Cisco Catalyst 3850 Manual Download Page 79 | Manualshive

Page: 79 / 120

background image

Access Control on the Wired Network

Securing Access Using 802.1x on a wired LAN

69

Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series

•

Multi-authentication mode authenticates all the devices that gain access to the network through a
single switch port, such as devices connected through IP phones.

•

Multi-authentication mode is more secure than multi-host mode (which also allows multiple data
devices) because it authenticates all the devices that try to gain access to the network.

Step 1

Run the

show run

command on your switch to ensure that your access interface connections are set up.

This output is what you inherit after performing the

“Access Interface Connectivity”

workflow

configuration for an interface connected to an IP phone.

Step 2

(Optional) If you observe excessive timeouts, fine-tune the IEEE 802.1x timers and variables. Timers
and variables are important for controlling the IEEE 802.1x authenticator process on the switch.

We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless
necessary.

Begin in interface configuration mode:

Switch#show running-config

Building configuration...

Current configuration : 766 bytes

interface TenGigabitEthernet3/0/12

switchport mode access

switchport block unicast

switchport voice vlan 2

switchport port-security maximum 3

switchport port-security maximum 2 vlan access

switchport port-security violation restrict

switchport port-security aging time 1

switchport port-security aging type inactivity

switchport port-security

load-interval 30

trust device cisco-phone

storm-control broadcast level pps 1k

storm-control multicast level pps 2k

storm-control action trap

auto qos voip cisco-phone

macro description CISCO_PHONE_EVENT

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQos-4.0-CiscoPhone-Input-Policy

service-policy output AutoQos-4.0-Output-Policy

ip dhcp snooping limit rate 15

dot1x timeout tx

dot1x max-reauth-req

authentication timer restart

dot1x timeout quiet-period

«
...
77
78
79
80
81
...
»

Summary of Contents for Catalyst 3850

Page 1: ...es worldwide Addresses phone numbers and fax numbers are listed on the Cisco website at www cisco com go offices Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide First Published November 30 2015 Last Updated December 14 2015 ...

Page 2: ......

Page 3: ... OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO US...

Page 4: ......

Page 5: ...tion 2 8 Configure the Hostname for Switch Identification 2 9 Configure Secure HTTPS and Secure Shell for Secure LAN Management 2 9 Configure SNMP for Remote Management 2 10 Configure Local Login and Password for Switch Access 2 10 Configure Centralized User Authentication Through TACACS 2 10 Assign an IP Address to the Switch 2 11 Configure the Management IP Address on an Out of Band Interface 2 ...

Page 6: ...TP Transparent Mode 4 31 Enable Rapid Per VLAN Spanning Tree 4 32 Configure BPDU Guard for Spanning Tree PortFast Interfaces 4 32 Configure UDLD to Detect Link Failure 4 33 Configure an Access List to Limit Switch Access 4 33 Configure System Clock and Console Timestamps 4 34 Configure DHCP Snooping Security Features 4 34 Configure ARP Inspection 4 34 Configure EtherChannel Load Balancing 4 35 Cre...

Page 7: ...equisites 6 51 Identify Configuration Values 6 51 LAN Access Switch Topology with Connections to End Devices 6 53 Configure Access Interface Connectivity 6 53 Recommendations for Configuring Access Interfaces 6 53 Configure the Interface for Access Mode 6 55 Configure VLAN Membership 6 55 Create an Interface Description 6 55 Configure Security Features on Access Interfaces 6 56 Configure QoS on th...

Page 8: ... Mobility Controller Mode 8 87 Enable the Access Point Connections 8 88 Enable a Client VLAN 8 89 Provisioning a Small Branch WLAN 8 90 Provision in Easy RADIUS 8 90 Disable Authentication to Enable Easy RADIUS 8 90 Configure QoS to Secure the WLAN 8 91 Verify Client Connectivity in RADIUS 8 91 Provision in Secure Mode 8 93 Enable the AAA RADIUS Server 8 93 Configure the WLAN with IEEE 802 1x Auth...

Page 9: ...how Running Status 9 103 Run a System Baseline for Core Resources 9 104 Obtain CPU and Core Processor Usage 9 104 Obtain Switch Memory Usage 9 106 Monitor File Systems Usage 9 106 Run a System Baseline for Environmental Resources 9 107 Other System Monitoring Considerations 9 108 Spanning Tree Monitoring 9 108 I N D E X ...

Page 10: ...Contents vi Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide ...

Page 11: ... reader values bold font Commands and keywords and user entered CLI appear in bold font italic font Document titles new or emphasized terms and arguments for which you supply values are in italic font Default responses to system prompts are in square brackets Elements in square brackets are optional x y z Required alternative keywords are grouped in braces and separated by vertical bars x y z Opti...

Page 12: ...ion and Submitting a Service Request For information on obtaining documentation using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Documentation at http www cisco com c en us td docs general whatsnew whatsnew html Subscribe to What s New in Cisco Product Documentation which lists all new and revised Cisco technical ...

Page 13: ...switch deployments Note Many Cisco documents are available that define best practices for a variety of features and solutions There will be some overlap between the information provided in this guide and other best practices and deployment guides When relevant this document references other existing documents so the reader can get a deeper understanding of an aspect of the 3850 operation Otherwise...

Page 14: ... through 10 100 1000 Ethernet with both Gigabit and 10 Gigabit uplink connectivity options When a switch is deployed in access mode it enables end devices such as IP phones wireless access points and desktops to gain access to the network The Power over Ethernet PoE switch models support PoE 30 W and UPoE 60 W to power IP phones wireless access points and IP cameras The field replaceable uplink mo...

