust dscp
service-policy input AutoQos-4.0-Trust-Dscp-input-Policy
service-policy output 2P6Q3T

Configure an Uplink Interface as an EtherChannel and as a Trunk

Step 1 Choose one of the following configurations based on your network topology:
“Configure an Uplink Interface to Connect to a Distribution VSS or VPC Switch”
“Configure an Uplink Interface to Connect to a Distribution Router (or Standalone Distribution Switch)”
Configure an Uplink Interface to Connect to a Distribution VSS or VPC Switch
1. Ensure that the distribution Virtual Switch System (VSS) or Virtual Port Channel (VPC) switch connections are configured the same way and that the EtherChannel is configured in LACP active mode.
2. For additional resilience, ensure that the uplink interfaces are located on different switches in the switch stack.
Figure 6 shows the switch stack that has a single EtherChannel connection to a distribution VSS or VPC switch pair.
The VSS and VPC systems have an explicit configuration between the Cisco distribution switch pair that allows them to act as a single logical switch when connected to the EtherChannel. The EtherChannel is configured as a trunk with VLANs 10, 11, 12, and 100, with the native VLAN set to 999.
Note Use this switch-stack uplink interface configuration only when connecting the switch stack to a VSS or VPC distribution switch pair, and not when the distribution switch pair is configured as two standalone switches.
interface GigabitEthernet 1/1/1
description connection to Distribution VSS or VPC switch 1
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet 2/1/1
description connection to Distribution VSS or VPC switch 1
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet 1/1/2
description connection to Distribution VSS or VPC switch 2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet 2/1/2
description connection to Distribution VSS or VPC switch 2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
channel-protocol lacp
channel-group 1 mode active
Configure an Uplink Interface to Connect to a Distribution Router (or Standalone Distribution Switch)
Note Use this configuration when connecting the switch stack to two standalone distribution switches (not configured as a VSS or VPC pair). However, do not use the spanning-tree portfast trunk command for switch configuration.
Ensure that the distribution VSS or VPC router side of the connections is configured the same way and that the EtherChannel is configured in LACP active mode.
For additional resilience, the configured uplink interfaces should be located on different switches in the switch stack.
Use the spanning-tree portfast trunk command to allow the switch side of the uplink to immediately transition to the spanning-tree forwarding state when the link becomes available, because routers do not participate in spanning tree.
Figure 7 shows a switch stack having a separate EtherChannel to each distribution router. Each EtherChannel is configured as a trunk with VLANs 10, 11, 12, 100, 200, and 999, with the native VLAN set to 999.
EtherChannel Connection to Router 1
interface GigabitEthernet 1/1/1
description connection to Distribution router 1
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
spanning-tree portfast trunk
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet 2/1/1
description connection to Distribution router 1
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
spanning-tree portfast trunk
channel-protocol lacp
channel-group 1 mode active
EtherChannel Connection to Router 2
interface GigabitEthernet 1/1/2
description connection to Distribution router 2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
spanning-tree portfast trunk
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet 2/1/2
description connection to Distribution router 2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,11,12,100,200
spanning-tree portfast trunk
channel-protocol lacp
channel-group 2 mode active

Configure Security Features on an Uplink EtherChannel Interface

Step 2 Configure IPv4 and IPv6 security features on uplink EtherChannel interfaces.
The uplink EtherChannel interfaces to distribution routers and switches should be configured to trust router advertisements and DHCP responses, because Layer 3 routing and server functionality resides on the distribution switches and routers. This differs from the access interface-to-end device configuration, which should not be trusted, as specified in the “Access Interface Connectivity” workflow.
The policies that should be applied are defined in the “Global System Configuration” workflow.
In the following example, security is applied to the uplink interfaces connecting to a VPC, VSS, or standalone switch:
interface Port-channel 1
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy switch_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
In the following example, security is applied to the uplink interfaces connecting to routers:
interface Port-channel 1
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy router_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
exit
!
interface Port-channel 2
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy router_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard

Spanning-Tree Recommendations for an Uplink Interface Connecting to a Distribution Switch

Note Complete this configuration on the distribution switches and not on the switch. The recommendations listed below are not applicable when routers are used at the distribution layer.
Step 3 On uplink interfaces to distribution switches (Figure 6), ensure that the spanning-tree root for the switch-stack VLANs is configured on the distribution switch pair.
Follow these recommendations when standalone distribution switches are used instead of a VSS or VPC system:
Make sure that the spanning-tree roots for the VLANs are distributed evenly between the two standalone distribution switches. For example, configure one switch as the spanning-tree root for all the even VLANs, and the other switch as the spanning-tree root for all the odd VLANs. This distribution ensures that spanning tree does not block all the VLANs on a single uplink interface, and results in an even traffic flow across the uplink interfaces.
If Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP) is configured for the VLANs located on the standalone distribution switches, make sure that the switch that is active for a VLAN is also the spanning-tree root for that VLAN.
Avoid flooding of traffic caused by asymmetric routing of traffic flows by configuring the arp timeout interface configuration command. This command adjusts the ARP aging timer to less than the MAC address table aging timer on the Layer 3 VLAN interfaces of the distribution switches. By default, the MAC address table aging timer is set to 5 minutes (300 seconds) on the switch.
For more information about spanning tree root configuration on the VSS, see the “Spanning Tree Configuration Best Practice with VSS” section of the VSS Enabled Campus Design Guide.
For more information about spanning-tree root on distribution switches, see the “Spanning VLANs across Access Layer Switches” section of the Campus Network for High Availability Design Guide.
For more information about spanning-tree root configuration and asymmetric routing, see the “Spanning VLANs Across Access Layer Switches” and “Asymmetric Routing and Unicast Flooding” sections of the Campus Network for High Availability Design Guide.

Verify Uplink Interface Configurations

Use the following commands to verify that the configurations in this workflow are correctly applied to your uplink interfaces:
show etherchannel summary
show interface
show interface trunk
show cdp neighbors
show auto qos interface
show policy-map interface

Display Uplink Interface Connectivity for the Switch

Step 1 Enter the show running-configuration command to display uplink interface connectivity for the switch.
Switch#sh int te2/1/3
TenGigabitEthernet2/1/3 is up, line protocol is up (connected)
  Hardware is Ten Gigabit Ethernet, address is 381c.1a24.d537 (bia 381c.1a24.d537)
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 10Gb/s, link type is auto, media type is SFP-10GBase-SR
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:19, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2596461 packets input, 426179392 bytes, 0 no buffer
     Received 2596461 broadcasts (2596461 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2596461 multicast, 0 pause input
     0 input packets with dribble condition detected
     303459 packets output, 45794121 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
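The show interface output in this workflow is what the verification step produces for one uplink. As an added example (not from the guide), the script below extracts the link state and error counters from that output and flags the conditions worth checking before the uplink is put into service; the excerpt is copied from the page's sample output, and the checks are my own.

```python
"""Parse 'show interface' output from a Catalyst uplink and flag the counters
worth checking during verification.  Added example, not Cisco's code."""
import re
from typing import Dict, List

# Excerpt of the 'show interface' output for TenGigabitEthernet2/1/3 shown above.
SHOW_INT = """\
TenGigabitEthernet2/1/3 is up, line protocol is up (connected)
  Full-duplex, 10Gb/s, link type is auto, media type is SFP-10GBase-SR
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
     2596461 packets input, 426179392 bytes, 0 no buffer
     Received 2596461 broadcasts (2596461 multicasts)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     303459 packets output, 45794121 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
"""

# Counter name -> regex with one capture group for the integer value.
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "output_drops": r"Total output drops: (\d+)",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors",
    "interface_resets": r"(\d+) interface resets",
}

def parse_show_interface(text: str) -> Dict[str, object]:
    """Extract link state, duplex/speed and the counters listed in COUNTERS."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if head is None:
        raise ValueError("not 'show interface' output")
    info: Dict[str, object] = {"name": head.group(1), "status": head.group(2),
                               "protocol": head.group(3)}
    dup = re.search(r"(Full|Half|Auto)-duplex, ([^,]+),", text)
    info["duplex"] = dup.group(1) if dup else None
    info["speed"] = dup.group(2) if dup else None
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else None  # None: field absent from output
    return info

def health_findings(info: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means a clean uplink."""
    name = info["name"]
    findings: List[str] = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append(f"{name}: link is {info['status']}, "
                        f"line protocol is {info['protocol']}")
    if info["duplex"] != "Full":
        findings.append(f"{name}: not full-duplex ({info['duplex']})")
    for key in ("input_errors", "crc", "output_errors", "output_drops"):
        if info.get(key):  # non-zero counter
            findings.append(f"{name}: {key.replace('_', ' ')} = {info[key]}")
    if info.get("interface_resets"):
        findings.append(f"{name}: {info['interface_resets']} interface resets since "
                        "counters were cleared; correlate with link-flap and "
                        "errdisable syslog messages")
    pkts, bcasts = info.get("packets_input"), info.get("broadcasts")
    if pkts and bcasts == pkts:
        findings.append(f"{name}: every received frame was broadcast/multicast; "
                        "no unicast traffic has arrived on this uplink")
    return findings

if __name__ == "__main__":
    for line in health_findings(parse_show_interface(SHOW_INT)):
        print(line)
```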

Access Interface Connectivity

This workflow describes how to configure the Ethernet interfaces that connect to the end devices of a switch. End devices are the non-networking devices that connect to the network, such as IP phones, personal computers, wireless access points, printers, and IP cameras. The Ethernet interfaces that connect to end devices are referred to as access interfaces. They differ from uplink interfaces that link to other networking devices.
The workflow for configuring access interfaces is based on a switch deployed at the access layer in a campus or branch network (Figure 8). The switch interfaces connected to end devices are the edge of the network, where network security and QoS begin.

Prerequisites for Access Interface Connectivity

Complete the procedure described in the Global System Configuration workflow, which includes the necessary configurations for the access interface configuration.
Complete the procedure described in the “Configure QoS on an Uplink EtherChannel Interfaces” workflow, which includes the creation of input service policies for end devices.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed with this section without interruption. We also recommend that you print out Table 6 and, as you follow the configuration sequence, replace the values in column B with your values in column C.
Note Replace the blue italicized example values with your own values.
Table 6 Access Interface Connectivity Values
A. Value Name: B. Example Value (column C, Your Value, is left for you to fill in)
Access interface ranges: interface range GigabitEthernet1/0/1-48; interface range GigabitEthernet2/0/1-48
Data VLAN: 10
Voice VLAN: 11
Access Points VLAN: 12
Management VLAN ID: 100
Wireless Clients VLAN: 200
IPv6 Router Advertisement Guard policy name: endhost_ipv6_raguard
IPv6 DHCP Guard policy name: endhost_ipv6_dhcp_guard
QoS service policy input names (see the “Configure QoS on an Uplink EtherChannel Interfaces” section): IPPhone-Input-Policy, Classify-Police-Input-Policy, Classify-Police-Input-Policy, Trust-Dscp-Input-Policy, SoftPhone-Input-Policy, Trust-Dscp-Input-Policy, Trust-Dscp-Input-Policy, Trust-COS-Input-Policy, No-Trust-Input-Policy
QoS service policy output name: 2P6Q3T
Note Configuration examples begin in global configuration mode, unless noted otherwise.

LAN Access Switch Topology with Connections to End Devices

The following illustration shows the topology of the LAN access switch to end devices:
Figure 8 LAN Access Switch Topology with Connections to End Devices
[Figure 8: a Catalyst 3850 stack in the access layer with its end devices: desktop user (Voice VLAN 11, Data VLAN 10), desktop user direct connect (Data VLAN 10), printer (Data VLAN 10), wireless access point (Access point VLAN 12); switch management VLAN 100.]

Configure Access Interface Connectivity

Recommendations for Configuring an Access Interface
Configure an Interface for Access Mode
Configure VLAN Membership
Create an Interface Description
Configure Security Features on an Access Interfaces
Configure QoS on an Access Interface
Verify Access Interface Configurations

Recommendations for Configuring an Access Interface

Although some end devices do not require the following access interface configurations, we recommend that you perform them to ensure consistency. The configurations do not interfere with the operation of the network or the attached end device, and are considered safe to use.
When configuring your access interface, you should complete the following tasks:
Configure an Interface for Access Mode
Configure VLAN Membership
Create an Interface Description
Configure Security Features on an Access Interfaces
Configure QoS on an Access Interface
Verify Access Interface Configurations
IP Device Tracking
Caution The IP Device Tracking (IPDT) feature could have some negative side effects that may impact the normal day-to-day operation of your switch.
Note Symptoms of IPDT issues are seen on the end device. For instance, on a Windows PC, an error message reporting a duplicate IP address 0.0.0.0 appears.
IPDT is enabled globally, but it cannot be globally disabled. To disable IPDT, you must disable it at the interface level.
Note To disable IPDT on a port channel, you must first unbundle the physical Ethernet interfaces from the port channel.
We recommend that you disable IPDT on all access interfaces, except in these situations where a feature explicitly requires IPDT:
IPDT is required for Centralized Web Authentication with Identity Services Engine (ISE).
Network Mobility Services communicates with the Mobility Services Engine to track location.
Device Sensor watches the control packets that ingress from the attached end device and determines what type of device is attached. Device Sensor uses multiple sources (such as IPDT) to determine the device type. Device Sensor is critical to other features, such as Auto Smart Ports and AutoConf.
Auto Smart Ports and AutoConf are indirectly affected, because they are clients of Device Sensor. The Device Sensor feature uses IPDT to aid in detection of attached device types.
Address Resolution Protocol (ARP) snooping will be impacted if IPDT is disabled.
Recommended way to disable IPDT at the interface level:
interface GigabitEthernet1/0/1
nmsp attach suppress
Alternately, you can use the following method:
interface GigabitEthernet1/0/1
ip device tracking maximum 0

Configure an Interface for Access Mode

Step 1 Use the switchport host command to perform the following configurations for the end devices on your switch:
Configure the access interface for static access mode, which is single-VLAN mode with no negotiation.
Configure the interface for Spanning Tree PortFast (STPF), which shortens the time it takes for the interface to go into forwarding mode. We recommend STPF on interfaces that do not connect to other bridging devices (Ethernet switches).
The default administrative mode for Ethernet interfaces on a switch is dynamic auto. Dynamic mode means that the interface will negotiate to trunk mode if the networking device on the other side of the link initiates the negotiation to trunk (administrative mode “dynamic desirable”).
switchport access vlan 10
switchport voice vlan 11
description IP Phone

Configure VLAN Membership

Step 2 Configure the VLANs for voice and data traffic.
VLAN configuration on an interface depends on the end device being used:
IP phones, IP cameras, and access points are typically configured on separate VLANs.
VLANs 10 and 11 are defined as the data and voice VLANs, respectively.
Recommendation: Do not use VLAN 1 for data or voice. VLAN 1 is the default VLAN on the 3850, which is well documented and understood by experienced networking personnel; VLAN 1 is therefore more susceptible to attacks. Changing the VLAN IDs to something other than VLAN 1 has been a long-standing Cisco recommendation for Ethernet switching.

Create an Interface Description

Step 3 Create a description for the interface to identify the end-device type.
Tip When you create an interface description, you can quickly scan a long list of interfaces to learn how they are used in your network.

Configure Security Features on an Access Interfaces

Step 4 Enable port security features to protect the network from malicious or troublesome end devices.
The primary purpose of port security is to prevent an end device from overloading the switch with too many source MAC addresses. Port security controls the MAC addresses remembered from the attached network device. Port security controls how many MAC addresses are remembered, how long they are remembered, and what happens when too many are remembered.
The MAC address limit is 11. When the end device exceeds 11 source MAC addresses, the ingress traffic to the switch on those source MAC addresses is dropped.
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
switchport block unicast
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6__guard
Note MAC addresses that are remembered on interfaces with port security do not appear in the dynamic MAC address table; they appear in the static MAC address table.
Step 5 Configure IP ARP inspection and snooping (DHCP, IGMP, and so on) rate limits of 100 p/s on the interface.
Incoming ARP traffic above 100 p/s is not typical and is considered malicious: packets beyond the limit are dropped and a syslog message is raised.
Step 6 Configure IP source guard to prevent IP address spoofing on the interface.
Step 7 Enable storm control on broadcast and multicast packets on the interface to protect the network from a flood of broadcast or multicast packets.
When the configured levels are exceeded, the switch sends an SNMP trap. The interfaces are not put into a disabled state.
Unknown unicast packets are blocked on egress, not on ingress: the switch drops unknown unicast packets instead of flooding them out to the end device, ensuring that only packets intended for the end device are forwarded.
Step 8 Configure IPv6 security on the interface to protect the end devices from malicious or unexpected operation by preventing them from transmitting IPv6 router advertisements and IPv6 DHCP responses.
The applied policies are defined in the “Global System Configuration” workflow.

Configure QoS on an Access Interface

auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output 2P6Q3T
Quality of Service (QoS) provides preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Auto QoS on the switch generates multiple service policies for various end devices. The service policy that is generated depends on the end device type.
Step 9 Apply service policies to a single access interface.
The switch then automatically generates the modular QoS command-line interface (MQC) service policies needed for access.
This example identifies some of the service policy configurations.
Step 10 Apply ingress and egress service policies.
Check the end device-specific configuration to see which service policy is recommended for an end device.

Verify Access Interface Configurations

The following section describes the commands that you should use to confirm that the configurations in this workflow are correctly applied to your switch:
Step 11 Use the show running-configuration command to verify the operational configuration of the access interfaces.
show storm-control
Key: U - Unicast, B - Broadcast, M - Multicast
Interface  Filter State   Upper        Lower        Current    Action  Type
---------  -------------  -----------  -----------  ---------  ------  ----
Gi1/0/1    Link Down      1k pps       1k pps       0 pps      Trap    B
Gi1/0/1    Link Down      2k pps       2k pps       0 pps      Trap    M
Gi1/0/2    Link Down      1k pps       1k pps       0 pps      Trap    B
Gi1/0/2    Link Down      2k pps       2k pps       0 pps      Trap    M
Gi1/0/3    Link Down      1k pps       1k pps       0 pps      Trap    B
Gi1/0/3    Link Down      2k pps       2k pps       0 pps      Trap    M
Gi1/0/4    Link Down      1k pps       1k pps       0 pps      Trap    B
Gi1/0/4    Link Down      2k pps       2k pps       0 pps      Trap    M

show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10-13,100
DHCP snooping is operational on following VLANs:
10-13,100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 2037.0653.c800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                Trusted  Allow option  Rate limit (pps)
-----------------------  -------  ------------  ----------------
GigabitEthernet1/0/1     no       no            100
  Custom circuit-ids:
GigabitEthernet1/0/2     no       no            100
  Custom circuit-ids:
GigabitEthernet1/0/3     no       no            100
  Custom circuit-ids:
GigabitEthernet1/0/4     no       no            100
  Custom circuit-ids:
Use the show storm-control command to confirm that the interfaces are configured for storm control.
Use the show ip dhcp snooping command to confirm that the interfaces are configured for DHCP snooping.
show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  -----
Gi1/0/1    ip           active       deny-all                            10-11
Gi1/0/2    ip           active       deny-all                            10
Gi1/0/3    ip           active       deny-all                            12
Gi1/0/4    ip           active       deny-all                            10

show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Gi1/0/1           11            1                  0         Restrict
     Gi1/0/2           11            1                  0         Restrict
     Gi1/0/3           11            1                  0         Restrict
     Gi1/0/4           11            1                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1          Untrusted       100           1
 Gi1/0/2          Untrusted       100           1
 Gi1/0/3          Untrusted       100           1
 Gi1/0/4          Untrusted       100           1

show ipv6 nd raguard policy endhost_ipv6_raguard
Policy endhost_ipv6_raguard configuration:
  device-role host
Policy endhost_ipv6_raguard is applied on the following targets:
Target   Type  Policy                Feature   Target range
Gi1/0/1  PORT  endhost_ipv6_raguard  RA guard  vlan all
Gi1/0/2  PORT  endhost_ipv6_raguard  RA guard  vlan all
Gi1/0/3  PORT  endhost_ipv6_raguard  RA guard  vlan all
Gi1/0/4  PORT  endhost_ipv6_raguard  RA guard  vlan all
Use the show ip verify source command to confirm that the IP source guard is configured and working.
Use the show port-security command to confirm that access interfaces are configured for port security.
Use the show ip arp inspection interfaces command to confirm the rate and untrusted state of access interfaces.
Use the show ipv6 nd raguard policy command to confirm that access interfaces are configured for Router Advertisement Guard with specific policies.
show ipv6 dhcp guard policy endhost_ipv6__guard
Dhcp guard policy: endhost_ipv6__guard
        Device Role: client
        Target: Gi1/0/1 Gi1/0/2 Gi1/0/3 Gi1/0/4

show policy-map interface GigabitEthernet1/0/1
 GigabitEthernet1/0/1

  Service-policy input: AutoQos-4.0-CiscoPhone-Input-Policy
  <snip>
  Service-policy output: AutoQos-4.0-Output-Policy

interface range GigabitEthernet 1/0/1-1/0/48

Display Running Configuration for Access Interface Connectivity

Use the show ipv6 dhcp guard policy command to confirm the DHCP guard policy on access interfaces.
Use the show policy-map interface command to confirm the input and output service policies applied to access interfaces.
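The verification commands above are meant to be read by eye, one interface at a time. The following Python script, added here as an example and not part of Cisco's guide, parses constructed samples of the show port-security, show ip arp inspection interfaces and show storm-control output in the layout shown above and reports every interface that deviates from the recommended values (11 secure MACs with the restrict action, untrusted ARP inspection at 100 pps, 1k/2k pps storm control with the trap action).

```python
"""Audit show-command output from a Catalyst 3850/3650 access switch against
the access-interface security baseline in this workflow.

Added example, not Cisco code. The three outputs below are constructed to
match the layout of show port-security, show ip arp inspection interfaces
and show storm-control as printed on this page; Gi1/0/2 and Gi1/0/3 are
deliberately left at weaker settings so the audit has something to report.
"""
import re
from collections import defaultdict

SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Gi1/0/1           11            1                  0         Restrict
     Gi1/0/2           50            1                  0         Shutdown
     Gi1/0/3           11            1                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
"""

SHOW_ARP_INSPECTION = """\
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1          Untrusted       100           1
 Gi1/0/2          Trusted         None          N/A
 Gi1/0/3          Untrusted       100           1
"""

SHOW_STORM_CONTROL = """\
Key: U - Unicast, B - Broadcast, M - Multicast
Interface  Filter State   Upper        Lower        Current    Action    Type
---------  -------------  -----------  -----------  ---------  --------  ----
Gi1/0/1    Link Down      1k pps       1k pps       0 pps      Trap      B
Gi1/0/1    Link Down      2k pps       2k pps       0 pps      Trap      M
Gi1/0/2    Link Down      1k pps       1k pps       0 pps      Trap      B
Gi1/0/3    Forwarding     1k pps       1k pps       0 pps      Shutdown  B
Gi1/0/3    Forwarding     2k pps       2k pps       0 pps      Trap      M
"""

# Baseline from the workflow: 11 secure MACs with the restrict action, DAI at
# 100 pps on untrusted ports, 1k pps broadcast / 2k pps multicast with trap.
EXPECTED_PORT_SECURITY = (11, "Restrict")
EXPECTED_DAI = ("Untrusted", 100)
EXPECTED_STORM = {"B": ("1k", "Trap"), "M": ("2k", "Trap")}

IFACE = r"(Gi\d+/\d+/\d+)"


def parse_port_security(text):
    """Map interface -> (MaxSecureAddr, Security Action)."""
    pattern = IFACE + r"\s+(\d+)\s+\d+\s+\d+\s+(\w+)"
    return {m.group(1): (int(m.group(2)), m.group(3)) for m in re.finditer(pattern, text)}


def parse_arp_inspection(text):
    """Map interface -> (trust state, rate); rate is None when unlimited."""
    pattern = IFACE + r"\s+(Trusted|Untrusted)\s+(\d+|None)"
    return {m.group(1): (m.group(2), None if m.group(3) == "None" else int(m.group(3)))
            for m in re.finditer(pattern, text)}


def parse_storm_control(text):
    """Map interface -> {traffic type: (upper level, action)}; one row per type."""
    pattern = IFACE + r"\s+.+?\s+(\S+) pps\s+\S+ pps\s+\S+ pps\s+(\w+)\s+([UBM])\s*$"
    result = defaultdict(dict)
    for m in re.finditer(pattern, text, re.MULTILINE):
        result[m.group(1)][m.group(4)] = (m.group(2), m.group(3))
    return dict(result)


def audit(port_security_text, arp_inspection_text, storm_control_text):
    """Return {interface: [findings]} for every interface that deviates from the baseline."""
    port_security = parse_port_security(port_security_text)
    dai = parse_arp_inspection(arp_inspection_text)
    storm = parse_storm_control(storm_control_text)
    findings = defaultdict(list)
    for intf in sorted(set(port_security) | set(dai) | set(storm)):
        got = port_security.get(intf)  # None means port security is not enabled
        if got != EXPECTED_PORT_SECURITY:
            findings[intf].append(f"port-security is {got}, expected {EXPECTED_PORT_SECURITY}")
        got = dai.get(intf)
        if got != EXPECTED_DAI:
            findings[intf].append(f"arp inspection is {got}, expected {EXPECTED_DAI}")
        for kind, expected in EXPECTED_STORM.items():
            got = storm.get(intf, {}).get(kind)
            if got != expected:
                findings[intf].append(f"storm-control {kind} is {got}, expected {expected}")
    return dict(findings)


if __name__ == "__main__":
    for intf, problems in audit(SHOW_PORT_SECURITY, SHOW_ARP_INSPECTION, SHOW_STORM_CONTROL).items():
        print(intf)
        for problem in problems:
            print("  -", problem)
```

Feed it the real output captured from the switch to check a whole stack in one pass; an interface that is absent from one of the three outputs is reported as deviating, since the feature is then not enabled there at all.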
Step 1 Show the recommended configuration for each end device type described in the beginning of this workflow.
Tip To use the same interface configuration for multiple interfaces on the switch, use the interface range command. This command allows you to issue a command once and have it apply to many interfaces. Because most of the interfaces in the access layer are configured identically, using this command can save a lot of time. For example, the following command allows you to enter commands simultaneously on all 48 interfaces (GigabitEthernet 1/0/1 to GigabitEthernet 1/0/48).
Note Apply the interface range command to every switch stack member. This range command works for all interfaces on a single stack member; enter the range command for each member.
IP Phone Access Interface
The following example displays the IP phone Access Interface information:
show running-configuration
. . .
 description IP Phone
 switchport host
 switchport access vlan 10
 switchport voice vlan 11
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 switchport block unicast
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6__guard
 auto qos voip cisco-phone
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output 2P6Q3T
Personal Computer Access Interface
The following example displays the Personal Computer access interface information.
show running-configuration
. . .
 description Personal Computer
 switchport host
 switchport access vlan 10
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 switchport block unicast
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6__guard
 auto qos trust dscp
 service-policy input AutoQos-4.0-Classify-Input-Policy
 service-policy output 2P6Q3T
Lightweight Access Point Access Interface
The following example displays the Lightweight Access Point access interface information:
show running-configuration
. . .
 description Lightweight Access Point
 switchport host
 switchport access vlan 12
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip dhcp snooping limit rate 100
 switchport block unicast
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
Printer Access Interface
The following example displays the Printer access interface information.
show running-configuration
. . .
 description Printer
 switchport host
 switchport access vlan 10
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 switchport block unicast
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6__guard
 auto qos classify police
 service-policy input AutoQos-4.0-Classify-Police-Input-Policy
 service-policy output 2P6Q3T

Access Control on the Wired Network

This workflow describes a phased approach to deploy IEEE 802.1x port-based authentication to provide secure and identity-based access control at the edge of the switch stack network.

Prerequisites for Access Control on the Wired Network

Before globally enabling IEEE 802.1x authentication, remove the EtherChannel configuration from all of the interfaces.
Define the authenticator (switch) to RADIUS server communication.
Initiate Extensible Authentication Protocol (EAP) over LAN (EAPoL) messaging to successfully authenticate the end device (or supplicant).
Based on your requirements, choose an appropriate EAP method. For information, see the Wired 802.1x Deployment Guide.
Automate the certificate enrollment process for supplicants, as described in the Certificate Autoenrollment in Windows Server 2003.
Enable machine authentication for end points, such as printers, to ensure that user login is supported.

Restrictions for Access Control on the Wired Network

You cannot configure an IEEE 802.1x port that is a member of an EtherChannel.
Destination ports configured with Switched Port Analyzer (SPAN) and remote SPAN (RSPAN) cannot be enabled with IEEE 802.1x authentication.
You cannot enable IEEE 802.1x on trunk or dynamic ports. Dynamic ports can negotiate with their neighbors to become a trunk.
Do not use port security with IEEE 802.1x. When IEEE 802.1x is enabled, port security becomes redundant and might interfere with IEEE 802.1x functionality.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed without interruption. We recommend that you print out Table 7 and, as you follow the configuration sequence, replace the values in column B with your values in column C.
Note Depending on your authentication server settings, the authentication and accounting ports could be assigned the values 1812 and 1813 respectively.
Note Replace the blue italicized example values with your own values.
Table 7 Secure Access Control for Wired Network Values
A. Value Name                  B. Example Value Names          C. Your Value
Interface range                GigabitEthernet 1/0/1-1/0/24
RADIUS server                  AuthServer
RADIUS server IPv4 address     192.168.254.14
Auth-port                      1656
Acct-port                      1646
RADIUS server encryption key   cisco123
Data VLAN                      10
Voice VLAN                     11
Auth-server dead vlan          20
Extended IP ACL                LowImpactSecurity-acl
Note Configuration examples begin in global configuration mode, unless noted otherwise.

LAN Access Switch Topology with IEEE 802.1x Secure Access Control

Figure 9 LAN Access Switch Topology with IEEE 802.1x Secure Access Control
[Figure labels: Catalyst 3850 stack in access; switch management VLAN 100; authentication server; printer on data VLAN 10; desktop user direct connect on data VLAN 10; desktop user on voice VLAN 11 / data VLAN 10]

Securing Access Using 802.1x on a wired LAN

Perform the following tasks in the order listed here.
Recommendations for Configuring Security on a Wired LAN
Provision Common Wired Security Access
Provision in Monitor Mode
Provision in Low-Impact Mode
Provision in High-Impact Mode

Recommendations for Configuring Security on a Wired LAN

IEEE 802.1x permits or denies network connectivity based on the identity of users and devices. It provides a link between the user name and IP address, MAC address, and a port on a switch. It also provides customized network access based on the identity of the end device or user.
The main components of IEEE 802.1x are:
Supplicant (end device)
Authenticator (switch)
Authentication server (RADIUS or ISE)
To provide secure access to your wired switch network, we recommend that you first provision your common wired security features. Provision security modes in phased deployments (monitor mode to high-security mode) of IEEE 802.1x authentication along with MAC Authentication Bypass (MAB), which uses the MAC address of the end device (or supplicant) to make decisions about access.
Note Each phased deployment should occur over time after ensuring that your network is ready to transition to the next security mode.
Table 8 describes the recommended IEEE 802.1x deployment scenarios that will have limited impact on network access. Test your network infrastructure while in monitor mode. If you are satisfied, then transition to low-impact mode and allow a subset of network traffic to pass through. Finally, transition to high-security mode, requiring authorization from all end devices.
Table 8 IEEE 802.1x Deployment Modes
Monitor Mode: Open access for unauthorized supplicants. Extensive network visibility. Monitor the network. No impact to end devices.
Low-Impact Mode: Limited access for unauthorized supplicants. Differentiated access control using dynamic ACLs. Limited impact to end devices.
High-Security Mode (Closed): No access for unauthorized supplicants. Heavily impacts supplicants.
Reference
For detailed information about wired mode deployments, see the TrustSec Phased Deployment Configuration Guide.
For basic information about IEEE 802.1x protocols, see the "8021X Protocols" section of the Wired 802.1X Deployment Guide.

Provision Common Wired Security Access

IEEE 802.1x port host modes determine whether more than one client can be authenticated on the port and how authentication is enforced:
Table 9 Types of IEEE 802.1x Port Host Modes
Single-Host: Allows only one end device on the IEEE 802.1x-enabled switch port.
Multi-Host: Authenticates the first MAC address and then allows an unlimited number of other MAC addresses.
Multi-Domain: Allows two endpoints on the port: one data endpoint and one voice endpoint.
Multi-Authentication: Allows only one voice end device, but allows multiple data end devices. In this mode, all devices are authenticated.
Unless otherwise noted, we recommend that multiple-authentication mode be configured instead of single-host mode, for increased security:
Switch#show running-config int Te3/0/12
Building configuration...

Current configuration : 766 bytes
!
interface TenGigabitEthernet3/0/12
 switchport mode access
 switchport block unicast
 switchport voice vlan 2
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 load-interval 30
 trust device cisco-phone
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 auto qos voip cisco-phone
 macro description CISCO_PHONE_EVENT
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip dhcp snooping limit rate 15
end
dot1x timeout tx-period 30
dot1x max-reauth-req 2
authentication timer restart 60
dot1x timeout quiet-period 60
Multi-authentication mode authenticates all the devices that gain access to the network through a single switch port, such as devices connected through IP phones.
Multi-authentication mode is more secure than multi-host mode (which also allows multiple data devices) because it authenticates all the devices that try to gain access to the network.
Step 1 Run the show run command on your switch to ensure that your access interface connections are set up.
This output is what you inherit after performing the “Access Interface Connectivity” workflow configuration for an interface connected to an IP phone.
Step 2 (Optional) If you observe excessive timeouts, fine-tune the IEEE 802.1x timers and variables. Timers and variables are important for controlling the IEEE 802.1x authenticator process on the switch.
We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless necessary.
Begin in interface configuration mode:
dot1x timeout supp-timeout 30
dot1x max-req 2
mab
authentication port-control auto
dot1x pae authenticator
!Enable new access control
!
aaa new-model
!
!Set authentication list for 802.1x
!
aaa authentication dot1x default group radius
!
!Enable 802.1x authentication
!
dot1x system-auth-control
Step 3 Set the timers on the appropriate interfaces.
These timers and variables control IEEE 802.1x authenticator operations when end devices stop functioning during authentication.
Begin in interface configuration mode.
Reference
For detailed information about the IEEE 802.1x timers and variables, see the Wired 802.1x Deployment Guide.
Step 4 Enable MAC authentication bypass (MAB) from interface configuration mode to authenticate supplicants that do not support IEEE 802.1x authentication.
When MAB is enabled, the switch uses the MAC address of the device as its identity. The authentication server has a database of MAC addresses that are allowed network access.
We recommend that you enable MAB to support non-802.1x-compliant devices. MAB also is an alternate authentication method when end devices fail IEEE 802.1x authentication due to restricted ACL access.
Begin in interface configuration mode.
Step 5 Configure IEEE 802.1x on the appropriate interfaces.
When you configure an IEEE 802.1x parameter on a port, a dot1x authenticator is automatically created on the port. When that occurs, the dot1x pae authenticator command must also be configured to ensure that the dot1x authentication will work on legacy configurations.
Begin in interface configuration mode:
Step 6 Enable access control and IEEE 802.1x authentications.
Begin in global configuration mode.
radius server AuthServer
 address ipv4 192.168.254.14 auth-port 1656 acct-port 1646
 key cisco123
authentication host-mode multi-auth
authentication open
no switchport port-security
no switchport port-security violation
no switchport port-security aging type
no switchport port-security aging time
no switchport port-security maximum
Step 7 To define the RADIUS server, configure it with its IP address, the UDP ports for authentication and accounting, and the server encryption key.

Provision in Monitor Mode

Monitor mode enables IEEE 802.1x authentication without impacting the access of the end devices (supplicants) to a switch (authenticator). This mode allows you to continuously gather the following types of data for all the devices connected to your network:
List of IEEE 802.1x-capable devices
List of devices that are not capable of IEEE 802.1x
Devices with good credentials
Devices with bad credentials
List of valid MAC addresses (for MAB)
List of unknown or invalid MAC addresses (for MAB)
We recommend monitor mode as a first-phase approach to provide secure access with IEEE 802.1x. Although this mode authenticates the end devices and users (supplicants), traffic is not impacted if authentication fails.
In monitor mode, IEEE 802.1x and MAB are enabled, but access is open to all users.
Step 8 To allow hosts to gain access to a controlled port, configure multi-authentication host mode and open authentication.
Step 9 Disable the Port Security feature, because when IEEE 802.1x is enabled, the Port Security feature becomes redundant and might interfere with the IEEE 802.1x functionality.
Begin in interface configuration mode.
authentication host-mode multi-domain
ip access-list extended LowImpactSecurity-acl
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq tftp
 permit udp any any eq domain
exit
interface GigabitEthernet1/0/1
 ip access-group LowImpactSecurity-acl in

Provision in Low-Impact Mode

The next deployment phase in securing your network is to provision in low impact mode, which allows differentiated network access to authenticated users while permitting basic network services for all users.
Note For information about configuration of multiple-authentication mode on IEEE 802.1x ports, see "Provision Common Wired Security Access".
Minimize the impact to your initial network access settings and add differentiated network access to authenticated users with low-impact mode provisioning. In low-impact mode, authentication is open and network access is contained using less restrictive port ACLs. After authentication, dACLs are used to allow full network access to end devices.
Step 10 Configure multi-domain mode to prevent unauthorized users from accessing an interface after an authorized user has been authenticated.
Step 11 Add a static ACL to allow basic network access.
Configure a restrictive port ACL that allows access for configuration and a Configured Trust List (CTL).
Begin in global configuration mode.
authentication host-mode multi-auth
authentication open
interface GigabitEthernet 1/0/1-1/0/24
no authentication open
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice

Provision in High-Impact Mode

The final deployment phase of securing your wired network is high-impact mode.
This phase goes beyond low-impact mode and provisions tight access control on the network port by configuring the default IEEE 802.1x authentication mode with dynamic VLAN for differentiated access.
Step 12 Configure multi-authentication host mode, and open authentication.
Step 13 Disable RADIUS for this deployment phase.
High-impact mode provides no network access to devices and users that fail authentication. In monitor mode and low-impact mode, we recommend that you identify and resolve the devices and user accounts that have failed authentication. Transition to high-impact mode when you are confident that end devices (that need network access) authenticate successfully, and authentication fails for devices and users that do not need access.
Begin in global configuration mode.
Step 14 Assign critical VLAN assignments for situations where the authentication server is unavailable.
The following command is used to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode.
Step 15 If the authentication server does not respond, authorize voice.
Show Running Configuration for Provisioning Modes

show running-configuration
hostname 3850-access-Bld1Flr1
!
aaa new-model
!
aaa authentication dot1x default group radius
!
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport block unicast
 switchport voice vlan 11
 ip arp inspection limit rate 100
 trust device cisco-phone
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6__guard
 auto qos voip cisco-phone
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip verify source
 ip dhcp snooping limit rate 100
!
radius server AuthServer
 address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
 key cisco123
!
Step 1 Enter the show running-configuration command to display provisioning modes for the switch.
Figure 10 show running-configuration command for Provision in Monitor Mode
show running-configuration
hostname 3850-access-Bld1Flr1
!
aaa new-model
!
aaa authentication dot1x default group radius
!
ip device tracking
!
dot1x system-auth-control
!
aaa session-id common
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport block unicast
 switchport voice vlan 11
 ip arp inspection limit rate 100
 trust device cisco-phone
 ip access-group LowImpactSecurity-acl in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6__guard
 auto qos voip cisco-phone
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip verify source
 ip dhcp snooping limit rate 100
!
ip access-list extended LowImpactSecurity-acl
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq tftp
 permit udp any any eq domain
!
radius server AuthServer
 address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
 key cisco123
Figure 11 show running-configuration command for Provision in Low-Impact Mode
show running-configuration
hostname 3850-access-Bld1Flr1 ! ! aaa new-model ! aaa authentication dot1x default group radius ! ip device tracking ! ! dot1x system-auth-control ! ! aaa session-id common interface GigabitEthernet1/0/1 switchport access vlan 10 switchport mode access switchport block unicast switchport voice vlan 11 ip arp inspection limit rate 100 trust device cisco-phone
authentication event server dead action authorize vlan 20 authentication event server dead action authorize voice
authentication host-mode multi-auth authentication port-control auto mab dot1x pae authenticator storm-control broadcast level pps 1k storm-control multicast level pps 2k storm-control action trap Ipv6 nd raguard attach-policy endhost_ipv6_raguard Ipv6 guard attach-policy endhost_ipv6__guard auto qos voip cisco-phone service-policy input AutoQos-4.0-CiscoPhone-Input-Policy service-policy output AutoQos-4.0-Output-Policy ip verify source ip snooping limit rate 100 ! ! radius server AuthServer address ipv4 192.168.254.14 auth-port 1645 acct-port 1646 key cisco123
Figure 12 how running-configuration command for Provision in High-Impact Mode
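The difference between the two provisioning modes in Figures 11 and 12 comes down to a few interface commands: with authentication open (low-impact mode), the inbound ACL is all that limits what an unauthenticated host can reach, and with authentication open but no ACL the port is effectively in monitor mode. The following Python audit, added here as an example and not part of the Cisco guide, parses interface and ACL blocks from a running-config and reports ports whose pre-authentication ACL permits more than DHCP, DNS, TFTP and established TCP, ports with authentication open and no ACL, and closed ports with no critical-auth action. SAMPLE_CONFIG is a constructed sample modelled on the guide's examples; ALLOWED_PREAUTH and the function names are this example's own.

```python
"""Classify 802.1x ports (monitor / low-impact / high-impact) and check that a
low-impact pre-auth ACL permits only bootstrap traffic. Added example, not
from the Cisco guide; command spellings follow the guide's running-configs."""
import re

# Constructed sample: the guide's low- and high-impact ports (Gi1/0/1, Gi1/0/3)
# plus two deliberately weak ports (over-permissive ACL, and no ACL at all).
SAMPLE_CONFIG = """\
ip access-list extended LowImpactSecurity-acl
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq tftp
 permit udp any any eq domain
ip access-list extended TooOpen-acl
 permit ip any any
interface GigabitEthernet1/0/1
 ip access-group LowImpactSecurity-acl in
 authentication event fail action next-method
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 ip access-group TooOpen-acl in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/3
 authentication event server dead action authorize vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/4
 authentication open
 authentication port-control auto
 dot1x pae authenticator
"""

# (protocol, final keyword) pairs a pre-auth ACL may permit; anything else is reported.
ALLOWED_PREAUTH = {("tcp", "established"), ("udp", "bootps"),
                   ("udp", "bootpc"), ("udp", "tftp"), ("udp", "domain")}

def parse_blocks(config):
    """Return (interfaces, acls): name -> list of the block's indented commands."""
    interfaces, acls, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif m := re.match(r"interface (\S+)$", raw):
            current = interfaces.setdefault(m.group(1), [])
        elif m := re.match(r"ip access-list extended (\S+)$", raw):
            current = acls.setdefault(m.group(1), [])
        else:
            current = None          # '!' separators and anything else end a block
    return interfaces, acls

def acl_violations(entries):
    """Return permit entries that go beyond DHCP, DNS, TFTP and established TCP."""
    return [e for e in entries
            if e.split()[0] == "permit" and (e.split()[1], e.split()[-1]) not in ALLOWED_PREAUTH]

def audit(config):
    """Return {interface: (mode, [findings])} for every authenticator port."""
    interfaces, acls = parse_blocks(config)
    report = {}
    for name, cmds in interfaces.items():
        if "authentication port-control auto" not in cmds:
            continue                # not an 802.1x-controlled port
        findings = []
        acl = next((c.split()[2] for c in cmds
                    if c.startswith("ip access-group ") and c.endswith(" in")), None)
        if "authentication open" in cmds:
            if acl is None:
                mode = "monitor"
                findings.append("authentication open without a pre-auth ACL: "
                                "unauthenticated hosts get full VLAN access")
            else:
                mode = "low-impact"
                if acl not in acls:
                    findings.append(f"pre-auth ACL {acl} is referenced but not defined")
                findings += [f"pre-auth ACL {acl} over-permissive: {e}"
                             for e in acl_violations(acls.get(acl, []))]
        else:
            mode = "high-impact"
            if not any(c.startswith("authentication event server dead action authorize") for c in cmds):
                findings.append("no critical-auth action: a RADIUS outage locks out every host")
        if "mab" not in cmds:
            findings.append("mab missing: devices without a supplicant cannot be authorized")
        report[name] = (mode, findings)
    return report
```

Run audit() over the text of show running-config; the whitelist is deliberately strict and treats numeric ports as violations, so extend ALLOWED_PREAUTH if your pre-auth ACL legitimately needs more (for example a specific management host).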
Monitoring IEEE 802.1x Status and Statistics
Step 1 Use the show dot1x statistics command to display switch-related and port-related IEEE 802.1x statistics.
To detect errors, filter the dot1x verbose messages that are enabled by default.
show dot1x statistics
Dot1x Global Statistics for
--------------------------------------------
RxStart = 7 RxLogoff = 0 RxResp = 0 RxRespID = 8
RxReq = 0 RxInvalid = 0 RxLenErr = 0 RxTotal = 29
TxStart = 0 TxLogoff = 0 TxResp = 0 TxReq = 0
ReTxReq = 0 ReTxReqFail = 0 TxReqID = 8 ReTxReqID = 0
ReTxReqIDFail = 0 TxTotal = 8
Step 2 Use the show dot1x interface statistics command to display IEEE 802.1x statistics for a specific port.
show dot1x interface g1/0/1 statistics
Dot1x Authenticator Port Statistics for GigabitEthernet1/0/1
--------------------------------------------
RxStart = 10 RxLogoff = 0 RxResp = 0 RxRespID = 10
RxInvalid = 0 RxLenErr = 0 RxTotal = 37
TxReq = 0 TxReqID = 11 TxTotal = 11
RxVersion = 1 LastRxSrcMAC = 0023.33db.e970
Step 3 Use the show dot1x all command to display the IEEE 802.1x administrative and operational status for a switch.
show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Step 4 Use the show dot1x interface command to display the IEEE 802.1x administrative and operational status for a specific port.
show dot1x interface g1/0/1
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
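The counters in Steps 1 and 2 are most useful when compared against each other: RxRespID without RxResp means supplicants answer the EAP-Request/Identity but never complete an EAP method, RxInvalid and RxLenErr count malformed EAPOL frames, and the ReTx...Fail counters show supplicants that stopped answering. The following Python parser, added as an example and not from the Cisco guide, reads the counter layout shown above and turns those patterns into findings. SAMPLE_OUTPUT is modelled on the guide's GigabitEthernet1/0/1 output; NOISY_OUTPUT, the thresholds and the messages are constructed for this example.

```python
"""Parse 'show dot1x interface ... statistics' output and turn the counters into
findings. Added example, not from the Cisco guide; it assumes the 'Name = value'
layout shown in the guide's output, and the thresholds and messages are its own."""
import re

# Constructed sample modelled on the guide's output for GigabitEthernet1/0/1.
SAMPLE_OUTPUT = """\
Dot1x Authenticator Port Statistics for GigabitEthernet1/0/1
--------------------------------------------
RxStart = 10 RxLogoff = 0 RxResp = 0 RxRespID = 10 RxInvalid = 0 RxLenErr = 0 RxTotal = 37
TxReq = 0 TxReqID = 11 TxTotal = 11
RxVersion = 1 LastRxSrcMAC = 0023.33db.e970
"""

# Constructed sample of a port seeing malformed EAPOL, retransmit failures and logoffs.
NOISY_OUTPUT = """\
Dot1x Authenticator Port Statistics for GigabitEthernet1/0/7
--------------------------------------------
RxStart = 3 RxLogoff = 2 RxResp = 4 RxRespID = 3 RxInvalid = 5 RxLenErr = 1 RxTotal = 18
TxReq = 6 TxReqID = 4 ReTxReqFail = 2 TxTotal = 10
RxVersion = 1 LastRxSrcMAC = 0011.2233.4455
"""

COUNTER_RE = re.compile(r"(\w+)\s*=\s*([0-9a-fA-F.]+)")

def parse_dot1x_stats(text):
    """Return {'interface': str, 'counters': {name: int}, 'last_src_mac': str}."""
    result = {"interface": None, "counters": {}, "last_src_mac": None}
    for line in text.splitlines():
        if m := re.search(r"Statistics for (\S+)", line):
            result["interface"] = m.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            if name == "LastRxSrcMAC":
                result["last_src_mac"] = value       # dotted-hex MAC, not a counter
            elif value.isdigit():
                result["counters"][name] = int(value)
    return result

def assess(stats):
    """Return [(severity, message)] derived from relationships between counters."""
    c = stats["counters"]
    malformed = c.get("RxInvalid", 0) + c.get("RxLenErr", 0)
    findings = []
    if malformed:
        findings.append(("warn", f"{malformed} malformed EAPOL frames, last source "
                                 f"{stats['last_src_mac']}: misbehaving or hostile supplicant"))
    if c.get("ReTxReqFail", 0) or c.get("ReTxReqIDFail", 0):
        findings.append(("warn", "EAP retransmit limit reached: the supplicant stopped "
                                 "answering (check MaxReq and SuppTimeout)"))
    if c.get("RxRespID", 0) and not c.get("RxResp", 0):
        findings.append(("info", "identity responses but no EAP method responses: "
                                 "check RADIUS reachability and the EAP method offered"))
    if c.get("RxLogoff", 0):
        findings.append(("info", "EAPOL-Logoff frames seen: they are unauthenticated, so a "
                                 "spoofed logoff can tear down another host's session"))
    return findings
```

Feed the output of show dot1x interface statistics for each port to parse_dot1x_stats() and then assess(); because the counters are cumulative since the last clear, compare two snapshots when you want rates rather than totals.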

Converged Wired and Wireless Access

This workflow explains how to enable the converged access functionality of the switch, and how the switch can operate as both the wireless mobility controller (MC) and the wireless mobility agent (MA) in a small branch deployment.
Wired and wireless features enabled on the same platform are referred to as converged access. The wired and wireless features are bundled into a single Cisco IOS XE Software image, which reduces the number of software images that users have to qualify and certify before deploying them in their network.
Converged access improves wireless bandwidth across the network and the scale of wireless deployment. For example, a 48-port Catalyst 3850 switch provides 40 Gbps of wireless throughput. This wireless capacity increases with the number of members in the stack. This ensures that the network will scale with current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and with future wireless standards such as IEEE 802.11ac.

Prerequisites

Complete the following tasks before proceeding with wireless configuration:
Switch stack must function in Stateful Switchover (SSO) mode.
Interface configuration is completed, as explained in the “Access Interface Connectivity” workflow.
NTP configuration should be present and operational, as explained in the “Global System Configuration” workflow.
A wireless site survey should be completed. The site survey identifies the proper placement of wireless access points for the best coverage. For detailed information about the site survey process and the tool to use, see the Wireless Site Survey FAQ.
Complete the QoS workflow.

Restrictions

Lightweight access points are used.
AP-count licenses are supported only on IP Base and IP Services licenses. See the Cisco Catalyst 3850 Switch Right-to-Use Licensing Model.
A Catalyst 3850 switch stack can support a maximum of 50 access points.
A Cisco Catalyst 3650 stack can support a maximum of 25 access points.
WLAN cannot use client VLAN 0.

Identify Configuration Values
We recommend that you identify certain switch configuration values in advance so that you are ready to proceed with this section without interruption. As you follow the configuration sequence, replace the values in column B with your values in column C.
Note This workflow contains two separate IP subnets that contain VLANs used for access points and wireless
clients. The access points are on VLAN 12, and use IP subnet 192.168.12.x. The wireless clients are on VLAN 200, and use IP subnet 192.168.13.x.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
Table 10 Wireless LAN Controller Values
A. Value Name                                    | B. Example Value                                    | C. Your Value
--------------------------------------------------------------------------------------------------------------------
Number of access point count licenses and slots  | 10/1, 15/2                                          |
Management VLAN for managing access points       | wireless-management-vlan                            |
Management VLAN name and description             | Wireless VLAN / Wireless Management VLAN Interface  |
IP address for VLAN interface                    | 192.168.12.2 255.255.255.0                          |
Access point pool                                | APVlan10-Pool                                       |
Access point client pool                         | 192.168.12.0 255.255.255.0                          |
Default router for client                        | 192.168.12.1                                        |
Excluded addresses                               | 192.168.12.1 192.168.12.2                           |
Wireless management interface                    | vlan12                                              |
Access interface                                 | GigabitEthernet1/0/3                                |
Description                                      | Lightweight Access Point                            |
WLAN interface for client VLAN (ID and name)     | 200 Wireless_Client                                 |
Wireless client VLAN IP address                  | 192.168.13.2 255.255.255.0                          |
WLAN for easy-RADIUS (profile, ID and SSID)      | OPEN_WLAN 1 open_wlan                               |
RADIUS server                                    | AuthServer                                          |
IPv4 address for RADIUS                          | 192.168.254.14                                      |
Auth-port                                        | 1645                                                |
Acct-port                                        | 1646                                                |
AAA group                                        | RADIUS-GROUP                                        |
RADIUS server dead-criteria time/tries           | 10/3                                                |
RADIUS server deadtime                           | 1                                                   |
WLAN with WPA2 and IEEE 802.1x enabled           | Secure_WLAN1 CISCO_WLAN                             |
Input service policy                             | wlan-Guest-Client-Input-Policy                      |
Output service policy                            | wlan-Guest-SSID-Output-Policy                       |
Note Configuration examples begin in global configuration mode, unless noted otherwise.
LAN Access Switch Topology with Wireless Connectivity
This topology shows the switch stack connected to multiple routers. The most common deployment of converged access is in a branch scenario, but this workflow also applies to a campus deployment.
The switch is stacked and acts as both the MC and MA. For converged access, at least one lightweight access point is required. In a single-stack converged access deployment, a Catalyst 3850 stack supports up to 50 directly connected access points (a Catalyst 3650 stack supports up to 25).
We recommend that you distribute the access points evenly across the stack members, so that a switchover does not cause a loss of connectivity for the access points connected to a member or standby switch.
Figure 13 LAN Access Switch Topology with Wireless Connectivity
(Figure elements: dual redundant routers running HSRP; Catalyst 3850 stack in access, connected over a trunk link with native VLAN 999 and all VLANs included; desktop user direct connect on data VLAN 10; desktop user behind IP phone on voice VLAN 11 and data VLAN 10; printer on data VLAN 10; wireless access on access point VLAN 12; switch management VLAN 100; DHCP server; ISE.)

Enable the Switch as a Wireless Controller

Install Access Point Licenses on the Switch
Configure a Wireless Management VLAN
Configure Service Connectivity
Enable Wireless Controller Functionality
Change a Switch to Run in Mobility Controller Mode
Enable the Access Point Connections

Install Access Point Licenses on the Switch

For ease of use, an evaluation license is preinstalled on your switch, but you are required to accept the End-User-License Agreement (EULA) before the 90-day period expires.
The IP Base and IP Services image-based licenses support wireless functionality. The minimum license level for wireless functionality is IP Base.
The total AP-count license of a switch stack is equal to the sum of all the individual member AP-count licenses, up to a maximum of 50 AP-count licenses.
The total AP-count license of the stack is affected when stack members are added or removed:
When a new member that has an existing AP-count license is added to the stack, the total available AP-count license for the switch stack is automatically recalculated.
When members are removed from the stack, their AP-count licenses are decremented from the total available AP-count license in the stack.
Step 1 Activate a permanent access point license and accept the EULA.
Access point licenses are configured for permanent or for evaluation purposes. To prevent disruptions in operation, the switch does not change licenses when an evaluation license expires. You get a warning that your evaluation license will expire, and you must disable the evaluation license and purchase a permanent one.
We recommend that you purchase and activate a permanent license and accept the EULA to avoid an untimely expiration.
You can activate permanent RTU licenses after you accept the EULA. The EULA assumes that you have purchased the permanent license. Use AP-count adder type licenses to activate access point licenses. The adder AP-count license is an “add as you grow” license: you can add access point licenses as your network grows. You activate an adder AP-count license by using EXEC commands, and it is activated without a switch reload.
The following example activates 10 access point licenses on stack member 1 and 15 on member 2.
license right-to-use activate apcount 10 slot 1 acceptEULA
license right-to-use activate apcount 15 slot 2 acceptEULA
If more access points are connected than the total number of accepted AP-count licenses, a syslog warning message is sent; the newly connected access points are not disconnected until a stack reload. After a stack reload, the newly connected access points are removed from the total access point count.
For more information about RTU licenses, see the “Configuring Right-To-Use Licenses” chapter in the System Management Configuration Guide, Cisco IOS XE Release 3E.
Verify AP-Count License Installation
Step 2 Verify the allocation of the access point licenses on the switch.
The following example shows two members in the stack:
show license right-to-use
Slot#  License name  Type       Count  Period left
---------------------------------------------------------
1      ipbase        permanent  N/A    Lifetime
1      lanbase       permanent  N/A    Lifetime
1      apcount       adder      10     Lifetime
License Level on Reboot: ipbase
Slot#  License name  Type       Count  Period left
---------------------------------------------------------
2      ipbase        permanent  N/A    Lifetime
2      lanbase       permanent  N/A    Lifetime
2      apcount       adder      15     Lifetime
License Level on Reboot: ipbase
Step 3 Verify the RTU license summary details.
The example shows that a permanent IP Services license is installed and is the level used on reboot; 5 of the 25 AP-count licenses are in use.
show license right-to-use summary
License Name  Type       Count  Period left
-----------------------------------------------
ipservices    permanent  N/A    Lifetime
apcount       base       0      Lifetime
apcount       adder      25     Lifetime
--------------------------------------------
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 25
AP Count Licenses In-use: 5
AP Count Licenses Remaining: 20

Configure a Wireless Management VLAN

Step 4 Configure the VLAN and SVI and assign it an IP address.
A wireless management VLAN is used for the access point CAPWAP tunnels and other CAPWAP mobility tunnels. The creation of a wireless management VLAN is mandatory. First, configure the VLAN in hardware and then create the SVI and assign it an IP address. (See the “Create a Management VLAN in Hardware” section in the Initial Switch Configuration workflow.)
! Activate the VLAN in the database if it does not exist.
vlan 12
 name Wireless VLAN
interface vlan 12
 description Wireless Management VLAN Interface
 ip address 192.168.12.2 255.255.255.0
 no shutdown
end

Configure Service Connectivity

Step 5 Create a name for the DHCP server address pool and specify the network number and mask of the address pool for the clients, and the default router for the clients.
If you want the access points to receive IP address information from the switch, you must configure the DHCP server with the IP subnet and mask for the clients and a router IP address to provide their default gateway.
The DHCP server can also supply a DNS server address, which is used to resolve the TFTP server name to an IP address; configuration of the DNS server IP address is optional.
In small branch deployments in which the MC and MA are combined, we recommend using the switch as the DHCP server for the lightweight access points. In this deployment, the switch operates in Layer 2 mode, and the upstream router provides all routing functions.
We recommend that you exclude the IP address already used for the default router and the in-use wireless management SVI address, to prevent the DHCP server from allocating these addresses to an access point.
ip dhcp pool APVlan10-Pool
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
ip dhcp excluded-address 192.168.12.1 192.168.12.2
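The addressing rules behind Steps 4 and 5 (gateway inside the pool, gateway and switch SVI excluded from the pool, client and access point subnets kept separate) are easy to get wrong when values are copied from Table 10. The following Python check, an added example that is not part of the Cisco guide, parses the relevant commands and reports violations. GOOD_CONFIG and BAD_CONFIG are constructed samples using the guide's VLAN 12 and VLAN 200 values; the helper names are this example's own.

```python
"""Validate DHCP pool and SVI addressing for the access point and client VLANs:
the default router must lie in the pool, the gateway and the switch's own SVI
address must be excluded from the pool, and SVI subnets must not overlap.
Added example, not from the Cisco guide; it assumes the command forms the guide
uses (ip dhcp pool / network / default-router / ip dhcp excluded-address /
interface vlan N / ip address)."""
import ipaddress
import re

# Constructed sample with the guide's VLAN 12 (access points) and VLAN 200 (clients).
GOOD_CONFIG = """\
interface vlan 12
 description Wireless Management VLAN Interface
 ip address 192.168.12.2 255.255.255.0
interface vlan 200
 description Client VLAN
 ip address 192.168.13.2 255.255.255.0
ip dhcp excluded-address 192.168.12.1 192.168.12.2
ip dhcp pool APVlan10-Pool
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
"""

# Same design with two mistakes: a /23 client mask that swallows the AP subnet,
# and an exclusion that leaves the switch's own SVI address leasable.
BAD_CONFIG = (GOOD_CONFIG
              .replace("192.168.13.2 255.255.255.0", "192.168.13.2 255.255.254.0")
              .replace("excluded-address 192.168.12.1 192.168.12.2", "excluded-address 192.168.12.1"))

def parse(config):
    """Return (svis: vlan -> IPv4Interface, pools: name -> dict, excluded: set of addresses)."""
    svis, pools, excluded, ctx = {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface [Vv]lan ?(\d+)$", line):
            ctx = ("svi", int(m.group(1)))
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            ctx = ("pool", m.group(1))
            pools[ctx[1]] = {"network": None, "routers": []}
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            low = int(ipaddress.ip_address(m.group(1)))
            high = int(ipaddress.ip_address(m.group(2) or m.group(1)))
            excluded.update(ipaddress.ip_address(a) for a in range(low, high + 1))
            ctx = None
        elif ctx and ctx[0] == "svi" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            svis[ctx[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "pool" and (m := re.match(r"network (\S+) (\S+)$", line)):
            pools[ctx[1]]["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "pool" and (m := re.match(r"default-router (.+)$", line)):
            pools[ctx[1]]["routers"] = [ipaddress.ip_address(a) for a in m.group(1).split()]
    return svis, pools, excluded

def check(config):
    """Return human-readable findings; an empty list means the addressing is sound."""
    svis, pools, excluded = parse(config)
    findings = []
    vlans = sorted(svis)
    for i, a in enumerate(vlans):                      # pairwise SVI overlap check
        for b in vlans[i + 1:]:
            if svis[a].network.overlaps(svis[b].network):
                findings.append(f"vlan {a} {svis[a].network} overlaps vlan {b} {svis[b].network}")
    for name, pool in pools.items():
        net = pool["network"]
        for gw in pool["routers"]:
            if gw not in net:
                findings.append(f"pool {name}: default-router {gw} is not inside {net}")
            elif gw not in excluded:
                findings.append(f"pool {name}: default-router {gw} is not excluded and can be leased")
        for vlan, iface in svis.items():               # the switch must not lease its own SVI address
            if iface.ip in net and iface.ip not in excluded:
                findings.append(f"pool {name}: SVI vlan {vlan} address {iface.ip} is not excluded and can be leased")
    return findings
```

The overlap check is what catches a client SVI configured with 255.255.254.0 next to a 192.168.12.0/24 access point VLAN: the /23 covers 192.168.12.0 through 192.168.13.255, and the switch would reject the second SVI address anyway.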

Enable Wireless Controller Functionality

Step 6 Configure an SVI (rather than a physical interface) as the wireless management interface.
The wireless management interface command is used to source the access point CAPWAP tunnels and other CAPWAP mobility tunnels.
An SVI must be configured with an IP address before enabling the wireless controller.
wireless management interface vlan12

Change a Switch to Run in Mobility Controller Mode

Step 7 Enable the switch as an MC before the AP-count license installation.
In the wireless licensing model, the MA is the access point enforcer and the MC is the gatekeeper of the access points. The MC decides whether an access point is allowed to join the switch. The default role of the switch after boot up is MA.
It is mandatory to save the configuration and reload the switch for the MC role to take effect.
wireless mobility controller
% Mobility role changed to Mobility Controller. Please save config and reboot the whole stack.
end
write memory
reload
Proceed with reload? [confirm] y
Step 8 After the switch reboots, verify that the role of the switch has changed to Mobility Controller.
show wireless mobility summary
Mobility Controller Summary:
Mobility Role                        : Mobility Controller
Mobility Protocol Port               : 16666
Mobility Group Name                  : default
Mobility Oracle IP Address           : 0.0.0.0
DTLS Mode                            : Enabled
Mobility Domain ID for 802.11r       : 0xac34
Mobility Keepalive Interval          : 10
Mobility Keepalive Count             : 3
Mobility Control Message DSCP Value  : 48
Mobility Domain Member Count         : 3
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP               Public IP  Group Name  Multicast IP  Link Status
--------------------------------------------------------------------------
192.168.102.210  -N/A       default     0.0.0.0       UP : UP

Enable the Access Point Connections

Step 9 Connect the access points directly to the switch ports to complete installation.
It is mandatory that the access point connection port be configured as an access port. The access point does not register if the port is configured as a trunk.
Note The access VLAN on the switch port should be the same as the wireless management VLAN configured in Step 4 in this workflow.
interface GigabitEthernet1/0/3
 description Lightweight Access Point
 switchport host
 switchport access vlan 12
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip dhcp snooping limit rate 100
 switchport block unicast
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap

Enable a Client VLAN

Step 10 Configure an external DHCP server to allocate IP addresses for clients. Define a client VLAN and activate the VLAN in the database.
Every WLAN profile must be associated with a client VLAN.
! Activate the client VLAN in the VLAN database.
! Configure VLAN 200 if it is not already configured.
vlan 200
 name Wireless_Client
end
!
interface vlan 200
 description Client VLAN
 ip address 192.168.13.2 255.255.255.0
 no shutdown
end

Provisioning a Small Branch WLAN

Provision in Easy-RADIUS—Easiest to configure and does not rely on outside services.
Provision in Secure Mode—End-users are authenticated by the external RADIUS server or ISE.
Manage Radio Frequency and Channel Settings
We highly recommend that secure mode be provisioned because of security concerns. However, both WLAN modes can co-exist if the network design requires it. For example, you can provision both WLANs on a single switch, with each WLAN having its own purpose in the network.
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure Mode” section and provision your wireless network in secure mode.
Note Guest Access network deployment is beyond the scope of this document. For detailed information, see the “Configuring Wireless Guest Access” chapter in the Security Configuration Guide, Cisco IOS XE Release 3E (Catalyst 3850 Switches).

Provision in Easy-RADIUS

Easy-RADIUS allows access to the network without authentication and is not secure.
Disable Authentication to Enable Easy-RADIUS
Configure QoS to Secure the WLAN
Verify Client Connectivity in RADIUS
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure Mode” section and provision your wireless network in secure mode.
Disable Authentication to Enable Easy-RADIUS
Step 1 To provision in easy-RADIUS, use the no security commands in WLAN configuration mode to disable authentication for a WLAN.
By default, the WLAN is enabled for security with Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2). To make the WLAN open, use the no security wpa wpa2 command.
wlan OPEN_WLAN 1 open_wlan
 client vlan 200
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
Note By default, the broadcast SSID is enabled, and the WLAN/SSID information is sent in the beacons. The no broadcast-ssid command can be used to hide the SSID from being broadcast to end clients. When the SSID broadcast is disabled, end users can still connect to the SSID by entering the SSID manually in the wireless client network properties; hiding the SSID is not an access control and does not substitute for authentication.
Configure QoS to Secure the WLAN
Step 2 Configure a service policy on the ingress direction to properly classify traffic.
All ingress traffic is classified the same as wired traffic. On egress, the secure WLAN is given the majority of the available bandwidth.
QoS configuration for a secure WLAN assumes that there is another WLAN with lower priority, such as a guest or open WLAN. The end users on a secure WLAN should not be impacted by non-critical traffic on other WLANs.
All WLANs share the default port_child_policy egress service policy. This policy is configured by default and does not need to be explicitly configured on a WLAN.
wlan secure_WLAN 2 CISCO_WLAN
 shutdown
 service-policy client input wlan-Entr-Client-Input-Policy
 service-policy output wlan-Entr-SSID-Output-policy
 no shutdown
 exit
Verify Client Connectivity in RADIUS
Step 3 Associate clients and verify connectivity.
Clients are associated to the WLAN by choosing the appropriate SSID on the end device.
Client connectivity can be verified by using wireless show commands that display state and authentication information.
pol-edu-3850-mc-12#show wireless client summary
Number of Local Clients : 2
MAC Address     AP Name            WLAN  State  Protocol
--------------------------------------------------------------------------------
0000.3a40.0001  pol-edu-tsim-40-6  4     UP     11a
0000.3a40.0002  pol-edu-tsim-40-1  4     UP     11a
pol-edu-3850-mc-12#show wcdb database all
Total Number of Wireless Clients = 2
Clients Waiting to Join = 0
Local Clients = 2
Anchor Clients = 0
Foreign Clients = 0
MTE Clients = 0
Mac Address     VlanId  IPv4 Address     Src If              Mob
--------------  ------  ---------------  ------------------  -------
0000.3a40.0001  340     153.40.125.100   0x00000000800000E2  LOCAL
0000.3a40.0002  340     153.40.125.101   0x00000000800000A1  LOCAL
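The guide recommends secure mode, allows an open WLAN alongside it, and notes that hiding the SSID does not stop clients from connecting. The following Python audit, added as an example and not part of the Cisco guide, parses wlan blocks from a running-config, applies the no security and no broadcast-ssid commands to the default WLAN security state (WPA2, AES and 802.1X AKM on, SSID broadcast on, as the guide's open WLAN example implies), and flags enabled open WLANs and hidden open WLANs. SAMPLE_CONFIG reuses the guide's OPEN_WLAN and secure_WLAN profiles and adds a constructed HIDDEN_OPEN profile; the classification names are this example's own.

```python
"""Classify the WLAN profiles in a converged-access running-config by security
posture. Added example, not from the Cisco guide. It assumes the guide's WLAN
defaults (WPA2, AES and 802.1X AKM on, SSID broadcast on) until negated by the
'no security ...' and 'no broadcast-ssid' commands the guide shows."""
import re

# Constructed sample: the guide's OPEN_WLAN and secure_WLAN profiles, plus a
# hidden open WLAN that is administratively shut down.
SAMPLE_CONFIG = """\
wlan OPEN_WLAN 1 open_wlan
 client vlan 200
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
wlan secure_WLAN 2 CISCO_WLAN
 client vlan 200
 service-policy client input wlan-Entr-Client-Input-Policy
 service-policy output wlan-Entr-SSID-Output-policy
 no shutdown
wlan HIDDEN_OPEN 3 hidden_open
 client vlan 200
 no broadcast-ssid
 no security wpa
 shutdown
"""

WLAN_RE = re.compile(r"^wlan (\S+) (\d+) (\S+)$")

def parse_wlans(config):
    """Return {profile: {'id': int, 'ssid': str, 'cmds': [...]}} from wlan blocks."""
    wlans, current = {}, None
    for raw in config.splitlines():
        if m := WLAN_RE.match(raw):
            current = wlans[m.group(1)] = {"id": int(m.group(2)), "ssid": m.group(3), "cmds": []}
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:
            current = None
    return wlans

def posture(cmds):
    """Apply the block's commands to the default state and classify the result."""
    st = {"wpa": True, "wpa2": True, "dot1x": True, "aes": True, "broadcast": True, "enabled": False}
    toggles = {"no security wpa": ("wpa", False), "no security wpa wpa2": ("wpa2", False),
               "no security wpa akm dot1x": ("dot1x", False),
               "no security wpa wpa2 ciphers aes": ("aes", False),
               "no broadcast-ssid": ("broadcast", False),
               "shutdown": ("enabled", False), "no shutdown": ("enabled", True)}
    for c in cmds:
        if c in toggles:
            key, value = toggles[c]
            st[key] = value
    if not st["wpa"]:
        kind = "open"                                   # no WPA at all: unauthenticated SSID
    elif st["wpa2"] and st["dot1x"] and st["aes"]:
        kind = "wpa2-enterprise"                        # defaults intact
    else:
        kind = "modified"                               # some default negated: needs review
    return kind, st

def audit_wlans(config):
    """Return {profile: (kind, [findings])}."""
    report = {}
    for name, w in parse_wlans(config).items():
        kind, st = posture(w["cmds"])
        findings = []
        if kind == "open" and st["enabled"]:
            findings.append(f"open SSID {w['ssid']} is enabled: anyone in range joins the client VLAN unauthenticated")
        if kind == "open" and not st["broadcast"]:
            findings.append("hidden SSID on an open WLAN is not an access control")
        if kind == "modified":
            findings.append("WPA2/AES/802.1X defaults altered: review the AKM and cipher")
        report[name] = (kind, findings)
    return report
```

Run audit_wlans() over show running-config after provisioning; an open WLAN is acceptable only where the design calls for it, and the report makes that decision explicit rather than leaving it to the beacon.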