Cisco Catalyst 3850, Catalyst 3650 User Manual

Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide
First Published: November 30, 2015 Last Updated: December 14, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Audience
  Conventions
  Obtaining Documentation and Submitting a Service Request
Ease of Deployment
  Purpose
  Configuration Tool
  Catalyst Switch Configuration Best Practices
  LAN Access Switch Topology
  Switch Address Plan
Initial Switch Configuration
  Purpose
  Prerequisites
  Identify Configuration Values
  Assign Initial Management Information
  Configure the Hostname for Switch Identification
  Configure Secure HTTPS and Secure Shell for Secure LAN Management
  Configure SNMP for Remote Management
  Configure Local Login and Password for Switch Access
  Configure Centralized User Authentication Through TACACS+
  Assign an IP Address to the Switch
  Configure the Management IP Address on an Out-of-Band Interface
  Configure the Management IP Address on an In-Band Interface
  Create a Management VLAN in Hardware
  Verify Basic Switch Configuration
  Show Running Configuration for Initial Management Information
Switch Stack Update
  Purpose
  Prerequisites
  Identify Configuration Values
  LAN Access Switch Topology with Configured FTP Server
  Performing the Stack Update
  Obtain the Switch Software Image
  Check the Software Version on the Stack Members
  Configure the Switch to Run in Install Mode
  Download the Switch Image from Cisco.com to a FTP Server
  Update the Switch Stack Image
  Enable Switch Image Auto-Upgrade
  Verify that Stack Members Are Running the Same Software Image
Global System Configuration
  Purpose
  Prerequisites
  Identify Configuration Values
  Assign Global Configuration Information
  Configure High Availability on the Switch Stack
  Configure VTP Transparent Mode
  Enable Rapid Per-VLAN Spanning Tree
  Configure BPDU Guard for Spanning-Tree PortFast Interfaces
  Configure UDLD to Detect Link Failure
  Configure an Access List to Limit Switch Access
  Configure System Clock and Console Timestamps
  Configure DHCP Snooping Security Features
  Configure ARP Inspection
  Configure EtherChannel Load Balancing
  Create Access Layer VLANs
  Create IPv6 First Hop Security Policies
  Increase the TFTP Block Size
  Enable New Members to Automatically Update to the Switch Stack Image
  Verify Global Switch Configuration
  Show Running Configuration For Global Management Information
Uplink Interface Connectivity
  Purpose
  Prerequisites
  Restrictions
  Identify Configuration Values
  LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router
  Configure Uplink Interface Connectivity
  Recommendations for Configuring the Uplink Interface to a Router or Switch
  Configure QoS on the Uplink EtherChannel Interfaces
  Configure the Uplink Interface as an EtherChannel and as a Trunk
  Configure the Uplink Interface to Connect to Distribution VSS or VPC Switches
  Configure the Uplink Interface to Connect to Distribution Routers (or Standalone Distribution Switches)
  Configure Security Features on the Uplink EtherChannel Interfaces
  Spanning-Tree Recommendations for Uplink Interfaces Connecting to Distribution Switches
  Verify Uplink Interface Configurations
  Show Running Configuration for Uplink Interface Connectivity
Access Interface Connectivity
  Purpose
  Prerequisites
  Identify Configuration Values
  LAN Access Switch Topology with Connections to End Devices
  Configure Access Interface Connectivity
  Recommendations for Configuring Access Interfaces
  Configure the Interface for Access Mode
  Configure VLAN Membership
  Create an Interface Description
  Configure Security Features on Access Interfaces
  Configure QoS on the Access Interfaces
  Verify Access Interface Configurations
  Show Running Configuration for Access Interface Connectivity
Access Control on the Wired Network
  Purpose
  Prerequisites
  Restrictions
  Identify Configuration Values
  LAN Access Switch Topology with IEEE 802.1x Secure Access Control
  Provision IEEE 802.1x for Wired LAN
  Recommendations for Configuring Security on a Wired LAN
  Provision Common Wired Security Access
  Provision in Monitor Mode
  Provision in Low Impact Mode
  Provision in High Impact Mode
  Verify Secure Access Control on the Switch
  Show Running Configuration for Provisioning Modes
  Monitoring IEEE 802.1x Status and Statistics
Converged Wired and Wireless Access
  Purpose
  Prerequisites
  Restrictions
  Identify Configuration Values
  LAN Access Switch Topology with Wireless Connectivity
  Enable the Switch as a Wireless Controller
  Install Access Point Licenses on the Switch
  Verify AP-Count License Installation
  Configure a Wireless Management VLAN
  Configure Service Connectivity
  Enable Wireless Controller Functionality
  Change a Switch to Run in Mobility Controller Mode
  Enable the Access Point Connections
  Enable a Client VLAN
  Provisioning a Small Branch WLAN
  Provision in Easy-RADIUS
  Disable Authentication to Enable Easy-RADIUS
  Configure QoS to Secure the WLAN
  Verify Client Connectivity in RADIUS
  Provision in Secure Mode
  Enable the AAA RADIUS Server
  Configure the WLAN with IEEE 802.1x Authentication
  Configure QoS Service Policies for an Open WLAN
  Obtain WLAN Client IP Addresses
  Manage Radio Frequency and Channel Settings
  Disable Low Data Rates
  Enable Clean Air
  Enable Dynamic Channel Assignment
  Associate WLAN Clients
  Verify WLAN Client Connectivity
  Verify the Converged Access Configuration on the Switch
  Show Running Configuration for Wireless LAN Converged Access
System Health Monitoring
  Purpose
  Prerequisites
  Show Running Status
  Run a System Baseline for Core Resources
  Obtain CPU and Core Processor Usage
  Obtain Switch Memory Usage
  Monitor File Systems Usage
  Run a System Baseline for Environmental Resources
  Other System Monitoring Considerations
  Spanning Tree Monitoring
Index

Preface

Audience
This document is written for people who manage the Cisco Catalyst 3850 Series Switches and the Cisco 3650 Series switches and switch stacks in their network. A basic understanding of Ethernet networking is expected. Cisco Certified Network Associate level (CCNA) knowledge is helpful, but not required.

Conventions

This document uses the following conventions:
Convention          Indication
italic blue font    Example configuration values that are replaced with reader values.
bold font           Commands and keywords and user-entered CLI appear in bold font.
italic font         Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]                 Default responses to system prompts are in square brackets. Elements in square brackets are optional.
{x | y | z}         Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]         Optional alternative keywords are grouped in brackets and separated by vertical bars.
string              A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
courier font        Terminal sessions and information the system displays appear in courier font.
< >                 Nonprinting characters such as passwords are in angle brackets.
!, #                An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note                Means reader take note. Notes contain helpful suggestions or references to material that is not covered in the manual.
Tip                 The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Timesaver           You can save time by performing the action described in the paragraph.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

Ease of Deployment

This document describes best practices for deploying your Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series switches.
Note Unless otherwise noted, the term switch refers to a standalone Catalyst 3850 switch, a Catalyst 3650 switch, or a switch stack.
A Cisco switch deployment best practice is a preferred configuration method to employ on your Catalyst switches. It is a proven and tested way to improve network security, performance, and availability.
A best practice configuration includes an explanation of why you should perform a given task and a sample snapshot of a full running configuration that you can extrapolate for your specific scenario.
Tip Use the configuration recommendations in this document as a template for your switch deployments.
Note Many Cisco documents are available that define best practices for a variety of features and solutions. There will be some overlap between the information provided in this guide and other best practices and deployment guides. When relevant, this document references other existing documents so the reader can get a deeper understanding of an aspect of the 3850 operation. Otherwise, this document is self-contained, and provides complete best practice configuration.

Configuration Tool

The configuration examples in this document use the Cisco IOS CLI configuration tool, which is the most common tool used to configure a switch.
However, you do have the flexibility to use a different tool to perform switch configuration. Other configuration tools are the Express Setup, Device Manager, and Cisco Prime.
The examples provided in this document show the CLI commands that you should execute on your switch. You must replace the blue italicized example values with your own values.

LAN Access Switch Topology

The workflows described in this document assume that a switch is deployed as a LAN access switch. Unless noted otherwise, a switch that is in the LAN access layer is configured as a Layer 2 switch, with all Layer 3 services provided by the directly connected distribution switch or router.
This document assumes that the switches are stacked together to form a switch stack (a common switching unit). We recommend that you use switch stacks because of built-in redundancy. We also recommend using switch stacks when deploying switches in converged access mode (wireless mode) and connecting access points to different stack members.
A switch deployed at the LAN access layer provides high-bandwidth connections to devices through 10/100/1000 Ethernet, with both Gigabit and 10-Gigabit uplink connectivity options.
When a switch is deployed in access mode, it enables end devices, such as IP phones, wireless access points, and desktops to gain access to the network. The Power over Ethernet (PoE) switch models support PoE+ (30 W) and UPoE (60 W) to power IP phones, wireless access points, and IP cameras. The field-replaceable uplink module from the switch enables different uplink connectivity types.
Figure 1 shows an enterprise campus deployment, where the switch is connected to a distribution layer switch (such as a Catalyst 6500, 6800, 4500 or a Nexus 7000 switch).
Figure 1 LAN Access Switch Topology with Distribution Switch
[Figure 1 diagram labels: dual redundant switches in distribution layer running VSS (Cat6500/6800/4500), or VPC (Nexus 7000); trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; desktop user (voice VLAN 11, data VLAN 10); desktop user direct connect (data VLAN 10); printer (data VLAN 10); wireless access (access point VLAN 12).]

Figure 2 shows a branch deployment, where the switch is connected to a router (ISR). Because the switch operates as a Layer 2 switch, the configuration differs little between the campus and branch deployment cases. Differences in the configuration are noted in the best practice procedures.
Figure 2 LAN Access Switch Topology with Distribution Router
[Figure 2 diagram labels: dual redundant routers running HSRP; trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; desktop user behind IP phone (voice VLAN 11, data VLAN 10); desktop user direct connect (data VLAN 10); printer (data VLAN 10); wireless access (access point VLAN 12).]

Cisco Catalyst Switch Configuration Workflow

This document focuses on configuring a switch network and is organized in a workflow pattern, beginning with the initial configuration of a switch after it is racked, mounted, connected, and powered on, and ending with monitoring system health.
Figure 3 shows the best-practice configurations described in this document.
See the Switch Hardware Installation Guide for information on how to install a switch.
Figure 3 Cisco Catalyst Switch: Configuration Workflow
[Figure 3 flowchart boxes: Install a switch; Complete initial switch configuration on the first day of deploying the switch; Are switch stack members running the same image? (Yes/No); Update the image on switch stack members; Configure QoS on wired and wireless traffic to guarantee network performance; Configure switch connections to end devices (such as access points, IP phones, laptops, printers); Configure secure access on the switch and on connected devices; Configure global switch settings to define common configuration; Configure switch connections to distribution switches or routers; Configure wireless LAN access on the switch to enable converged access functionality; Monitor switch health to maintain network stability and performance.]

Switch Address Plan

The VLAN IDs and IP addresses designated for a switch and used throughout this document are not part of the best practices; they are specified only for the configuration examples. Your deployment will have an IP address plan that suits your specific network.
In this document, all IP address ranges are /24 for the sake of simplicity. We recommend that VLAN IDs be reused across the access switches deployed.
For example, in the access layer, VLAN 10 is always used for data, and VLAN 11 is always used for voice. The IP subnets for those VLANs are different across the access switches, but the VLAN IDs are the same. This type of address plan makes it easier to operate the network because the VLAN IDs are consistent.
Table 1 IP Address Plan
VLAN ID   IP Address         Server                 Description
100       192.168.1.0/24     -                      Switch in-band management VLAN.
10        192.168.10.0/24    Upstream device        Access data VLAN for end devices and subnet.
11        192.168.11.0/24    Upstream device        Access voice VLAN for IP phones and subnet.
12        192.168.12.0/24    Catalyst 3850 switch   Access point VLAN and subnet.
200       192.168.13.0/24    Upstream device        Wireless client VLAN and subnet.
-         192.168.254.0      -                      IP address range for all central services. The services are not physically adjacent to the switch.

Switch Stack Update

This workflow explains how to update all members of a switch stack with the same software image.
Before proceeding with global and advanced configurations on a switch stack, all stack members must be running the same Cisco IOS XE release to avoid mismatch issues. In addition, any new switch that needs to join the switch stack must also be running the same Cisco IOS XE release; otherwise, the switch stack will not converge and the new switch will remain in a standalone state.
Note Updating a Catalyst 3850 or 3650 switch stack is different from updating a Catalyst 3750 switch stack. Simply changing the boot statement to the desired .bin file is not recommended for Catalyst 3850 and 3650 switch stacks. The update process for Catalyst 3850 and 3650 switch stacks includes a series of package files, which are extracted from the .bin file and loaded into flash.

Prerequisites

Obtain a valid Cisco Connection Online (CCO) account with entitled credentials.
The process to install the new IOS version will use either FTP or TFTP. This requires that an FTP or TFTP server be available to host the 3850 IOS software and that the server be reachable over an IP network.
Install and configure the TFTP or FTP before you begin.
Verify that the TFTP block size is set at the maximum value of 8192, as described in the “Increase the TFTP Block Size” section.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you are ready to proceed with this section without interruption. As you follow the configuration sequence, replace the values in column B with your values in column C.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
Table 1 Switch Stack Update Configuration Values
A. Value Name   B. Example Value Names                          C. Your Value
hostname        3850-access-Bld1Flr1
TFTP server     192.168.254.12
Flash file      cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin
Note Configuration examples begin in global configuration mode unless noted otherwise.

LAN Access Switch Topology with Configured TFTP Server

Figure 1 LAN Access Switch Topology with Configured TFTP Server
[Figure 1 diagram labels: dual redundant switches in distribution layer running VSS (Cat6500/6800/4500), or VPC (Nexus 7000); FTP SERVER 172.18.121.121; trunk link, native VLAN 999, all VLANs included; Catalyst 3850 stack in access; switch management VLAN 100; desktop user (voice VLAN 11, data VLAN 10); desktop user direct connect (data VLAN 10); printer (data VLAN 10); wireless access (access point VLAN 12).]

Performing the Stack Update

Obtain the Switch Software Image
Check the Software Version on the Stack Members
Configure the Switch to Run in Install Mode
Installing IOS image from local TFTP/FTP server
Update the Switch Stack Image
Note Perform these tasks in the sequence listed here.

Obtain the Switch Software Image

We recommend that you review the appropriate switch release notes before installation to ensure compatibility with your network topology. Each platform on Cisco.com has a Cisco-suggested release based on software quality, stability, and longevity, which is designated by the symbol, as displayed in Appendix 2, “Cisco Catalyst 3850-48P-S Switch”.
Note The purpose of this example is only to show you how the Cisco-suggested release symbol is designated, and not to give you recommended release versions because those change over time.
Figure 2 Cisco Catalyst 3850-48P-S Switch
Step 1 Download the desired .bin file from Cisco.com to the switch flash storage.

Check the Software Version on the Stack Members

Step 2 Verify the running software version.

Configure the Switch to Run in Install Mode

Your switches should run in install mode while in production. This mode is not a requirement, but the update procedure is different if your switches are running in a mode other than install mode.
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
24
Performing the Stack Update
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ---­* 1 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 2 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 3 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9
request platform software package expand switch 1 file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.b
no boot system boot system switch all flash:packages.conf exit write memory reload
Note To learn the differences for the install and bundle installation modes, see the “Working with the Cisco
IOS File System, Configuration File, and Software Bundle Files” chapter of the Cisco IOS File System,
Configuration Files, and Bundle Files Appendix, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Step 3 If your switch stack is running in bundle mode, use the request platform software package expand
switch file to flash command to convert it to install mode.
Step 4 After the .bin file has successfully extracted to flash, change the boot statement and boot to the
packages.conf file.
Switch Stack Update
Note Since the format of the pacakges.conf file has changed in Cisco IOS XE Release Denali 16.1, overwrite
the old packages.conf with the new packages.conf file. Perform the above step for eachswitch in your stack. If you have a 3 member stack, it will need to be done on flash:, flash-2:, and flash-3.
Note Make sure the tftp server is reachable. To improve performance, increase the tftp block size to 8192. Use
the ip tftp blocksize bytes command in global configuration mode.
25
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Switch Stack Update
Switch# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.1.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Thu 12-Nov-15 16:23 by mcpre
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ---­* 1 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 2 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE 3 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 BUNDLE
Step 5 Confirm that the switch stack is now running in install mode.
Performing the Stack Update
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
26
Performing the Stack Update
# show run | inc block ip tftp blocksize 8192
ping 192.168.254.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.12, timeout is 2 seconds: !!!!

Installing IOS image from local TFTP/FTP server

You can use any file transfer method that you are familiar with, but we recommend TFTP or FTP.
Step 6 Confirm the block size config using the following command:
We recommend that you use a TFTP block size of 8192 (maximum allowed value) before attempting to use TFTP or FTP to transfer a file to the switch. Refer to the “Increase the TFTP Block Size” section in the “Global System Configuration” workflow for details.
Step 7 Make sure that there is connectivity to the TFTP server.
In this example, a TFTP server is used that is accessible through the in-band network.
Switch Stack Update
Step 8 After verifying connectivity, make sure that there is enough room in flash on all the switch stack
members.
Step 9 If you determine that files must be purged from flash, run the request platform clean switch command
to erase unneeded files within flash on all the stack members.
We recommend using the request platform clean switch command instead of individually deleting files. The command provides a list of the files to purge so that you understand what files are deleted when you confirm deletion.
Note Use switch all option to clean up all switches in your stack.
Note The request platform clean switch command also deletes the .bin file that is used to install the new
Cisco IOS software. After the .bin is extracted, you no longer need it.
27
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Switch Stack Update
Device# request platform software package clean switch all file flash: Running command on switch 1 Cleaning up unnecessary package files Scanning boot directory for packages ... done. Preparing packages list to delete ... done. Running command on switch 2 Cleaning up unnecessary package files Scanning boot directory for packages ... done. Preparing packages list to delete ... done. The following files will be deleted: [1]: /flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin /flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/packages.conf /flash/packages.conf.00­/flash/packages.conf.01­/flash/packages.conf.02-
[2]:
/flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin /flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg /flash/packages.conf /flash/packages.conf.00­/flash/packages.conf.01­/flash/packages.conf.02­Do you want to proceed? [y/n]y [1]: Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done. Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ...
done.
Performing the Stack Update
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
28
Performing the Stack Update
Deleting file flash:packages.conf ... done. Deleting file flash:packages.conf.00- ... done. Deleting file flash:packages.conf.01- ... done. Deleting file flash:packages.conf.02- ... done. SUCCESS: Files deleted. [2]: Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done. Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done. Deleting file flash:packages.conf ... done. Deleting file flash:packages.conf.00- ... done. Deleting file flash:packages.conf.01- ... done. Deleting file flash:packages.conf.02- ... done. SUCCESS: Files deleted.
Step 10 Copy the switch image to the TFTP server using the copy tftp://flash command.
The following example shows that the TFTP server (192.168.254.12) requires a user name (admin) and password (cisco), which can easily be integrated into the copy command:
copy tftp://admin:cisco@192.168.254.12/IOS/3850/cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin flash:

Update the Switch Stack Image

Step 11 Upload the image to the stack members, and then reload the switch.
The image download and installation can be performed while the stack is in-service, but to complete the update install, you must perform a switch reload, which causes a service outage.
software install file flash:cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin
[1 2]: Do you want to proceed with reload? [yes/no]
Step 12 After the reload completes, run the request platform software package clean switch all file flash command.
Device# request platform software package clean switch all file flash:
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
Running command on switch 2
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
To verify that stack members are using the same software, use the show version command on all members of the switch stack.

Enable Switch Image Auto-Upgrade

Step 13 Enable auto-upgrade so that new or replacement stack members are automatically upgraded with the software running on the switch stack.
If you are adding a new member, or replacing a stack member, we recommend that you enable the auto upgrade feature within the stack. This feature helps to avoid stack mismatch issues and ensures that any new switches are upgraded to the version currently running on the stack and also converts a member in bundle mode to install mode.
The auto-upgrade feature automatically installs the software packages from an existing stack member to the stack member that is running incompatible software.
software auto-upgrade enable
end
Note Auto-upgrade is disabled by default.
Note The rolling-upgrade feature is not supported.
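A check for the show version verification described above, as an added example that is not part of the Cisco guide: it parses the per-member summary table from show version output and flags any stack member whose software version differs from the active switch or that is still running in bundle mode. The sample output is constructed, and the Switch/Ports/Model/SW Version/SW Image/Mode column layout and the meaning of the leading asterisk are assumptions.

```python
import re
from collections import Counter

# Constructed sample of the stack summary table in "show version" output.
# Models and version strings are illustrative, not taken from the guide.
SAMPLE_SHOW_VERSION = """\
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 32    WS-C3850-24P       16.1.0            CAT3K_CAA-UNIVERSALK9 INSTALL
     2 32    WS-C3850-24P       16.1.0            CAT3K_CAA-UNIVERSALK9 INSTALL
     3 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 BUNDLE
"""

# One table row: optional '*', switch number, ports, model, version, image, mode.
ROW = re.compile(
    r"^\s*(?P<star>\*)?\s*(?P<switch>\d+)\s+(?P<ports>\d+)\s+(?P<model>\S+)\s+"
    r"(?P<version>\S+)\s+(?P<image>\S+)\s+(?P<mode>INSTALL|BUNDLE)\s*$"
)

def parse_members(show_version_text):
    """Return one dict per stack member row; header and other lines are skipped."""
    members = []
    for line in show_version_text.splitlines():
        m = ROW.match(line)
        if m:
            members.append({
                "switch": int(m["switch"]),
                "starred": m["star"] is not None,  # assumed: '*' marks the active switch
                "version": m["version"],
                "mode": m["mode"],
            })
    return members

def audit_stack(members):
    """Return (baseline_version, findings); findings are (switch, reason) tuples."""
    if not members:
        raise ValueError("no stack member rows found in show version output")
    starred = [m for m in members if m["starred"]]
    # Baseline is the active switch's version; fall back to the most common one.
    baseline = (starred[0]["version"] if starred
                else Counter(m["version"] for m in members).most_common(1)[0][0])
    findings = []
    for m in members:
        if m["version"] != baseline:
            findings.append((m["switch"], f"version {m['version']} differs from {baseline}"))
        if m["mode"] != "INSTALL":
            findings.append((m["switch"], f"running in {m['mode']} mode"))
    return baseline, findings
```

An empty findings list means every member reports the same version in install mode; a member that appears in the findings is one that auto-upgrade would be expected to bring in line when it is enabled.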

Initial Switch Configuration

This workflow explains how to configure the basic settings on a switch.
Whether the configuration deployment of a switch is completed all at once or done in phases, the basic switch settings must first be configured. The initial management configuration includes setting IP addresses, passwords, and VLANs, which are the prerequisites for future feature configuration.

Prerequisites for Initial Switch configuration

Refer to the switch Hardware Installation Guide to complete the following tasks:
1. Rack-mount the switch.
2. Connect the StackWise cables.
3. Connect the switch ports.
4. Perform power on.
5. Provision your upstream switch.
6. Connect at least one Ethernet cable from the uplink interface on the switch to the upstream switch or router.

Identify Configuration Values

We recommend that you identify certain switch configuration values in advance so that you can proceed with this section without interruption. We recommend that you print Table 2 and, as you follow the configuration sequence, replace the values in column B with your values in column C.
Note Replace the blue italicized example values with your own values.
Table 3 Initial Configuration Values

| A. Value Name | B. Example Value Names | C. Your Value |
|---|---|---|
| Hostname | 3850-access-Bld1Flr1 | |
| SNMP community strings for read-only and read-write access | my-SNMP-RO-name, my-SNMP-RW-name | |
| Management VLAN ID | 100 | |
| In-band management IP address and mask | 192.168.1.2 255.255.255.0 | |
| Default gateway | 192.168.1.1 | |
| Secret password | my-secret-password | |
| TACACS server IP address | 192.168.254.10 | |
| TACACS server secret key | cisco123 | |
| Uplink interface ID | GigabitEthernet 1/1/1 | |
| Management VRF IP address for out-of-band interface | Mgmt-vrf 192.168.128.5 255.255.255.0 | |
| Mgmt-VRF default route next hop | 192.168.128.1 | |
| Native VLAN | 999, dummy | |
Note The configuration examples provided in this document begin in global configuration mode, unless noted otherwise.

Assign Initial Management Information

Note The following configurations should be performed in the same sequence in which they are listed here.
Create a Management VLAN in Hardware
Configure a Management IP Address on an In-Band Interface
Configure a Management IP Address on an Out-of-Band Interface
Configure Centralized User Authentication Through TACACS+
Configure Local Login and Password for Switch Access
Configure SNMP for Remote Management
Enter the show running-configuration command to display the initial management information for the switch.
Users can now proceed to the Configure Secure HTTPS and Secure Shell for Secure LAN Management section.