Page 15: ...h Configuration Workflow This document focuses on configuring a switch network and is organized in a workflow pattern beginning with the initial configuration of a switch after it is racked mounted connected and powered on and ending with monitoring system health Figure 3 shows the best practice configurations described in this document See the Switch Hardware Installation Guide for information on...

Page 16: ...mage on switch stack members Yes No Configure global switch settings to define common configuration Configure QoS on wired and wireless traffic to guarantee network performance Configure switch connections to distribution switches or routers Configure switch connections to end devices such as access points IP phones laptops printers Configure secure access on the switch and on connected devices Co...

Page 17: ... always used for data and VLAN 11 is always used for voice The IP subnets for those VLANs are different across the access switches but the VLAN IDs are the same This type of address plan makes it easier to operate the network because the same VLAN IDs are consistent Table 1 IP Address Plan VLAN ID IP Address Server Description 100 192 168 1 0 24 Switch in band management VLAN 10 192 168 10 0 24 Up...

Page 18: ...Ease of Deployment Switch Address Plan 6 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 19: ...rent from updating a Catalyst 3750 switch stack Simply changing the boot statement to the desired bin file is not recommended for Catalyst 3850 and 3650 switch stacks The update process for Catalyst 3850 and 3650 switch stacks includes a series of package files which are extracted from the bin file and loaded into flash Prerequisites Obtain a valid Cisco Connection Online CCO account with entitled...

Page 20: ...configuration mode unless noted otherwise LAN Access Switch Topology with Configured TFTP Server Figure 1 LAN Access Switch Topology with Configured TFTP Server Performing the Stack Update Table 1 Switch Stack Update Configuration Values A Value Name B Example Value Names C Your Value hostname 3850 access Bld1Flr1 TFTP server 192 168 254 12 Flash file cat3k_caa universalk9 SSA 16 1 0 EFT3 1 bin Du...

Page 21: ... has a Cisco suggested release based on software quality stability and longevity which is designated by the symbol as displayed in Appendix 2 Cisco Catalyst 3850 48P S Switch Step 1 Download the desired bin file from Cisco com to the switch flash storage Note The purpose of this example is only to show you how the Cisco suggested release symbol is designated and not to give you recommended release...

Page 22: ... Note Since the format of the pacakges conf file has changed in Cisco IOS XE Release Denali 16 1 overwrite the old packages conf with the new packages conf file Perform the above step for eachswitch in your stack If you have a 3 member stack it will need to be done on flash flash 2 and flash 3 Note Make sure the tftp server is reachable To improve performance increase the tftp block size to 8192 U...

Page 23: ...st L3 Switch Software CAT3K_CAA UNIVERSALK9 M Version Denali 16 1 1 RELEASE SOFTWARE fc1 Technical Support http www cisco com techsupport Copyright c 1986 2015 by Cisco Systems Inc Compiled Thu 12 Nov 15 16 23 by mcpre Switch Ports Model SW Version SW Image Mode 1 32 WS C3850 24P Denali 16 1 1 CAT3K_CAA UNIVERSALK9 BUNDLE 2 32 WS C3850 24P Denali 16 1 1 CAT3K_CAA UNIVERSALK9 BUNDLE 3 32 WS C3850 2...

Page 24: ...in band network Step 8 After verifying connectivity make sure that there is enough room in flash on all the switch stack members Step 9 If you determine that files must be purged from flash run the request platform clean switch command to erase unneeded files within flash on all the stack members We recommend using the request platform clean switch command instead of individually deleting files Th...

Page 25: ...ST_20151116_230450 SSA pkg flash packages conf flash packages conf 00 flash packages conf 01 flash packages conf 02 2 flash cat3k_caa rpbase BLD_V161_0_THROTTLE_LATEST_20151116_230450 SSA pkg flash cat3k_caa srdriver BLD_V161_0_THROTTLE_LATEST_20151116_230450 SSA pkg flash cat3k_caa universalk9 BLD_V161_0_THROTTLE_LATEST_20151116_230450 SSA bin flash cat3k_caa wcm BLD_V161_0_THROTTLE_LATEST_201511...

Page 26: ...leting file flash packages conf 00 done Deleting file flash packages conf 01 done Deleting file flash packages conf 02 done SUCCESS Files deleted 2 Deleting file flash cat3k_caa rpbase BLD_V161_0_THROTTLE_LATEST_20151116_230450 SSA pkg done Deleting file flash cat3k_caa srdriver BLD_V161_0_THROTTLE_LATEST_20151116_230450 SSA pkg done Deleting file flash cat3k_caa universalk9 BLD_V161_0_THROTTLE_LA...

Page 27: ...switches are upgraded to the version currently running on the stack and also converts a member in bundle mode to install mode The auto upgrade feature automatically installs the software packages from an existing stack member to the stack member that is running incompatible software Note Auto upgrade is disabled by default Note The rolling upgrade feature is not supported request platform software...

Page 28: ...Switch Stack Update Performing the Stack Update 31 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 29: ...re Installation Guide to complete the following tasks 1 Rack mount the switch 2 Connect the StackWise cables 3 Connect the switch ports 4 Perform power on 5 Provision your upstream switch 6 Connect at least one Ethernet cable from the uplink interface on the switch to the upstream switch or router Identify Configuration Values We recommend that you identify certain switch configuration values in a...

Page 30: ...e a Management IP Address on an In Band Interface Create a Management VLAN in Hardware Enter the show running configuration command to display the initial management information for the switch Note The following configurations should be performed in the same sequence in which they are listed here Table 3 Initial Configuration Values A Value Name B Example Value Names C Your Value Hostname 3850 acc...

Page 31: ...ns Secure Shell for Secure LAN Management section Configure Secure HTTPS and Secure Shell for Secure LAN Management Step 2 Disable the HTTP and Telnet unencrypted protocols on the switch Step 3 Configure Secure HTTP HTTPS and Secure Shell SSH to enable secure management of the switch Enabling HTTPS automatically generates a cryptographic key to use the service When SSH is configured after HTTPS yo...

Page 32: ...CACS to manage all of your network devices Step 6 Configure centralized user authentication through the TACACS protocol As networks increase the number of devices to maintain there is an operational burden to maintain local user accounts on every device A centralized authentication authorization and accounting AAA service reduces operational tasks on each device and provides an audit log of user a...

Page 33: ...directly to the CPU IP traffic on GigabitEthernet 0 0 does not use the operating network If the physical topology of the switch deployment does not support out of band then the switch can be managed with an in band IP address We recommend that the switch be assigned multiple IP addresses for high availability one IP address on the out of band interface and one on the in band interface High availab...

Page 34: ...hernet 0 0 interface Management traffic originating from the switch must be associated with the GigabitEthernet 0 0 VRF instance A Mgmt vrf is used to segment management traffic from the global routing table of the switch A default route for the Mgmt vrf is required This interface cannot be used as the source interface for sending SNMP traps Sending traps to an SNMP trap server requires an IP addr...

Page 35: ...fic that comes from the switch for instance SNMP traps use the in band IP address You can assign an IP address to your VLAN interface before you configure the VLAN on the switch The VLAN interface is not operational until the VLAN is created in hardware and at least one physical interface which is a member of the VLAN is in a forwarding state This example shows a VLAN created for management and in...

Page 36: ... well as the console or Express Setup You can skip this step if you continue to use the console to complete the configuration but required if you use another tool to complete the configuration of the switch The complete best practice configuration for uplink connectivity is explained in the Uplink Interface Connectivity workflow We recommend that you use a dummy VLAN as the native VLAN on trunk in...

Page 37: ...quire that the upstream layer device switch or router to be configured to operate in a production network and without any additional configuration changes being required vlan 100 name switch_mgmt exit vlan 999 name dummy exit The next step assumes the uplink interface is GigabitEthernet 1 1 1 but your uplink interface may be different interface GigabitEthernet 1 1 1 Switchport mode trunk Switchpor...

Page 38: ...t 4 Port 49 GigabitEthernet1 1 1 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32868 priority 32768 sys id ext 100 Address 20bb c05f b300 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 sec Interface Role Sts Cost Prio Nbr Type Gi1 1 1 Root FWD 4 128 49 P2p Gi1 1 2 Altn BLK 4 128 50 P2p show interfaces trunk Port Mode Encapsulation Status Native vlan G...

Page 39: ...Initial Switch Configuration Assign Initial Management Information 27 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 40: ...Initial Switch Configuration Assign Initial Management Information 28 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 41: ...he switch console SSH or any management tool Using tools other than the console requires you to log in using user names and passwords configured as described in the section the Initial Switch Configuration workflow Identify Configuration Values We recommend that you identify certain switch configuration values in advance so that you can proceed with this workflow without interruption We recommend ...

Page 42: ...re Data VLAN 10 Voice VLAN 11 Access points VLAN 12 Management VLAN ID 100 Wireless clients VLAN 200 VLAN name for data Data VLAN name for voice Voice VLAN name for access points Access_Points VLAN name for wireless clients Wireless_Client SNMP community strings for read only and read write access my SNMP RO name my SNMP RW name IPv6 Router Advertisement Guard policy for access interfaces endhost_...

Page 43: ...rity becomes the active member In a switch stack the member most likely to fail is the active member Therefore in a switch stack with three or more members we recommend that you configure uplink connectivity on more than one stack member and do not configure uplink connectivity on the active member This way uplink connectivity is not affected if the active member fails In this document the stack r...

Page 44: ...assic spanning tree Rapid PVST provides an instance of RSTP IEEE 802 1w for each VLAN and PVST improves the detection of indirect failures or linkup restoration events over the classic spanning tree IEEE 802 1D Recommendation Enable spanning tree even if your deployment is created without any Layer 2 loops By enabling spanning tree you ensure that if physical or logical loops are accidentally conf...

Page 45: ...ing Tree Protocol state Do not change UDLD aggressive timers Note UDLD in aggressive mode is not needed when the upstream device is a switch operating in VSS mode For more information about VSS enabled campus design see the Campus 3 0 Virtual Switching System Design Guide Configure an Access List to Limit Switch Access Step 6 If your network operation support is centralized you can increase networ...

Page 46: ... VLAN This configuration ensures that an unauthorized DHCP server cannot allocate addresses to end user devices Configure ARP Inspection ARP inspection is a security feature that prevents ARP spoofing Step 10 Enable Address Resolution Protocol ARP inspection on the data voice and management VLANs Configure EtherChannel Load Balancing Step 11 Set EtherChannels to use the traffic source and destinat...

Page 47: ...Ds and VLAN names in the access layer Consistent IDs and names help with consistency and network operation becomes more efficient Note Do not use VLAN 1 Note Use VLAN 200 for wireless clients only if the switch operates as a wireless controller in the converged access mode Create IPv6 First Hop Security Policies Step 13 Create and apply global IPv6 security policies on the uplink interfaces to def...

Page 48: ...ion that is running on the switch stack When new members join an existing switch stack the Cisco IOS version of the new members must match the Cisco IOS version of the existing members The Auto Upgrade feature provides the ability to automatically update new members when they join However this feature is not enabled by default Note The switch stack must be running Cisco IOS XE Release 3 3 1 or hig...

Page 49: ...plink interface always available for switch stack members Prerequisites for Uplink Interface Connectivity Ensure that the best practice configurations are set as described in the Global System Configuration workflow Restrictions for Uplink Interface Connectivity A maximum of only eight physical links can be active in a single EtherChannel group All the ports in an EtherChannel must be assigned to ...

Page 50: ... Value Name B Example Value Name C Your Value Uplink interfaces GigabitEthernet 1 1 1 GigabitEthernet 1 1 2 GigabitEthernet 2 1 1 GigabitEthernet 2 1 2 Data VLAN 10 Voice VLAN 11 Access points VLAN 12 Wireless clients VLAN 200 Management VLAN ID 100 Dummy VLAN 999 IPv6 Router Advertisement Guard policy name switch_ipv6_raguard router_ipv6_raguard IPv6 Router Advertisement Guard policy name uplink_...

Page 51: ...displays the LAN Access Switch Topology with Uplinks to a distribution switch or distribution router Figure 6 LAN Access Switch Topology with Uplinks to a Distribution Switch Dual redundant switches in distribution layer running VSS Cat6500 6800 4500 or VPC Nexus 7000 Desktop user direct connect Desktop user Printer Wireless access Catalyst 3850 stack in access Voice VLAN 11 Data VLAN 10 Data VLAN...

Page 52: ... Catalyst 3650 Switch Series Figure 7 Uplinks for a Distribution Router Dual redundant routers running HSRP Desktop user direct connect Desktop user behind IP phone Printer Wireless access Catalyst 3850 stack in access Voice VLAN 11 Data VLAN 10 Data VLAN 10 Data VLAN 10 Switch management VLAN 100 Access point VLAN 12 391936 Trunk link Native VLAN 999 All VLANs included ...

Page 53: ...s well as the distribution switch side of the EtherChannel must be configured in LACP active mode Use uplink ports on the different switches in the switch stack to connect back to the distribution switches This configuration ensures that there is no single source of failure for the switch stack If a switch in the stack owning one of the uplink connections fails there will still be an uplink port c...

Page 54: ...connection to a distribution VSS or VPC switch pair The VSS and VPC systems have an explicit configuration between the Cisco distribution switch pair That allows them to act as a single logical switch when connected to the EtherChannel The EtherChannel is configured as a trunk with VLANs 10 11 12 and 100 with the native VLAN set to 999 Note Use this switch stack uplink interface configuration only...

Page 55: ...ng tree Figure 7 shows a switch stack having a separate EtherChannel to each distribution router Each EtherChannel is configured as a trunk with VLANs 10 11 12 100 200 and 999 with the native VLAN set to 999 interface GigabitEthernet 1 1 1 description connection to Distribution VSS or VPC switch 1 switchport mode trunk switchport trunk native vlan 999 switchport trunk allowed vlan 10 11 12 100 200...

Page 56: ...to the uplink interfaces connecting to VPC VSS or standalone switch interface GigabitEthernet 1 1 1 description connection to Distribution router 1 switchport mode trunk switchport trunk native vlan 999 switchport trunk allowed vlan 10 11 12 100 200 spanning tree portfast trunk channel protocol lacp channel group 1 mode active interface GigabitEthernet 2 1 1 description connection to Distribution ...

Page 57: ... Protocol HSRP or Virtual Router Redundancy Protocol VRRP is configured for the VLANs located on the standalone distribution switches make sure that the VLAN configuration on the active switch is the same on the switch that is the spanning tree root for that VLAN Avoid flooding of traffic caused by asymmetric routing of traffic flows by configuring the arp timeout interface configuration command T...

Page 58: ...ess is 381c 1a24 d537 bia 381c 1a24 d537 MTU 1500 bytes BW 10000000 Kbit sec DLY 10 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive not set Full duplex 10Gb s link type is auto media type is SFP 10GBase SR input flow control is off output flow control is unsupported ARP type ARPA ARP Timeout 04 00 00 Last input never output 00 00 19 output hang neve...

Page 59: ...Uplink Interface Connectivity Display Uplink Interface Connectivity for the Switch 51 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 60: ...Uplink Interface Connectivity Display Uplink Interface Connectivity for the Switch 52 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 61: ... to end devices are the edge of the network which network security and QoS begins Prerequisites for Access Interface Connectivity Complete the procedure described in the Global System Configuration workflow which includes the necessary configurations for the access interface configuration Complete the procedure described in the Configure QoS on an Uplink EtherChannel Interfaces workflow which incl...

Page 62: ...gabitEthernet2 0 1 48 Data VLAN 10 Voice VLAN 11 Access Points VLAN 12 Management VLAN ID 100 Wireless Clients VLAN 200 IPv6 Router Advertisement Guard policy name endhost_ipv6_raguard IPv6 Router Advertisement Guard policy name endhost_ipv6__guard QoS service policy input names See the Configure QoS on an Uplink EtherChannel Interfaces section IPPhone Input Policy Classify Police Input Policy Cla...

Page 63: ...s Interface Configurations Recommendations for Configuring an Access Interface Although some end devices do not require the following access interface configurations we recommend that you perform them to ensure consistency The configurations do not interfere with the operation of the network or the attached end device and is considered safe to use When configuring your access interface you should ...

Page 64: ... where a feature explicitly has IPDT enabled IPDT is required for Centralized Web Authentication with Identity Services Engine ISE Network Mobility Services communicates with the Mobility Services Engine to track location Device Sensor watches the control packets that ingress from the attached end device and determine what type of device is attached Device Sensor uses multiple sources such as IPDT...

Page 65: ...e VLAN 1 for data or voice VLAN 1 is the default VLAN on the 3850 This is well documented and understood by experienced networking personnel Thus VLAN 1 will be more susceptible to attacks Changing the VLAN IDs to something other than VLAN1 has been a long standing Cisco recommendation for Ethernet switching Create an Interface Description Step 3 Create a description for the interface to identify ...

Page 66: ...interfaces are not put into a disabled state Unicast packets are blocked on egress and not ingress traffic The switch drops unknown unicast packets from being egressed to the end device ensuring that only the packets intended for the end device are forwarded Step 8 Configure IPv6 security on the interface to secure the end devices from malicious or unexpected operation by preventing them from tran...

Page 67: ...ly service policies to a single access interface The switch then automatically generates the modular QoS command line interface MQC service policies needed for access This example identifies some of the service policy configurations Step 10 Apply ingress and egress service policies Check the end device specific configuration to see which service policy is recommended for an end device Verify Acces...

Page 68: ...ink Down 2k pps 2k pps 0 pps Trap M Gi1 0 4 Link Down 1k pps 1k pps 0 pps Trap B Gi1 0 4 Link Down 2k pps 2k pps 0 pps Trap M show ip snooping Switch snooping is enabled Switch gleaning is disabled snooping is configured on following VLANs 10 13 100 snooping is operational on following VLANs 10 13 100 snooping is configured on the following L3 Interfaces Insertion of option 82 is disabled circuit ...

Page 69: ...ip active deny all 12 Gi1 0 4 ip active deny all 10 show port security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action Count Count Count Gi1 0 1 11 1 0 Restrict Gi1 0 2 11 1 0 Restrict Gi1 0 3 11 1 0 Restrict Gi1 0 4 11 1 0 Restrict Total Addresses in System excluding one mac per port 0 Max Addresses limit in System excluding one mac per port 4096 show ip arp inspection int...

Page 70: ...pply to many interfaces Because most of the interfaces in the access layer are configured identically using this command can save a lot of time For example the following command allows you to enter commands simultaneously on all 48 interfaces GigabitEthernet 1 0 1 to GigabitEthernet 1 0 48 Note Apply the interface range command to every switch stack member This range command will work for all inte...

Page 71: ...ecurity switchport port security aging time 2 switchport port security aging type inactivity switchport port security violation restrict ip arp inspection limit rate 100 ip snooping limit rate 100 ip verify source switchport block unicast storm control broadcast level pps 1k storm control multicast level pps 2k storm control action trap ipv6 nd raguard attach policy endhost_ipv6_raguard ipv6 guard...

Page 72: ... port security aging type inactivity switchport port security violation restrict ip arp inspection limit rate 100 ip snooping limit rate 100 ip verify source switchport block unicast storm control broadcast level pps 1k storm control multicast level pps 2k storm control action trap ipv6 nd raguard attach policy endhost_ipv6_raguard ipv6 guard attach policy endhost_ipv6__guard auto qos trust dscp s...

Page 73: ...ort port security aging time 2 switchport port security aging type inactivity switchport port security violation restrict ip arp inspection limit rate 100 ip snooping limit rate 100 ip verify source switchport block unicast storm control broadcast level pps 1k storm control multicast level pps 2k storm control action trap ipv6 nd raguard attach policy endhost_ipv6_raguard ipv6 guard attach policy ...

Page 74: ...Access Interface Connectivity Display Running Configuration for Access Interface Connectivity 64 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 75: ...hod For information see the Wired 802 1x Deployment Guide Automate the certificate enrollment process for supplicants as described in the Certificate Autoenrollment in Windows Server 2003 Enable machine authentication for end points such as printers to ensure that user login is supported Restrictions for Access Control on the Wired Network You cannot configure an IEEE 802 1x port that is a member ...

Page 76: ...thentication server settings the authentication and accounting ports could be assigned the values 1812 and 1813 respectively Note Replace the blue italicized example values with your own values Note Configuration examples begin in global configuration mode unless noted otherwise Table 7 Secure Access Control for Wired Network Values A Value Name B Example Value Names C Your Value Interface range G...

Page 77: ...ity Access Provision in Monitor Mode Provision in Low Impact Mode Provision in High Impact Mode Recommendations for Configuring Security on a Wired LAN IEEE 802 1x permits or denies network connectivity based on the identity of users and devices It provides a link between the user name and IP address MAC address and a port on a switch It also provides customized network access based on the identit...

Page 78: ... Phased Deployment Configuration Guide For basic information about IEEE 802 1x protocols see the 8021X Protocols section of the Wired 802 1X Deployment Guide Provision Common Wired Security Access IEEE 802 1x port host modes determine whether more than one client can be authenticated on the port and how authentications is enforced Unless otherwise noted we recommend that multiple authentication mo...

Page 79: ...authenticator process on the switch We recommend that you do not change the IEEE 802 1x timer and variable default settings unless necessary Begin in interface configuration mode Switch show running config int Te3 0 12 Building configuration Current configuration 766 bytes interface TenGigabitEthernet3 0 12 switchport mode access switchport block unicast switchport voice vlan 2 switchport port sec...

Page 80: ...owed network access We recommend that you enable MAB to support non 802 1x compliant devices MAB also is an alternate authentication method when end devices fail IEEE 802 1x authentication due to restricted ACL access Begin in interface configuration mode Step 5 Configure IEEE 802 1x on the appropriate interfaces When you configure an IEEE 802 1x parameter on a port a dot1x authenticator is automa...

Page 81: ...n or invalid MAC addresses for MAB We recommend monitor mode as a first phase approach to provide secure access with IEEE 802 1x Although this mode authenticates the end devices and users supplicants traffic is not impacted if authentication fails In monitor mode IEEE 802 1x and MAB are enabled but access is open to all users Step 8 To allow hosts to gain access to a controlled port configure mult...

Page 82: ...icated users with low impact mode provisioning In low impact mode authentication is open and network access is contained using less restrictive port ACLs After authentication dACLs are used to allow full network access to end devices Step 10 configure multi domain mode to prevent unauthorized users from accessing an interface after an authorized user has been authenticated Step 11 Add a static ACL...

Page 83: ...resolve the devices and user accounts that have failed authentication Transition to high impact mode when you are confident that end devices that need network access authenticate successfully and authentication fails for devices and users that do not need access Begin in global configuration mode Step 14 Assign critical VLAN assignments for situations where the authentication server is unavailable...

Page 84: ... GigabitEthernet1 0 1 switchport access vlan 10 switchport mode access switchport block unicast switchport voice vlan 11 ip arp inspection limit rate 100 trust device cisco phone authentication host mode multi auth authentication open authentication port control auto mab dot1x pae authenticator storm control broadcast level pps 1k storm control multicast level pps 2k storm control action trap Ipv6...

Page 85: ...cess group LowImpactSecurity acl in authentication event fail action next method authentication host mode multi domain authentication open authentication port control auto mab dot1x pae authenticator storm control broadcast level pps 1k storm control multicast level pps 2k storm control action trap Ipv6 nd raguard attach policy endhost_ipv6_raguard Ipv6 guard attach policy endhost_ipv6__guard auto...

Page 86: ... access vlan 10 switchport mode access switchport block unicast switchport voice vlan 11 ip arp inspection limit rate 100 trust device cisco phone authentication event server dead action authorize vlan 20 authentication event server dead action authorize voice authentication host mode multi auth authentication port control auto mab dot1x pae authenticator storm control broadcast level pps 1k storm...

Page 87: ...1x statistics Dot1x Global Statistics for RxStart 7 RxLogoff 0 RxResp 0 RxRespID 8 RxReq 0 RxInvalid 0 RxLenErr 0 RxTotal 29 TxStart 0 TxLogoff 0 TxResp 0 TxReq 0 ReTxReq 0 ReTxReqFail 0 TxReqID 8 ReTxReqID 0 ReTxReqIDFail 0 TxTotal 8 show dot1x interface g1 0 1 statistics Dot1x Authenticator Port Statistics for GigabitEthernet1 0 1 RxStart 10 RxLogoff 0 RxResp 0 RxRespID 10 RxInvalid 0 RxLenErr 0...

Page 88: ... 3850 and Catalyst 3650 Switch Series Step 4 Use the show dot1x interface command to display the IEEE 802 1x administrative and operational status for a specific port show dot1x interface g1 0 1 Dot1x Info for GigabitEthernet1 0 1 PAE AUTHENTICATOR QuietPeriod 60 ServerTimeout 0 SuppTimeout 30 ReAuthMax 2 MaxReq 2 TxPeriod 30 ...

Page 89: ...he number of members in the stack This ensures that the network will scale with current wireless bandwidth requirements as dictated by IEEE 802 11n based access points and with future wireless standards such as IEEE 802 11ac Prerequisites Complete the following tasks before proceeding with wireless configuration Switch stack must function in Stateful Switchover SSO mode Interface configuration is ...

Page 90: ...s clients are on VLAN 200 and use IP subnet 192 168 13 x Note In the configuration examples you must replace the blue italicized example values with your own values Table 10 Wireless LAN Controller Values A Value Name B Example Value Names C Your Value Number of access point count licenses and slots 10 1 15 2 Management VLAN wireless management vlan Management VLAN access point and description Wir...

Page 91: ...an support up to 50 directly connected access points For converged access at least one lightweight access point is required A maximum of 50 access points can be supported by a switch stack We recommend that you distribute the access points equally across the stack to achieve reliability during switchover scenarios preventing connectivity loss to access points connected to a member or standby switc...

Page 92: ...ses support wireless functionality The minimum license level for wireless functionality is IP Base The total AP count license of a switch stack is equal to the sum of all the individual member AP count licenses up to a maximum of 50 AP count licenses The total AP count license of the stack is affected when stack members are added or removed When a new member is added to the stack that has an exist...

Page 93: ... expires You get a warning that your evaluation license will expire and you must disable the evaluation license and purchase a permanent one We recommend that you purchase and activate a permanent license and accept the EULA to avoid an untimely expiration The following examples activate 10 access point licenses on member 1 and 15 on member 2 For more information about RTU licenses see the Configu...

Page 94: ...a default gateway for the switch The server uses the DNS server to resolve the TFTP server name to an IP address but configuration of the DNS server IP address is optional In small branch deployments in which the MC and MA are combined we recommend using the switch as the server for the lightweight access points In this deployment the switch operates in Layer 2 mode and the upstream router provide...

Page 95: ...t license installation In the wireless licensing model the MA is the access point enforcer and the MC is the gatekeeper of the access points The MC allows an access point to join the switch or not The default role of the switch after boot up is an MA It is mandatory to save the configuration and reload the switch for the MC role to take effect Step 8 After the switch reboots verify that the role o...

Page 96: ...on the switch port should be the same as the wireless management VLAN configured in Step 4 in this workflow show wireless mobility summary Mobility Controller Summary Mobility Role Mobility Controller Mobility Protocol Port 16666 Mobility Group Name default Mobility Oracle IP Address 0 0 0 0 DTLS Mode Enabled Mobility Domain ID for 802 11r 0xac34 Mobility Keepalive Interval 10 Mobility Keepalive C...

Page 97: ...ight Access Point switchport host switchport access vlan 12 switchport port security maximum 11 switchport port security switchport port security aging time 2 switchport port security aging type inactivity switchport port security violation restrict ip snooping limit rate 100 switchport block unicast storm control broadcast level pps 1k storm control multicast level pps 2k storm control action tra...

Page 98: ...ment is beyond the scope of this document For detailed information see the Configuring Wireless Guest Access chapter in the Security Configuration Guide Cisco IOS XE Release 3E Catalyst 3850 Switches Provision in Easy RADIUS Easy RADIUS allows access to the network without authentication and is not secure Disable Authentication to Enable Easy RADIUS Configure QoS to Secure the WLAN Verify Client C...

Page 99: ...e the WLAN Step 2 Configure a service policy on the ingress direction to properly classify traffic All ingress traffic is classified the same as wired traffic On egress the secure WLAN is given the majority of the available bandwidth QoS configuration for a secure WLAN assumes that there is another WLAN with lower priority such as a guest or open WLAN The end users on a secure WLAN should not be i...

Page 100: ...ands that display state and authentication information pol edu 3850 mc 12 show wireless client summary Number of Local Clients 2 MAC Address AP Name WLAN State Protocol 0000 3a40 0001 pol edu tsim 40 6 4 UP 11a 0000 3a40 0002 pol edu tsim 40 1 4 UP 11a pol edu 3850 mc 12 show wcdb database all Total Number of Wireless Clients 2 Clients Waiting to Join 0 Local Clients 2 Anchor Clients 0 Foreign Cli...

Page 101: ...es for an Open WLAN DHCP Snooping Enable the AAA RADIUS Server The configuration of the RADIUS server is dependent on the RADIUS service that you choose Look for client open auth state pol edu 3850 mc 12 show access session mac 0000 3a40 0001 details Interface Capwap33 MAC Address 0000 3a40 0001 IPv6 Address fe80 200 3aff fe40 1 IPv4 Address 153 40 125 100 User Name cisco Status Authorized Domain ...

Page 102: ... recommend only WPA2 be configured with Advanced Encryption Standard AES Note WPA2 with AES encryption and IEEE 802 1x key management are enabled by default on the WLAN for the switch so you do not need to explicitly configure these security settings aaa new model aaa session id common aaa authentication dot1x default group RADIUS aaa authorization network default group RADIUS aaa accounting dot1x...

Page 103: ... on each client VLAN including the override VLAN if override is applied on the WLAN Enable bootp broadcast command It is needed for clients that send the DHCP messages with broadcast addresses and broadcast bit is set in the DHCP message On the interface Note If upstream is via a port channel the trust Config should be on the port channel interface as well Note DHCP snooping should be configured o...

Page 104: ...miting the number of supported data rates allows clients to down shift faster when retransmitting Wireless clients try to send at the fastest data rate If the transmitted frame is unsuccessful the wireless client will retransmit at the next lowest available data rate The removal of some supported data rates means that clients that need to retransmit a frame directly down shift several data rates w...

Page 105: ...on in your deployment environment The switch detects and reduces radio frequency interference when Clean Air is enabled Some sources of interference are jammers microwave ovens and bluetooth devices Enable 802 11n and 802 11g for the 2 4Ghz spectrum ap dot11 24ghz dot11g ap dot11 24ghz dot11n ap dot11 24ghz rate RATE_24M mandatory ap dot11 24ghz rate RATE_1M disable ap dot11 24ghz rate RATE_2M dis...

Page 106: ...the air metrics reported by each radio on every possible channel and provides a solution that maximizes channel bandwidth and minimizes radio frequency interference from all sources self signal other networks foreign interference and noise everything else Associate WLAN Clients Step 7 Association of WLAN clients is done on the end client device by choosing the appropriate SSID and supplying the re...

Page 107: ...0x506280000033A0 MAC Address ec55 f9c6 266b IPv6 Address Unknown IPv4 Address 121 1 0 253 User Name Employee1 Status Authorized Domain DATA Oper host mode multi auth Oper control dir both Session timeout N A Common Session ID 64010101539f285900003353 Acct Session ID Unknown Handle 0xDB000467 Current Policy No Policy Server Policies priority 100 Method status list Method State dot1x Authc Success s...

Page 108: ...68 12 1 ip excluded address 192 168 12 2 Access Point IP pool defined locally on the 3850 ip pool APVlan12 pool network 192 168 12 0 255 255 255 0 default router 192 168 12 1 Vlan 200 for wireless clients and the subnet 192 168 13 x 23 the server is external to the 3850 vlan 200 name Wireless_Client snip remember to exclude 192 168 13 2 on the server Its statically defined on the vlan 200 intf int...

Page 109: ... dot11 24ghz rate RATE_12M supported ap dot11 24ghz rate RATE_18M supported ap dot11 24ghz rate RATE_24M mandatory ap dot11 24ghz rate RATE_36M supported ap dot11 24ghz rate RATE_48M supported ap dot11 24ghz rate RATE_54M supported no ap dot11 24ghz shutdown ap dot11 5ghz shutdown ap dot11 5ghz rrm channel dca chan width 80 ap dot11 5ghz cleanair ap dot11 5ghz rate RATE_6M disable ap dot11 5ghz ra...

Page 110: ...Converged Wired and Wireless Access Show Running Configuration for Wireless LAN Converged Access 102 Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series ...

Page 111: ...he pipe feature gives the duration of uptime and any reload information Show Running Status Identify the reasons for uptime and reload Over time switches can crash and reload without your knowledge Step 1 Use the show version command to retrieve the overall switch status If you are only interested in the switch uptime and last reload you can run a more direct command using the pipe feature built i...

Page 112: ...e due to the subprocesses and tasks operating under a specific process use the show process cpu detailed command To sort for high activity usage use show process cpu sorted command CPU usage can be monitored on a per switch basis in a stacked environment At periodic intervals we recommend that you run the following variations of the show process cpu command Note The switch is a multicore platform ...

Page 113: ...ore 0 CPU utilization for five seconds 4 one minute 5 five minutes 5 Core 1 CPU utilization for five seconds 2 one minute 1 five minutes 1 Core 2 CPU utilization for five seconds 0 one minute 0 five minutes 0 Core 3 CPU utilization for five seconds 1 one minute 2 five minutes 1 PID Runtime ms Invoked uSecs 5Sec 1Min 5Min TTY Process 5639 1598657 15898882 68 0 98 1 06 1 08 1088 fed 8503 1554112 101...

Page 114: ...ompare the size of the folder against the free space available The switch has different file systems that can be listed by using the show file systems command Note An asterisk indicates the default file system If the file system has a dash or a zero 0 for the Size b field that indicates that the file system is not present or not recognized Step 6 Use the dir filesystem or the show filesystem comma...

Page 115: ...ack command to view all of the environmental outputs stack wide Although some of settings are adjustable we recommend leaving the settings with their default values dir crashinfo Directory of crashinfo 6073 drwx 1024 Jul 17 2013 17 53 48 00 00 ap_crash 12 rwx 0 Jan 1 1970 00 00 06 00 00 koops dat 11 rwx 357 Jun 1 2014 13 05 15 00 00 last_systemreport_log 13 rwx 1128623 Nov 22 2013 12 33 27 00 00 s...

Page 116: ...w spanning tree summary command to periodically monitor the stability of your spanning tree environment and ensure a loop free environment This example output shows that the switch is actually operating as the root bridge for all of the VLANs which can cause extreme network degradation if incorrectly configured show environment stack SWITCH 1 Switch 1 FAN 1 is OK Switch 1 FAN 2 is OK Switch 1 FAN ...

Page 117: ... summary Switch is in pvst mode Root bridge for VLAN0001 VLAN0011 VLAN0015 VLAN0100 VLAN0101 VLAN0881 VLAN0883 Extended system ID is enabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled EtherChannel misconfig guard is enabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used...

Page 118: ...uting the ieee compatible Spanning Tree protocol Number of topology changes 7 last change ed 4d07h ago from GigabitEthernet1 0 1 VLAN0100 is executing the ieee compatible Spanning Tree protocol Number of topology changes 7 last change ed 4d07h ago from GigabitEthernet1 0 1 VLAN0101 is executing the ieee compatible Spanning Tree protocol Number of topology changes 7 last change ed 4d07h ago from Gi...

Page 119: ...sy open mode 190 End User License Agreement EULA 184 EtherChannels 135 144 evaluation license 184 H high impact mode 173 HSRP Hot Standby Router Protocol 149 HTTP HTTPS 19 I in band IP Address 114 install mode 124 IP device tracking IPDT 154 IPv6 security policies 135 L LACP Link Aggregation Control Protocol 144 low impact mode 172 M MAC Authentication Bypass MAB 168 management IP address 114 moni...

Page 120: ...ng Configuration for Initial Management Assignments 118 show version command 1103 software clean 125 127 software expand 124 spanning tree monitoring commands 1108 stack member priority 131 standalone Distribution switches 148 synchronized clock 134 T TACACS 110 TFTP and FTP server 125 TFTP block size 121 136 U Unidirectional Link Detection UDLD 133 uplink to distribution switches 148 user id 110 ...

Reviews:

No comments

Related manuals for Catalyst 3850

Brand: Farris Engineering Pages: 12

Brand: Eastern Times Technology Pages: 4

Brand: Vacon Pages: 18

Brand: Eaton Pages: 86

HomeTec Pro CFF3000

Brand: Abus Pages: 13

Brand: NAVITAS Pages: 7

Brand: Abus Pages: 2

Brand: B&G Pages: 2

Brand: B&K Pages: 9

Brand: FATEK Pages: 10

Brand: Hach Pages: 36

Brand: Hach Pages: 72

Brand: Jäger Pages: 50

Brand: Maestra Pages: 22

Brand: Lattice Pages: 23

Brand: Lattice Semiconductor Pages: 2

Brand: Lathem Pages: 4

Brand: tams elektronik Pages: 36

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands