manualshive.com logo in svg

Cisco 7600 Series, Configuration Manual

The Panasonic 7600 Series is a cutting-edge electronic device featuring advanced technology and a sleek design. To help you get the most out of your purchase, we provide a comprehensive user manual that you can download for free from our website. Discover the full potential of this remarkable product today!

Share
Download
background image

47-8

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX

OL-4266-08

Chapter 47      Configuring Port Security

Configuring Port Security

Port security examines all traffic received by secure ports to detect violations or to recognize and secure 
new MAC addresses. When the shutdown violation mode is configured, traffic cannot enter the secure 
port after a violation has been detected, which removes the possibility that violations might cause 
excessive CPU load.

When the protect or restrict violation modes are configured, port security continues to process traffic 
after a violation occurs, which might cause excessive CPU load. Configure the port security rate limiter 
to protect the CPU against excessive load when the protect or restrict violation modes are configured. 

To configure the port security rate limiter, perform this task:

When configuring the port security rate limiter, note the following information:

  •

For the 

rate_in_pps

 value:

  –

The range is 10 through 1,000,000 (entered as 1000000).

  –

There is no default value.

  –

The lower the value, the more the CPU is protected. The rate limiter is applied to traffic both 
before and after a security violation occurs. Configure a value high enough to permit 
nonviolating traffic to reach the port security feature.

  –

Values lower than 1,000 (entered as 1000) should offer sufficient protection.

  •

For the 

burst_size

 value:

  –

The range is 1 through 255.

  –

The default is 10.

  –

The default value should provide sufficient protection.

This example shows how to configure the port security rate limiter: 

Router# 

configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# 

mls rate-limit layer2 port-security 1000

 

Router(config)# 

end

 

This example shows how to verify the configuration: 

Router# 

show mls rate-limit | include PORTSEC

 

LAYER_2 PORTSEC   On               1000       1  Not sharing

Command

Purpose

Step 1

Router(config)# 

mls rate-limit layer2 

port-security

 

rate_in_pps

 [

burst_size

Configures the port security rate limiter.

Router(config)# 

no mls rate-limit layer2 

port-security

 

Reverts to the default configuration.

Step 2

Router(config)# 

do show mls rate-limit | include 

PORTSEC

 

Verifies the configuration.

Summary of Contents for 7600 Series

Page 1: ...sman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2 18 SXF and Rebuilds and Earlier Releases Text Part Number OL 4266 08 ...

Page 2: ...LES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSE...

Page 3: ...ardware by the PFC and DFC 3 Command Line Interfaces 1 Accessing the CLI 2 Accessing the CLI through the EIA TIA 232 Console Interface 2 Accessing the CLI through Telnet 2 Performing Command Line Processing 3 Performing History Substitution 4 Cisco IOS Command Modes 4 Displaying a List of Cisco IOS Commands and Syntax 5 Securing the CLI 6 ROM Monitor Command Line Interface 7 Configuring the Router...

Page 4: ...oot Configuration 20 Configuring the Software Configuration Register 21 Specifying the Startup System Image 24 Understanding Flash Memory 24 CONFIG_FILE Environment Variable 25 Controlling Environment Variables 26 Configuring a Supervisor Engine 720 1 Using the Bootflash or Bootdisk on a Supervisor Engine 720 2 Using the Slots on a Supervisor Engine 720 2 Configuring Supervisor Engine 720 Ports 2 ...

Page 5: ...ying the Fabric Utilization 8 Displaying Fabric Errors 8 Configuring NSF with SSO Supervisor Engine Redundancy 1 Understanding NSF with SSO Supervisor Engine Redundancy 1 NSF with SSO Supervisor Engine Redundancy Overview 2 SSO Operation 2 NSF Operation 3 Cisco Express Forwarding 3 Multicast MLS NSF with SSO 4 Routing Protocols 4 NSF Benefits and Restrictions 8 Supervisor Engine Configuration Sync...

Page 6: ...chronization 3 Supervisor Engine Redundancy Guidelines and Restrictions 4 Redundancy Guidelines and Restrictions 4 RPR Guidelines and Restrictions 5 Hardware Configuration Guidelines and Restrictions 5 Configuration Mode Restrictions 6 Configuring Supervisor Engine Redundancy 6 Configuring Redundancy 6 Synchronizing the Supervisor Engine Configurations 7 Displaying the Redundancy States 7 Performi...

Page 7: ...rnet Switching 2 Understanding VLAN Trunks 3 Layer 2 LAN Port Modes 4 Default Layer 2 LAN Interface Configuration 5 Layer 2 LAN Interface Configuration Guidelines and Restrictions 5 Configuring LAN Interfaces for Layer 2 Switching 6 Configuring a LAN Port for Layer 2 Switching 7 Configuring a Layer 2 Switching Port as a Trunk 8 Configuring a LAN Interface as a Layer 2 Access Port 14 Configuring a ...

Page 8: ... 1 Understanding How VTP Works 1 Understanding the VTP Domain 2 Understanding VTP Modes 2 Understanding VTP Advertisements 3 Understanding VTP Version 2 3 Understanding VTP Pruning 4 VTP Default Configuration 5 VTP Configuration Guidelines and Restrictions 5 Configuring VTP 6 Configuring VTP Global Parameters 6 Configuring the VTP Mode 9 Displaying VTP Statistics 10 Configuring VLANs 1 Understandi...

Page 9: ...ry VLAN Configuration 7 Private VLAN Port Configuration 9 Limitations with Other Features 9 Configuring Private VLANs 11 Configuring a VLAN as a Private VLAN 11 Associating Secondary VLANs with a Primary VLAN 12 Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN 13 Configuring a Layer 2 Interface as a Private VLAN Host Port 14 Configuring a Layer 2 Interface as a Private VLAN ...

Page 10: ... Works 1 Configuring Support for Layer 2 Protocol Tunneling 2 Configuring Standard Compliant IEEE MST 1 Understanding MST 1 MST Overview 2 MST Regions 2 IST CIST and CST 3 Hop Count 6 Boundary Ports 6 Standard Compliant MST Implementation 7 Interoperability with IEEE 802 1D 1998 STP 9 Understanding RSTP 9 Port Roles and the Active Topology 10 Rapid Convergence 11 Synchronization of Port Roles 12 B...

Page 11: ... 1s MST 1 Understanding How STP Works 2 STP Overview 2 Understanding the Bridge ID 2 Understanding Bridge Protocol Data Units 4 Election of the Root Bridge 4 STP Protocol Timers 5 Creating the Spanning Tree Topology 5 STP Port States 6 STP and IEEE 802 1Q Trunks 12 Understanding How IEEE 802 1w RSTP Works 13 IEEE 802 1w RSTP Overview 13 RSTP Port Roles 13 RSTP Port States 14 Rapid PVST 14 Understa...

Page 12: ...ng MST 34 Displaying MST Configurations 35 Configuring MST Instance Parameters 39 Configuring MST Instance Port Parameters 40 Restarting Protocol Migration 40 Configuring Optional STP Features 1 Understanding How PortFast Works 2 Understanding How BPDU Guard Works 2 Understanding How PortFast BPDU Filtering Works 2 Understanding How UplinkFast Works 3 Understanding How BackboneFast Works 4 Underst...

Page 13: ...UDLR 3 Configuring UDE and UDLR 3 Configuring UDE 3 Configuring UDLR 6 Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching 1 PFC3BXL and PFC3B Mode MPLS Label Switching 1 Understanding MPLS 2 Understanding PFC3BXL and PFC3B Mode MPLS Label Switching 2 Supported Hardware Features 5 Supported Cisco IOS Features 5 MPLS Guidelines and Restrictions 7 PFC3BXL and PFC3B Mode MPLS Supported C...

Page 14: ...N Routing and Forwarding Instance 9 Configuring Multicast VRF Routing 15 Configuring Interfaces for Multicast Routing to Support MVPN 20 Sample Configurations for MVPN 22 MVPN Configuration with Default MDTs Only 22 MVPN Configuration with Default and Data MDTs 24 Configuring IP Unicast Layer 3 Switching 1 Understanding How Layer 3 Switching Works 2 Understanding Hardware Layer 3 Switching 2 Under...

Page 15: ...Understanding How IPv4 Multicast Layer 3 Switching Works 1 IPv4 Multicast Layer 3 Switching Overview 2 Multicast Layer 3 Switching Cache 2 Layer 3 Switched Multicast Packet Rewrite 3 Partially and Completely Switched Flows 4 Non RPF Traffic Processing 5 Multicast Boundary 7 Understanding How IPv4 Bidirectional PIM Works 7 Default IPv4 Multicast Layer 3 Switching Configuration 7 IPv4 Multicast Laye...

Page 16: ...rectional PIM Information 25 Using IPv4 Debug Commands 27 Clearing IPv4 Multicast Layer 3 Switching Statistics 27 Redundancy for Multicast Traffic 28 Configuring MLDv2 Snooping for IPv6 Multicast Traffic 1 Understanding How MLDv2 Snooping Works 2 MLDv2 Snooping Overview 2 MLDv2 Messages 3 Source Based Filtering 3 Explicit Host Tracking 3 MLDv2 Snooping Proxy Reporting 4 Joining an IPv6 Multicast G...

Page 17: ... Querier Configuration Guidelines and Restrictions 8 Enabling the IGMP Snooping Querier 9 Configuring IGMP Snooping 9 Enabling IGMP Snooping 10 Configuring a Static Connection to a Multicast Receiver 11 Configuring a Multicast Router Port Statically 11 Configuring the IGMP Snooping Query Interval 11 Enabling IGMP Fast Leave Processing 12 Configuring Source Specific Multicast SSM Mapping 12 Enablin...

Page 18: ...onfiguring Unicast RPF Check 3 Understanding Cisco IOS ACL Support 1 Cisco IOS ACL Configuration Guidelines and Restrictions 1 Hardware and Software ACL Support 2 Configuring IPv6 Address Compression 3 Optimized ACL Logging with a PFC3 5 Understanding OAL 5 OAL Guidelines and Restrictions 5 Configuring OAL 6 Guidelines and Restrictions for Using Layer 4 Operators in ACLs 7 Determining Layer 4 Oper...

Page 19: ... PFC3 23 Monitoring Packet Drop Statistics 24 Displaying Rate Limiter Information 26 Understanding How Control Plane Policing Works 28 CoPP Default Configuration 28 CoPP Configuration Guidelines and Restrictions 28 Configuring CoPP 29 Monitoring CoPP 31 Defining Traffic Classification 32 Traffic Classification Overview 32 Traffic Classification Guidelines 33 Sample Basic ACLs for CoPP Traffic Clas...

Page 20: ...ces 14 Configuring the DHCP Snooping Database Agent 14 Configuration Examples for the Database Agent 15 Displaying a Binding Table 18 Configuring Dynamic ARP Inspection 1 Understanding DAI 1 Understanding ARP 2 Understanding ARP Spoofing Attacks 2 Understanding DAI and ARP Spoofing Attacks 2 Interface Trust States and Network Security 3 Rate Limiting of ARP Packets 4 Relative Priority of ARP ACLs ...

Page 21: ...PFC QoS 1 Understanding How PFC QoS Works 2 Port Types Supported by PFC QoS 2 Overview 2 Component Overview 6 Understanding Classification and Marking 17 Policers 20 Understanding Port Based Queue Types 23 PFC QoS Default Configuration 30 PFC QoS Global Settings 30 Default Values With PFC QoS Enabled 31 Default Values With PFC QoS Disabled 50 PFC QoS Configuration Guidelines and Restrictions 50 Ge...

Page 22: ...iguring the Ingress LAN Port CoS Value 93 Configuring Standard Queue Drop Threshold Percentages 93 Mapping QoS Labels to Queues and Drop Thresholds 99 Allocating Bandwidth Between Standard Transmit Queues 109 Setting the Receive Queue Size Ratio 111 Configuring the Transmit Queue Size Ratio 112 Common QoS Scenarios 113 Sample Network Design Overview 113 Classifying Traffic from PCs and IP Phones i...

Page 23: ...Globally 18 Enabling Queueing Only Mode 19 Configuring a Class Map to Classify MPLS Packets 20 Configuring the MPLS Packet Trust State on Ingress Ports 22 Configuring a Policy Map 23 Displaying a Policy Map 28 Configuring PFC3BXL or PFC3B Mode MPLS QoS Egress EXP Mutation 29 Configuring EXP Value Maps 31 MPLS DiffServ Tunneling Modes 32 Short Pipe Mode 32 Uniform Mode 33 MPLS DiffServ Tunneling Re...

Page 24: ...olicy 4 NAC Layer 2 IP Validation 4 Configuring NAC 12 Default NAC Configuration 12 NAC Layer 2 IP Guidelines Limitations and Restrictions 12 Configuring NAC Layer 2 IP Validation 13 Configuring EAPoUDP 17 Configuring Identity Profiles and Policies 17 Configuring a NAC AAA Down Policy 18 Monitoring and Maintaining NAC 22 Clearing Table Entries 22 Displaying NAC Information 22 Configuring IEEE 802 ...

Page 25: ...he 802 1X Configuration to the Default Values 15 Displaying 802 1X Status 16 Configuring Port Security 1 Understanding Port Security 1 Port Security with Dynamically Learned and Static MAC Addresses 2 Port Security with Sticky MAC Addresses 3 Default Port Security Configuration 3 Port Security Guidelines and Restrictions 3 Configuring Port Security 4 Enabling Port Security 5 Configuring the Port S...

Page 26: ...be Message Interval 5 Displaying Disabled LAN Interfaces 5 Displaying UDLD Neighbor Interfaces 5 Resetting Disabled LAN Interfaces 5 Configuring NetFlow 1 Understanding NetFlow 1 NetFlow Overview 2 NetFlow on the MSFC 2 NetFlow on the PFC 3 Default NetFlow Configuration 5 NetFlow Configuration Guidelines and Restrictions 5 Configuring NetFlow 6 Configuring NetFlow on the PFC 6 Configuring NetFlow ...

Page 27: ... Guidelines and Restrictions 10 VSPAN Guidelines and Restrictions 11 RSPAN Guidelines and Restrictions 11 ERSPAN Guidelines and Restrictions 12 Configuring Local SPAN RSPAN and ERSPAN 14 Configuring Destination Port Permit Lists Optional 14 Configuring Local SPAN 15 Configuring RSPAN 16 Configuring ERSPAN 19 Configuring Source VLAN Filtering for Local SPAN and RSPAN 24 Configuring a Destination Po...

Page 28: ...stics 1 Understanding How Online Diagnostics Work 1 Configuring Online Diagnostics 2 Setting Bootup Online Diagnostics Level 2 Configuring On Demand Online Diagnostics 3 Scheduling Online Diagnostics 4 Configuring Health Monitoring Diagnostics 5 Running Online Diagnostic Tests 5 Starting and Stopping Online Diagnostic Tests 6 Displaying Online Diagnostic Tests and Test Results 7 Performing Memory ...

Page 29: ... Forwarding Engine Tests 7 TestNewIndexLearn 7 TestDontConditionalLearn 7 TestBadBpduTrap 8 TestMatchCapture 8 TestStaticEntry 9 DFC Layer 2 Forwarding Engine Tests 9 TestDontLearn 9 TestNewLearn 10 TestIndexLearn 10 TestConditionalLearn 11 TestTrap 11 TestBadBpdu 12 TestProtocolMatchChannel 13 TestCapture 13 TestStaticEntry 14 PFC Layer 3 Forwarding Engine Tests 14 TestFibDevices 14 TestIPv4FibSh...

Page 30: ...ssSpan 25 Fabric Tests 26 TestFabricSnakeForward 26 TestFabricSnakeBackward 27 TestSynchedFabChannel 27 TestFabricCh0Health 28 TestFabricCh1Health 28 Exhaustive Memory Tests 28 TestFibTcamSSRAM 29 TestAsicMemory 29 TestAclQosTcam 30 TestNetflowTcam 30 TestQoSTcam 30 IPSEC Services Modules Tests 32 TestIPSecClearPkt 32 TestHapiEchoPkt 32 TestIPSecEncryptDecryptPkt 33 Stress Tests 33 TestTrafficStre...

Page 31: ...Contents 29 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 TestFirmwareDiagStatus 36 A P P E N D I X A Acronyms 1 I N D E X ...

Page 32: ...ries routers Related Documentation The following publications are available for the Cisco 7600 series routers Cisco 7600 Series Router Installation Guide Cisco 7600 Series Router Module Installation Guide Cisco IOS Master Command List Release 12 2SX Cisco 7600 Series Router Cisco IOS System Message Guide Release Notes for Cisco IOS Release 12 2SX on the Supervisor Engine 720 Supervisor Engine 32 a...

Page 33: ..._installation_and_configuratio n_guides_list html For information about MIBs go to this URL http www cisco com public sw center netmgmt cmtk mibs shtml Conventions This document uses the following conventions Convention Description boldface font Commands command options and keywords are in boldface italic font Arguments for which you supply values are in italics Elements in square brackets are opt...

Page 34: ... which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service and Cisco currently supports RSS Version 2 0 Tip For...

Page 35: ...chassis modules and software features supported by the Cisco 7600 series routers refer to the Release Notes for Cisco IOS Release 12 2SX on the Supervisor Engine 720 Supervisor Engine 32 and Supervisor Engine 2 User Interfaces Release 12 2SX supports configuration using the following interfaces CLI See Chapter 2 Command Line Interfaces SNMP Refer to the Release 12 2 IOS Configuration Fundamentals ...

Page 36: ... accessing the router web page is the enable level password of the router Command Purpose Step 1 Router dir device_name Displays the contents of the device If you are installing Embedded CiscoView for the first time or if the CiscoView directory is empty skip to Step 4 Step 2 Router delete device_name cv Removes existing files from the CiscoView directory Step 3 Router squeeze device_name Recovers...

Page 37: ... Features Supported in Hardware by the PFC3 PFC2 DFC3 and DFC The PFC3 PFC2 DFC3 and DFC provide hardware support for these Cisco IOS software features Access Control Lists ACLs for Layer 3 ports and VLAN interfaces Permit and deny actions of input and output standard and extended ACLs Note Flows that require ACL logging are processed in software on the MSFC Except on MPLS interfaces reflexive ACL...

Page 38: ... provides TCAM support for the authentication policy Port to Application Mapping PAM PAM is done in software on the MSFC To configure firewall features see Chapter 44 Configuring the Cisco IOS Firewall Feature Set Hardware assisted NetFlow Aggregation See Understanding NDE section on page 51 2 Software Features Supported in Hardware by the PFC3 and DFC3 The PFC3 and DFC3 provide hardware support f...

Page 39: ...red with the tunnel key command GRE Tunneling and IP in IP Tunneling The PFC3 and DFC3s support the following tunnel commands tunnel destination tunnel mode gre tunnel mode ipip tunnel source tunnel ttl tunnel tos Other supported types of tunneling run in software on the MSFC3 The tunnel ttl command default 255 sets the TTL of encapsulated packets The tunnel tos command if present sets the ToS byt...

Page 40: ...ace uses one internal VLAN Each tunnel interface uses one additional router MAC address entry per router MAC address The PFC3A does not support any PFC QoS features on tunnel interfaces The PFC3B and PFC3BXL support PFC QoS features on tunnel interfaces The MSFC3 supports tunnels configured with egress features on the tunnel interface Examples of egress features are output Cisco IOS ACLs NAT for i...

Page 41: ...html The Release 12 2 publications at this URL http www cisco com en US products sw iosswrel ps1835 products_installation_and_configuratio n_guides_list html This chapter consists of these sections Accessing the CLI page 2 2 Performing Command Line Processing page 2 3 Performing History Substitution page 2 4 Cisco IOS Command Modes page 2 4 Displaying a List of Cisco IOS Commands and Syntax page 2...

Page 42: ...dule Installation Guide for console interface cable connection procedures To make a console connection perform this task After making a console connection you see this display Press Return for Console prompt Router enable Password Router Accessing the CLI through Telnet Note Before you can make a Telnet connection to the router you must configure an IP address see the Configuring IPv4 Routing and ...

Page 43: ...keyboard shortcuts for entering and editing commands Command Purpose Step 1 telnet hostname ip_addr Makes a Telnet connection from the remote host to the router you want to access Step 2 Password password Router Initiates authentication Note If no password has been configured press Return Step 3 Router enable Initiates enable mode enable Step 4 Password password Router Completes enable mode enable...

Page 44: ...o all commands you must enter privileged EXEC mode Normally you must type in a password to access privileged EXEC mode From privileged EXEC mode you can type in any EXEC command or access global configuration mode The configuration modes allow you to make changes to the running configuration If you later save the configuration these commands are stored across reboots You must start at global confi...

Page 45: ... begin with a particular character sequence type in those characters followed by the question mark Do not include a space This form of help is called word help because it completes a word for you Router co collect configure connect copy Table 2 3 Frequently Used Cisco IOS Command Modes Mode Description of Use How to Access Prompt User EXEC Connect to remote devices change terminal settings on a te...

Page 46: ...ur network or compromise your network security You can create a strong and flexible security scheme for your router by configuring one or more of these security features Protecting access to privileged EXEC commands At a minimum you should configure separate passwords for the user EXEC and privileged EXEC enable IOS command modes You can further increase the level of security by configuring userna...

Page 47: ...ut securing the CLI see Cisco IOS Security Configuration Guide Securing User Services Release 12 2SX at this URL http www cisco com en US docs ios sec_user_services configuration guide 12_2sx sec_securing_use r_services_12 2sx_book html ROM Monitor Command Line Interface The ROM monitor is a ROM based program that executes upon platform power up reset or when a fatal exception occurs The router en...

Page 48: ...8 Chapter 2 Command Line Interfaces ROM Monitor Command Line Interface Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 49: ...r complete syntax and usage information for the commands used in this chapter refer to these publications The Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html The Release 12 2 publications at this URL http www cisco com en US products sw iosswrel ps1835 products_installation_and_configuratio n_guides_list html This chapter...

Page 50: ... Server page 3 14 Using the Setup Facility or the setup Command These sections describe the setup facility and the setup command Setup Overview page 3 2 Configuring the Global Parameters page 3 3 Configuring Interfaces page 3 8 Setup Overview At initial startup the router automatically defaults to the setup facility The setup command facility functions exactly the same as a completely unconfigured...

Page 51: ...parameters follow these steps Step 1 Connect a console terminal to the console interface on the supervisor engine and then boot the system to the user EXEC prompt Router The following display appears after you boot the Cisco 7600 series router depending on your configuration your display might not exactly match the example System Bootstrap Version 6 1 2 Copyright c 1994 2000 by cisco Systems Inc c...

Page 52: ...ricted Rights clause at FAR sec 52 227 19 and subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS sec 252 227 7013 cisco Systems Inc 170 West Tasman Drive San Jose California 95134 1706 Cisco Internetwork Operating System Software IOS tm MSFC2 Software C6MSFC2 BOOT M Version 12 1 3a E4 EARLY DEPLOYMENT R ELEASE SOFTWARE fc1 Copyright c 1986 2000 by cisco Syste...

Page 53: ...yes response displayed during the setup facility shows a router at first time startup that is nothing has been configured Current interface summary Interface IP Address OK Method Status Protocol Vlan1 unassigned YES TFTP administratively down down GigabitEthernet1 1 unassigned YES TFTP administratively down down GigabitEthernet1 2 unassigned YES TFTP administratively down down GigabitEthernet3 1 u...

Page 54: ...r Step 4 Enter the enable secret password when the following is displayed remember this password for future reference The enable secret is a password used to protect access to privileged EXEC and configuration modes This password after entered becomes encrypted in the configuration Enter enable secret barney Step 5 Enter the enable password when the following is displayed remember this password fo...

Page 55: ... IP and then select EIGRP Configure IP yes Configure EIGRP routing yes Your IGRP autonomous system number 1 301 Step 8 Enter yes or no to accept or refuse SNMP management Configure SNMP Network Management yes Community string public For complete SNMP information and procedures refer to these publications Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 Cisco IOS System Managem...

Page 56: ...itional interface configuration information on each of the modules available refer to the individual configuration notes that shipped with your modules Note The examples in this section are intended as examples only Your configuration might look differently depending on your system configuration To configure interfaces follow these steps Step 1 At the prompt for the Gigabit Ethernet interface conf...

Page 57: ...onfiguration mode and use the configure command Check the current state of the router using the show version command which displays the software version and the interfaces as follows Router show version Cisco Internetwork Operating System Software IOS tm c6sup2_rp Software c6sup2_rp JSV M Version 12 1 5c EX EARLY DEPLOY Synced to mainline version 12 1 5c TAC Home Software Ios General CiscoIOSRoadm...

Page 58: ...e mode The prompt will change to the privileged EXEC prompt as follows Router Step 4 At the prompt enter the configure terminal command to enter configuration mode as follows Router configure terminal Enter configuration commands one per line End with CNTL Z Router config At the prompt enter the interface type slot interface command to enter interface configuration mode as follows Router config in...

Page 59: ...255 255 255 224 output truncated line con 0 exec timeout 0 0 transport input none line vty 0 4 exec timeout 0 0 password lab login transport input lat pad mop telnet rlogin udptn nasi end Router Saving the Running Configuration Settings To store the configuration or changes to your startup configuration in NVRAM enter the copy running config startup config command at the privileged EXEC prompt as ...

Page 60: ...CMP redirect cache is empty Router Configuring a Static Route If your Telnet station or SNMP network management workstation is on a different network from your router and a routing protocol has not been configured you might need to add a static routing table entry for the network where your end station is located To configure a static route perform this task This example shows how to use the ip ro...

Page 61: ... mop telnet rlogin udptn nasi end Router This example shows how to use the ip route command to configure a static route to a workstation at IP address 171 20 5 3 on the router with subnet mask and connected over VLAN 1 Router configure terminal Router config ip route 171 20 5 3 255 255 255 255 vlan 1 Router config end Router This example shows how to use the show running config command to confirm ...

Page 62: ...t is not already installed Step 2 Determine the MAC address from the label on the chassis Step 3 Add an entry in the BOOTP configuration file usually usr etc bootptab for each router Press Return after each entry to create a blank line between each entry See the example BOOTP configuration file that follows in Step 4 Step 4 Enter the reload command to reboot and automatically request the IP addres...

Page 63: ...and Privilege Level Configuration section on page 3 19 Using the enable password and enable secret Commands To provide an additional layer of security particularly for passwords that cross the network or that are stored on a TFTP server you can use either the enable password or enable secret commands Both commands configure an encrypted password that you must enter to access enable mode the defaul...

Page 64: ...lay the password or access level configuration see the Displaying the Password Access Level and Privilege Level Configuration section on page 3 19 Setting or Changing a Line Password To set or change a password on a line perform this task To display the password or access level configuration see the Displaying the Password Access Level and Privilege Level Configuration section on page 3 19 Setting...

Page 65: ...IOS software to encrypt passwords perform this task Encryption occurs when the current configuration is written or when a password is configured Password encryption is applied to all passwords including authentication key passwords the privileged command password console and virtual terminal line access passwords and Border Gateway Protocol BGP neighbor passwords The service password encryption co...

Page 66: ... Privilege Level for a Command To set the privilege level for a command perform this task To display the password or access level configuration see the Displaying the Password Access Level and Privilege Level Configuration section on page 3 19 Changing the Default Privilege Level for Lines To change the default privilege level for a given line or a group of lines perform this task To display the p...

Page 67: ...assword follow these steps Step 1 Connect to the console interface Step 2 Configure the router to boot up without reading the configuration memory NVRAM Step 3 Reboot the system Step 4 Access enable mode which can be done without a password when one is not configured Step 5 View or change the password or erase the configuration Step 6 Reconfigure the router to boot up and read the NVRAM as it norm...

Page 68: ... mode or loads the supervisor engine software Two user configurable parameters determine how the router boots the configuration register and the BOOT environment variable The configuration register is described in the Modifying the Boot Field and Using the boot Command section on page 3 22 The BOOT environment variable is described in the Specifying the Startup System Image section on page 3 24 Un...

Page 69: ... select a boot source and default boot filename To enable or disable the Break function To control broadcast addresses To set the console terminal baud rate To load operating software from flash memory To recover a lost password To allow you to manually boot the system using the boot command at the bootstrap program prompt To force an automatic boot from the system bootstrap software boot image or...

Page 70: ...y or enter the command and include additional boot instructions such as the name of a file stored in flash memory or a file that you specify for booting from a network server If you use the boot command without specifying a file or any other boot instructions the system boots from the default flash image the first image in onboard flash memory Otherwise you can instruct the system to boot from a s...

Page 71: ... exit configuration mode The new value settings are saved to memory however the new settings do not take effect until the system software is reloaded by rebooting the system Step 5 Enter the show version EXEC command to display the configuration register value currently in effect and that will be used at the next reload The value is displayed on the last line of the screen display as in this examp...

Page 72: ...pecifying the Startup System Image You can enter multiple boot commands in the startup configuration file or in the BOOT environment variable to provide backup methods for loading a system image Note Store the system software image in the sup bootflash disk0 or disk1 device only Supervisor Engine 720 has disk1 A non ATA Flash PC card in a Supervisor Engine 2 is slot0 Non ATA Flash PC cards are too...

Page 73: ... the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 Cisco IOS File Management Loading and Maintaining System Images at this URL http www cisco com en US docs ios 12_2 configfun configuration guide fcf008 html Step 2 Configure the system to boot automatically from the file in flash memory You might need to change the configuration register value See the Modifying the Boot Fie...

Page 74: ... the Modifying Downloading and Maintaining Configuration Files chapter of the Configuration Fundamentals Configuration Guide for details on setting the CONFIG_FILE variable Note When you use the boot system global configuration command you affect only the running configuration You must save the environment variable setting to your startup configuration to place the information under ROM monitor co...

Page 75: ...ty page 4 2 Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html With a 3 slot chassis install the Supervisor Engine 720 in either slot 1 or 2 With a 6 slot or a 9 slot chassis install the Supervisor Engine 720 in either slot 5 or...

Page 76: ...sk1 Configuring Supervisor Engine 720 Ports Supervisor Engine 720 port 1 has a small form factor pluggable SFP connector and has no unique configuration options Supervisor Engine 720 port 2 has an RJ 45 connector and an SFP connector default To use the RJ 45 connector you must change the configuration To configure port 2 on a Supervisor Engine 720 to use either the RJ 45 connector or the SFP conne...

Page 77: ... as the ingress port the DFC3 forwards the packet locally the packet never leaves the module If the egress port is on a different fabric enabled module the DFC3 sends the packet to the egress module which sends it out the egress port If the egress port is on a different nonfabric enabled module the DFC3 sends the packet to the Supervisor Engine 720 The Supervisor Engine 720 fabric interface transf...

Page 78: ...ated command To configure how many fabric enabled modules must be installed before they use truncated mode instead of bus mode enter the fabric switching mode allow truncated threshold number command To return to the default truncated mode threshold enter the no fabric switching mode allow truncated threshold command Monitoring the Switch Fabric Functionality The switch fabric functionality suppor...

Page 79: ...Displaying Fabric Channel Switching Modes To display the fabric channel switching mode of one or all modules perform this task This example shows how to display the fabric channel switching mode of module 2 Router show fabric switching mode module 2 Module Slot Switching Mode 2 dCEF Router This example shows how to display the fabric channel switching mode of all modules Router show fabric switchi...

Page 80: ...OK 5 0 8G OK Up Timeout 6 0 20G OK Up BufError 8 0 8G OK OK 8 1 8G OK OK 9 0 8G Down DDRsync OK Router Displaying the Fabric Utilization To display the fabric utilization of one or all modules perform this task This example shows how to display the fabric utilization of all modules Router show fabric utilization all Lo Percentage of Low priority traffic Hi Percentage of High priority traffic slot ...

Page 81: ... on all modules Router show fabric errors Module errors slot channel crc hbeat sync DDR sync 1 0 0 0 0 0 8 0 0 0 0 0 8 1 0 0 0 0 9 0 0 0 0 0 Fabric errors slot channel sync buffer timeout 1 0 0 0 0 8 0 0 0 0 8 1 0 0 0 9 0 0 0 0 Router Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US produc...

Page 82: ...4 8 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 4 Configuring a Supervisor Engine 720 Configuring and Monitoring the Switch Fabric Functionality ...

Page 83: ...pervisor Engine 32 has a PFC3B and operates in PFC3B mode The Supervisor Engine 32 is supported in the WS 6503 and WS 6503 E 3 slot chassis but not the CISCO7603 chassis With a 3 slot or a 4 slot chassis install the Supervisor Engine 32 in either slot 1 or 2 With a 6 slot or a 9 slot chassis install the Supervisor Engine 32 in either slot 5 or 6 With a 13 slot chassis install the Supervisor Engine...

Page 84: ...32 Ports The console port for the Supervisor Engine 32 port is an EIA TIA 232 RS 232 port The Supervisor Engine 32 also has two Universal Serial Bus USB 2 0 ports that are not currently enabled WS SUP32 GE 3B ports 1 through 8 have small form factor pluggable SFP connectors and port 9 is a 10 100 1000 Mbps RJ 45 port WS SUP32 10GE ports 1 and 2 are 10 Gigabit Ethernet ports that accept XENPAKs and...

Page 85: ...upervisor Engine 2 page 6 1 Understanding How the Switch Fabric Module Works page 6 2 Configuring the Switch Fabric Module page 6 3 Monitoring the Switch Fabric Module page 6 5 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 86: ...lization software revision and basic system information Switch Fabric Module Slots With a 13 slot chassis install the Switch Fabric Modules in either slot 7 or 8 Note In a 13 slot chassis only slots 9 through 13 support dual switch fabric interface switching modules for example WS X6816 GBIC With all other chassis install the Switch Fabric Modules in either slot 5 or 6 Switch Fabric Redundancy The...

Page 87: ...ct version of the DBus header is forwarded over the switch fabric channel which provides the best possible performance Truncated mode The router uses this mode for traffic between fabric enabled modules when there are both fabric enabled and nonfabric enabled modules installed In this mode the router sends a truncated version of the traffic the first 64 bytes of the frame over the switch fabric ch...

Page 88: ...command power is removed from any nonfabric enabled modules installed in the router To allow fabric enabled modules to use truncated mode enter the fabric switching mode allow truncated command To prevent fabric enabled modules from using truncated mode enter the no fabric switching mode allow truncated command To configure how many fabric enabled modules must be installed before they use truncate...

Page 89: ...odules only the supervisor engine remains active Configuring an LCD Message To configure a message for display on the LCD perform this task When configuring a message for display on the LCD note the following information The d parameter is a delimiting character You cannot use the delimiting character in the message The delimiter is a character of your choice a pound sign for example You can use t...

Page 90: ...OS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 6 Configuring the Supervisor Engine 2 and the Switch Fabric Module Monitoring the Switch Fabric Module Note The Switch Fabric Module does not require any user configuration ...

Page 91: ...y status perform this task This example shows how to display the switch fabric module redundancy status Router show fabric active Active fabric card in slot 5 No backup fabric card in the system Router Displaying Fabric Channel Switching Modes To display the fabric channel switching mode of one or all modules perform this task This example shows how to display the fabric channel switching mode of ...

Page 92: ... 4 0 OK OK Router Displaying the Fabric Utilization To display the fabric utilization of one or all modules perform this task This example shows how to display the fabric utilization of all modules Router show fabric utilization all slot channel Ingress Egress 1 0 0 0 3 0 0 0 3 1 0 0 4 0 0 0 4 1 0 0 6 0 0 0 6 1 0 0 7 0 0 0 7 1 0 0 Router Displaying Fabric Errors To display fabric errors of one or ...

Page 93: ... errors on all modules Router show fabric errors slot channel module module module fabric crc hbeat sync sync 1 0 0 0 0 0 3 0 0 0 0 0 3 1 0 0 0 0 4 0 0 0 0 0 4 1 0 0 0 0 6 0 0 0 0 0 6 1 0 0 0 0 7 0 0 0 0 0 7 1 0 0 0 0 Router Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw rout...

Page 94: ...10 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 6 Configuring the Supervisor Engine 2 and the Switch Fabric Module Monitoring the Switch Fabric Module ...

Page 95: ...es All releases support RPR and RPR see Chapter 8 Configuring RPR and RPR Supervisor Engine Redundancy NSF with SSO does not support IPv6 multicast traffic This chapter consists of these sections Understanding NSF with SSO Supervisor Engine Redundancy page 7 1 Supervisor Engine Configuration Synchronization page 7 9 NSF Configuration Tasks page 7 11 Copying Files to the Redundant Supervisor Engine...

Page 96: ...llowing a redundant supervisor engine to take over if the primary supervisor engine fails Cisco NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover while continuing to forward IP packets Cisco 7600 series routers also support route processor redundancy RPR route processor redundancy plus RPR and single router mode with stateful switchover ...

Page 97: ... support NSF it will rebuild routing information from NSF aware or NSF capable neighbors Each protocol depends on CEF to continue forwarding packets during switchover while the routing protocols rebuild the Routing Information Base RIB tables After the routing protocols have converged CEF updates the FIB table and removes stale route entries CEF then updates the line cards with the new FIB informa...

Page 98: ...ets are leaked to the router during switchover so that the protocols can converge Because the traffic does not need to be forwarded by software for control driven protocols such as bidirectional PIM the router will continue to leak packets using the old cache for these protocols The router builds the mroute cache and installs the shortcuts in hardware After the new routes are learned a timer is tr...

Page 99: ...lish a BGP session with the NSF capable device This function will allow interoperability with non NSF aware BGP peers and without NSF functionality but the BGP session with non NSF aware BGP peers will not be graceful restart capable Note BGP support in NSF requires that neighbor networking devices be NSF aware that is the devices must have the graceful restart capability and advertise that capabi...

Page 100: ...posed standard Note If you configure IETF on the networking device but neighbor routers are not IETF compatible NSF will abort following a switchover If the neighbor routers on a network segment are not NSF aware you must use the Cisco configuration option The Cisco IS IS configuration transfers both protocol adjacency and link state information from the active to the redundant supervisor engine A...

Page 101: ...NSF restart will not be attempted by IS IS until the interval time expires This functionality prevents IS IS from attempting back to back NSF restarts EIGRP Operation When an EIGRP NSF capable router initially comes back up from an NSF restart it has no neighbor and its topology table is empty The router is notified by the redundant now active supervisor engine when it needs to bring up the interf...

Page 102: ...onvergence signal and then floods its topology table to all awaiting NSF aware peers NSF Benefits and Restrictions Cisco NSF provides these benefits Improved network availability NSF continues forwarding network traffic and application state information so that user session information is maintained after a switchover Overall network stability Network stability may be improved with the reduction i...

Page 103: ...oring devices participating in BGP NSF must be NSF capable and configured for BGP graceful restart OSPF NSF for virtual links is not supported All OSPF networking devices on the same network segment must be NSF aware running an NSF software image For IETF IS IS all neighboring devices must be running an NSF aware software image IPv4 Multicast NSF with SSO is supported by the PFC3 only The underlyi...

Page 104: ...nfig file to the startup config file on the active supervisor engine to trigger synchronization of the startup config file on the redundant supervisor engine Supervisor engine switchover takes place after the failed supervisor engine completes a core dump A core dump can take up to 15 minutes To get faster switchover time disable core dump on the supervisor engines With a Supervisor Engine 720 and...

Page 105: ...lowing configuration restrictions apply during the startup synchronization process You cannot perform configuration changes during the startup bulk synchronization If you attempt to make configuration changes during this process the following message is generated Config mode locked out till standby initializes If configuration changes occur at the same time as a supervisor engine switchover these ...

Page 106: ... state 8 STANDBY HOT Mode Duplex Unit Primary Unit ID 5 Redundancy Mode Operational sso Redundancy Mode Configured sso Split Mode Disabled Manual Swact Enabled Communications Up client count 29 client_notification_TMR 30000 milliseconds keep_alive TMR 9000 milliseconds keep_alive count 1 keep_alive threshold 18 RF debug mask 0x0 Router Configuring Multicast MLS NSF with SSO Note The commands in th...

Page 107: ... router show cef state CEF Status RP CEF enabled running dCEF enabled running CEF switching enabled running CEF default capabilities Always FIB switching yes Default CEF switching yes Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config mls ip multicast sso convergence time time Specifies the maximum time to wait for protocol convergence valid valu...

Page 108: ...ful restart function is configured on the SSO enabled networking device and on the neighbor devices To verify follow these steps Step 1 Verify that bgp graceful restart appears in the BGP configuration of the SSO enabled router by entering the show running config command Router show running config router bgp 120 Command Purpose Step 1 Router configure terminal Enters global configuration mode Step...

Page 109: ...iy IPv4 Multicast advertised and received Graceful Restart Capabilty advertised and received Remote Restart timer is 120 seconds Address families preserved by peer IPv4 Unicast IPv4 Multicast Received 1539 messages 0 notifications 0 in queue Sent 1544 messages 0 notifications 0 in queue Default minimum time between advertisement runs is 30 seconds Configuring OSPF NSF Note All peer devices partici...

Page 110: ... of areas in this router is 1 1 normal 0 stub 0 nssa External flood list length 0 Non Stop Forwarding enabled last NSF restart 00 02 06 ago took 44 secs Area BACKBONE 0 Number of interfaces in this area is 1 0 loopback Area has no authentication SPF algorithm executed 3 times Configuring IS IS NSF To configure IS IS NSF perform this task Command Purpose Step 1 Router configure terminal Enters glob...

Page 111: ... restart enabled router show isis nsf NSF is ENABLED mode cisco RP is ACTIVE standby ready bulk sync complete NSF interval timer expired NSF restart enabled Checkpointing enabled no errors Local state ACTIVE Peer state STANDBY HOT Mode SSO The following display shows sample output for the Cisco configuration on the standby RP In this example note the presence of NSF restart enabled router show isi...

Page 112: ...estart retransmissions 0 Maximum L1 NSF Restart retransmissions 3 L1 NSF ACK requested FALSE L1 NSF CSNP requested FALSE NSF L2 Restart state Running NSF p2p Restart retransmissions 0 Maximum L2 NSF Restart retransmissions 3 L2 NSF ACK requested FALSE Interface GigabitEthernet2 0 0 NSF L1 Restart state Running NSF L1 Restart retransmissions 0 Maximum L1 NSF Restart retransmissions 3 L1 NSF ACK req...

Page 113: ...is eigrp 100 Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates EIGRP metric weight K1 1 K2 0 K3 1 K4 0 K5 0 EIGRP maximum hopcount 100 EIGRP maximum metric variance 1 Redistributing eigrp 100 EIGRP NSF aware route hold timer is 240s EIGRP NS...

Page 114: ...upervisor Engine Enter this command to copy a file to the disk0 device on a redundant supervisor engine Router copy source_device source_filename slavedisk0 target_filename Enter this command to copy a file to the bootflash device on a redundant supervisor engine Router copy source_device source_filename slavesup bootflash target_filename Enter this command to copy a file to the bootflash device o...

Page 115: ...18 SXE and later releases RPR and RPR support IPv6 multicast traffic Release 12 2 18 SXD and later releases support nonstop forwarding NSF with stateful switchover SSO on all supervisor engines see Chapter 7 Configuring NSF with SSO Supervisor Engine Redundancy This chapter consists of these sections Understanding RPR and RPR page 8 2 Supervisor Engine Redundancy Guidelines and Restrictions page 8...

Page 116: ...nchronization between active and redundant supervisor engines Hardware signals that detect and decide the active or redundant status of supervisor engines Clock synchronization every 60 seconds from the active to the redundant supervisor engine A redundant supervisor engine that is booted but not all subsystems are up if the active supervisor engine fails the redundant supervisor engine become ful...

Page 117: ...ional RPR enhances RPR by providing the following additional benefits Reduced switchover time Depending on the configuration the switchover time is 30 or more seconds Installed modules are not reloaded Because both the startup configuration and the running configuration are continually synchronized from the active to the redundant supervisor engine installed modules are not reloaded during a switc...

Page 118: ...ly initialized it only interacts with the active supervisor engine to receive incremental changes to the configuration files as they occur You cannot enter CLI commands on the redundant supervisor engine Supervisor Engine Redundancy Guidelines and Restrictions These sections describe supervisor engine redundancy guidelines and restrictions Redundancy Guidelines and Restrictions page 8 4 RPR Guidel...

Page 119: ...ssions All Automatic Protection System APS state information Both supervisor engines must run the same version of Cisco IOS software If the supervisor engines are not running the same version of Cisco IOS software the redundant supervisor engine comes online in RPR mode Supervisor engine redundancy does not support nondefault VLAN data file names or locations Do not enter the vtp file file_name co...

Page 120: ... are met the router functions in RPR mode by default Configuration Mode Restrictions The following configuration restrictions apply during the startup synchronization process You cannot perform configuration changes during the startup bulk synchronization If you attempt to make configuration changes during this process the following message is generated Config mode locked out till standby initiali...

Page 121: ...lex mode Communications Down Reason Simplex mode client count 11 client_notification_TMR 30000 milliseconds keep_alive TMR 4000 milliseconds keep_alive count 0 keep_alive threshold 7 RF debug mask 0x0 Router Synchronizing the Supervisor Engine Configurations During normal operation the startup config and config registers configuration are synchronized by default between the two supervisor engines ...

Page 122: ...ou must reload both supervisor engines FSU from EHSA is not supported To perform an FSU perform this task Command Purpose Step 1 Router copy source_device source_filename disk0 disk1 target_filename Copies the new Cisco IOS image to the disk0 device or the disk1 device on the active supervisor engine Or Router copy source_device source_filename sup bootflash target_filename Copies the new Cisco IO...

Page 123: ...ion synchronization changes have completed Step 5 Router redundancy force switchover Conducts a manual switchover to the redundant supervisor engine The redundant supervisor engine becomes the new active supervisor engine running the new Cisco IOS image The modules are reloaded and the module software is downloaded from the new active supervisor engine The old active supervisor engine reboots with...

Page 124: ... 8 Configuring RPR and RPR Supervisor Engine Redundancy Copying Files to an MSFC Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 125: ...l page 9 16 Monitoring and Maintaining Interfaces page 9 17 Checking the Cable Status Using the TDR page 9 19 Note For complete syntax and usage information for the commands used in this chapter refer to these publications The Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html The Release 12 2 publications at this URL http w...

Page 126: ... display information about a specific port or all the ports Using the Interface Command Note You use the commands described in this section to configure both physical ports and logical interfaces These procedures apply to all interface configuration processes Begin the interface configuration process in global configuration mode To use the interface command follow these steps Step 1 Enter the conf...

Page 127: ...6sup2_rp JSV M Version 12 1 5c EX EARLY DEPLOY Synced to mainline version 12 1 5c TAC Home Software Ios General CiscoIOSRoadmap 12 1 Copyright c 1986 2001 by cisco Systems Inc Compiled Wed 28 Mar 01 17 52 by hqluong Image text base 0x30008980 data base 0x315D0000 ROM System Bootstrap Version 12 1 3r E2 RELEASE SOFTWARE fc1 BOOTFLASH c6sup2_rp Software c6sup2_rp JSV M Version 12 1 5c EX EARLY DEPL ...

Page 128: ...buted to all interfaces within that range until you exit out of the interface range configuration mode To configure a range of interfaces with the same configuration perform this task When configuring a range of interfaces note the following information For information about macros see the Defining and Using Interface Range Macros section on page 9 6 You can enter up to five comma separated ranges...

Page 129: ...N Line protocol on Interface FastEthernet5 3 changed state to up Oct 6 08 24 36 LINEPROTO 5 UPDOWN Line protocol on Interface FastEthernet5 4 changed state to up Router config if This example shows how to use a comma to add different interface type strings to the range to reenable all Fast Ethernet ports in the range 5 1 to 5 5 and both Gigabit Ethernet ports 1 1 and 1 2 Router config if interface...

Page 130: ...ce range enet_list FastEthernet5 1 4 Router To use an interface range macro in the interface range command perform this task This example shows how to change to the interface range configuration mode using the interface range macro enet_list Router config interface range macro enet_list Router config if Configuring Optional Interface Features These sections describe optional interface features Con...

Page 131: ...ou decide to configure the port speed and duplex modes manually consider the following information If you set the Ethernet port speed to auto the router automatically sets the duplex mode to auto If you enter the no speed command the router automatically configures both speed and duplex to auto If you configure an Ethernet port speed to a value other than auto for example 10 100 or 1000 Mbps confi...

Page 132: ...t If you set the port speed to auto on a 10 100 Mbps or a 10 100 1000 Mbps Ethernet port both speed and duplex are autonegotiated You cannot change the duplex mode of autonegotiation ports To set the duplex mode of an Ethernet or Fast Ethernet port perform this task This example shows how to set the duplex mode to full on Fast Ethernet port 5 4 Router config interface fastethernet 5 4 Router confi...

Page 133: ... duplex mode of Fast Ethernet port 5 4 Router show interfaces fastethernet 5 4 FastEthernet5 4 is up line protocol is up Hardware is Cat6K 100Mb Ethernet address is 0050 f0ac 3058 bia 0050 f0ac 3058 MTU 1500 bytes BW 100000 Kbit DLY 100 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 sec Full duplex 100Mb s ARP type ARPA ARP Timeout 04 00 00 ...

Page 134: ...o frame support Understanding Jumbo Frame Support page 9 10 Configuring MTU Sizes page 9 12 Caution The following switching modules support a maximum ingress frame size of 8 092 bytes WS X6516 GE TX when operating at 100 Mbps WS X6148 RJ 45 WS X6148 RJ 45V and WS X6148 RJ21 WS X6148 RJ21V WS X6248 RJ 45 and WS X6248 TEL WS X6248A RJ 45 and WS X6248A TEL WS X6348 RJ 45 WS X6348 RJ45V and WS X6348 R...

Page 135: ...not configured with large enough MTU sizes if the do not fragment bit is not set the PFC sends the traffic to the MSFC to be fragmented and routed in software If the do not fragment bit is set the PFC drops the traffic Bridged and Routed Traffic Size Check at Egress 10 10 100 and 100 Mbps Ethernet Ports 10 10 100 and 100 Mbps Ethernet LAN ports configured with a nondefault MTU size transmit frames...

Page 136: ...e Configuring the Global Egress LAN Port MTU Size section on page 9 13 VLAN Interfaces You can configure a different MTU size on each Layer 3 VLAN interface Configuring a nondefault MTU size on a VLAN interface limits traffic to the nondefault MTU size You can configure the MTU size on VLAN interfaces to support jumbo frames Configuring MTU Sizes These sections describe how to configure MTU sizes ...

Page 137: ...ts on the Cisco 7600 series routers use flow control to stop the transmission of frames to the port for a specified time other Ethernet ports use flow control to respond to flow control requests If a Gigabit Ethernet or 10 Gigabit Ethernet port receive buffer becomes full the port transmits an IEEE 802 3x pause frame that requests remote ports to delay sending frames for a specified time All Ether...

Page 138: ...the following information For a Gigabit Ethernet port when the configuration of the remote ports is unknown you can use the send desired keywords to configure the Gigabit Ethernet port to send pause frames Supported only on Gigabit Ethernet ports Use the send on keywords to configure a port to send pause frames Use the send off keywords to configure a port not to send pause frames This example sho...

Page 139: ...0 milliseconds and the Debounce Timer Enabled is 1 second This example shows how to enable the port debounce timer on Fast Ethernet port 5 12 Router config interface fastethernet 5 12 Router config if link debounce Router config if end This example shows how to display the port debounce timer settings Router show interfaces debounce include enable Fa5 12 enable 3100 Command Purpose Step 1 Router c...

Page 140: ...e Cisco 7600 Series Router Installation Guide When a module has been removed or installed the Cisco 7600 series router stops processing traffic for the module and scans the system for a configuration change Each interface type is verified against the system configuration and then the system runs diagnostics on the new module There is no disruption to normal operation during module insertion or rem...

Page 141: ...To display information about the interface perform these tasks This example shows how to display the status of Fast Ethernet port 5 5 Router show protocols fastethernet 5 5 FastEthernet5 5 is up line protocol is up Router Clearing Counters on an Interface To clear the interface counters shown with the show interfaces command perform this task Command Purpose Router show ibc Displays current intern...

Page 142: ...nd Restarting an Interface You can shut down an interface which disables all functions on the specified interface and shows the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not included in any routing updates To shut down an interface and then restart it perform this task...

Page 143: ...acing an existing router upgrading to Gigabit Ethernet or installing new cables The port must be up before running the TDR test If the port is down you cannot enter the test cable diagnostics tdr command successfully and the following message is displayed Router test cable diagnostics tdr interface gigabitethernet2 12 Interface Gi2 12 is administratively down Use no shutdown to enable interface be...

Page 144: ...9 20 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 9 Configuring Interfaces Checking the Cable Status Using the TDR ...

Page 145: ...US docs ios mcl 122sxmcl 12_2sx_mcl_book html To configure Layer 3 interfaces see Chapter 22 Configuring Layer 3 Interfaces This chapter consists of these sections Understanding How Layer 2 Switching Works page 10 1 Default Layer 2 LAN Interface Configuration page 10 5 Layer 2 LAN Interface Configuration Guidelines and Restrictions page 10 5 Configuring LAN Interfaces for Layer 2 Switching page 10...

Page 146: ...7600 series router can connect to a single workstation or server or to a hub through which workstations or servers connect to the network On a typical Ethernet hub all ports connect to a common backplane within the hub and the bandwidth of the network is shared by all devices attached to the hub If two stations establish a session that uses a significant level of bandwidth the network performance ...

Page 147: ... TX WS X6548 GE 45AF WS X6148 GE TX WS X6148V GE TX WS X6148 GE 45AF 802 1Q 802 1Q is an industry standard trunking encapsulation You can configure a trunk on a single Ethernet port or on an EtherChannel For more information about EtherChannel see Chapter 12 Configuring EtherChannels Ethernet trunk ports support several trunking modes see Table 10 2 on page 10 4 You can specify whether the trunk u...

Page 148: ... 802 1Q encapsulation on the trunk link switchport trunk encapsulation negotiate Specifies that the LAN port negotiate with the neighboring LAN port to become an ISL preferred or 802 1Q trunk depending on the configuration and capabilities of the neighboring LAN port Table 10 2 Layer 2 LAN Port Modes Mode Function switchport mode access Puts the LAN port into permanent nontrunking mode and negotia...

Page 149: ...E TX WS X6148 GE 45AF Table 10 3 Layer 2 LAN Interface Default Configuration Feature Default Interface mode Before entering the switchport command Layer 3 unconfigured After entering the switchport command switchport mode dynamic desirable Trunk encapsulation switchport trunk encapsulation negotiate Allowed VLAN range VLANs 1 to 4094 except reserved VLANs see Table 14 1 on page 14 2 VLAN range eli...

Page 150: ...opology for all VLANs When you connect a Cisco router to a non Cisco router through an 802 1Q trunk the MST of the non Cisco router and the native VLAN spanning tree of the Cisco router combine to form a single spanning tree topology known as the Common Spanning Tree CST Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk non Cis...

Page 151: ...or Layer 2 is retained in the memory but not in the running configuration and is applied to the port whenever the port switches back to Layer 2 To restore the default configuration of the port in the memory and in the running configuration use the default interface command To avoid potential issues while changing the role of a port using the switchport command shut down the interface before applyi...

Page 152: ...e 10 7 before performing the tasks in this section When you enter the switchport command with no other keywords Step 3 in the previous section the default mode is switchport mode dynamic desirable and switchport trunk encapsulation negotiate To configure the Layer 2 switching port as an ISL or 802 1Q trunk perform this task When configuring the Layer 2 switching port as an ISL or 802 1Q trunk note...

Page 153: ... Configuring the Layer 2 Trunk Not to Use DTP Note Complete the steps in the Configuring a LAN Port for Layer 2 Switching section on page 10 7 before performing the tasks in this section To configure the Layer 2 trunk not to use DTP perform this task When configuring the Layer 2 trunk not to use DTP note the following information Before entering the switchport mode trunk command you must configure...

Page 154: ...guring the Access VLAN Note Complete the steps in the Configuring a LAN Port for Layer 2 Switching section on page 10 7 before performing the tasks in this section To configure the access VLAN perform this task Note Complete the steps in the Completing Trunk Configuration section on page 10 12 after performing the tasks in this section Configuring the 802 1Q Native VLAN Note Complete the steps in ...

Page 155: ...lan parameter is either a single VLAN number from 1 through 4094 or a range of VLANs described by two VLAN numbers the lesser one first separated by a dash Do not enter any spaces between comma separated vlan parameters or in dash specified ranges All VLANs are allowed by default You can remove VLAN 1 If you remove VLAN 1 from a trunk the trunk interface continues to send and receive management tr...

Page 156: ...ces as pruning ineligible Note Complete the steps in the Completing Trunk Configuration section on page 10 12 after performing the tasks in this section Completing Trunk Configuration To complete Layer 2 trunk configuration perform this task Verifying Layer 2 Trunk Configuration To verify Layer 2 trunk configuration perform this task Command Purpose Router config if switchport trunk pruning vlan n...

Page 157: ... interface fastethernet 5 8 Building configuration Current configuration interface FastEthernet5 8 no ip address switchport switchport trunk encapsulation dot1q end Router show interfaces fastethernet 5 8 switchport Name Fa5 8 Switchport Enabled Administrative Mode dynamic desirable Operational Mode trunk Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation dot1q Nego...

Page 158: ...p 2 Router config if shutdown Optional Shuts down the interface to prevent traffic flow until configuration is complete Step 3 Router config if switchport Configures the LAN port for Layer 2 switching Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords Step 4 Router config...

Page 159: ...rType field value on 802 1Q tagged or 802 1p tagged frames To configure a custom value for the EtherType field perform this task When configuring a custom EtherType field value note the following information To use a custom EtherType field value all network devices in the traffic path across the network must support the custom EtherType field value You can configure a custom EtherType field value ...

Page 160: ...es frames that are tagged with any other EtherType field value into the access VLAN If you misconfigure a custom EtherType field value frames might be placed into the wrong VLAN See the Release Notes for Cisco IOS Release 12 2SX on the Supervisor Engine 720 Supervisor Engine 32 and Supervisor Engine 2 for a list of the modules that support custom IEEE 802 1Q EtherType field values This example sho...

Page 161: ...are a pair of a Layer 2 interfaces switchports or port channels where one interface is configured to act as a backup to the other Flex Links are typically configured in service provider or enterprise networks where customers do not want to run STP Flex Links provide link level redundancy that is an alternative to Spanning Tree Protocol STP STP is automatically disabled on Flex Links interfaces To ...

Page 162: ...tion Flex Links Default Configuration page 11 2 Flex Links Configuration Guidelines and Restrictions page 11 2 Configuring Flex Links page 11 3 Flex Links Default Configuration There is no default Flex Links configuration Flex Links Configuration Guidelines and Restrictions When configuring Flex Links follow these guidelines and restrictions You can configure only one Flex Links backup link for an...

Page 163: ...iguring port security on Flex Links ports Configuring Flex Links To configure Flex Links perform this task This example shows how to configure an interface with a backup interface and how to verify the configuration Router configure terminal Router conf interface fastethernet1 1 Router conf if switchport backup interface fastethernet1 2 Router conf if exit Router show interface switchport backup R...

Page 164: ...ubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Table 11 1 Flex Links Monitoring Command Command Purpose show interface type1 slot port port channel number switchport backup 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Displays the Flex Links backup interface configured for...

Page 165: ... chapter consists of these sections Understanding How EtherChannels Work page 12 1 EtherChannel Feature Configuration Guidelines and Restrictions page 12 5 Configuring EtherChannels page 12 7 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_se...

Page 166: ...erChannel feature sends a trap that identifies the router the EtherChannel and the failed link Inbound broadcast and multicast packets on one segment in an EtherChannel are blocked from returning on any other segment of the EtherChannel Understanding How EtherChannels Are Configured These sections describe how EtherChannels are configured EtherChannel Configuration Overview page 12 2 Understanding...

Page 167: ...desirable mode can form an EtherChannel successfully with another LAN port that is in desirable mode A LAN port in desirable mode can form an EtherChannel with another LAN port in auto mode A LAN port in auto mode cannot form an EtherChannel with another LAN port that is also in auto mode because neither port will initiate negotiation Table 12 1 EtherChannel Modes Mode Description on Mode that for...

Page 168: ...g the LACP System Priority and System ID section on page 12 10 LACP uses the system priority with the router MAC address to form the system ID and also during negotiation with other systems Note The LACP system ID is the combination of the LACP system priority value and the MAC address of the router LACP port priority You must configure an LACP port priority on each port configured to use LACP The...

Page 169: ...or IP addresses EtherChannel load balancing can also use Layer 4 port numbers EtherChannel load balancing can use either source or destination or both source and destination addresses or ports The selected mode applies to all EtherChannels configured on the router EtherChannel load balancing can use MPLS Layer 2 information Use the option that provides the balance criteria with the greatest variet...

Page 170: ... in the channel For Layer 2 EtherChannels Assign all LAN ports in the EtherChannel to the same VLAN or configure them as trunks If you configure an EtherChannel from trunking LAN ports verify that the trunking mode is the same on all the trunks LAN ports in an EtherChannel with different trunk modes can operate unpredictably An EtherChannel supports the same allowed range of VLANs on all the LAN p...

Page 171: ...es for Layer 3 EtherChannels Note When configuring Layer 2 EtherChannels you cannot put Layer 2 LAN ports into manually created port channel logical interfaces If you are configuring a Layer 2 EtherChannel do not perform the procedures in this section see the Configuring Channel Groups section on page 12 8 When configuring Layer 3 EtherChannels you must manually create the port channel logical int...

Page 172: ... you must manually create the port channel logical interface first see the Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels section on page 12 7 and then put the Layer 3 LAN ports into the channel group as described in this section When configuring Layer 2 EtherChannels configure the LAN ports with the channel group command as described in this section which automatically crea...

Page 173: ...ter show running config interface fastethernet 5 6 Building configuration Current configuration interface FastEthernet5 6 no ip address switchport switchport access vlan 10 switchport mode access channel group 2 mode desirable end Step 4 Router config if channel group group_number mode active auto desirable on passive Configures the LAN port in a port channel and specifies the mode see Table 12 1 ...

Page 174: ...the configuration of port channel interface 2 after the LAN ports have been configured Router show etherchannel 12 port channel Port channels in the group Port channel Po12 Age of the Port channel 04d 18h 58m 50s Logical slot port 14 1 Number of ports 0 GC 0x00000000 HotStandBy port null Port state Port channel Ag Not Inuse Protocol PAgP Router Configuring the LACP System Priority and System ID Th...

Page 175: ... dst mac Source and destination MAC addresses src dst port Source and destination Layer 4 port src ip Source IP addresses src mac Source MAC addresses src port Source Layer 4 port This example shows how to configure EtherChannel to use source and destination IP addresses Router configure terminal Router config port channel load balance src dst ip Router config end Router config This example shows ...

Page 176: ... best results configure the same number of minimum links on both ends of the EtherChannel This example shows how to configure port channel interface 1 to be inactive if fewer than 2 member ports are active in the EtherChannel Router configure terminal Router config interface port channel 1 Router config if port channel min links 2 Router config if end Tip For additional information including confi...

Page 177: ...rmation see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How VTP Works VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs within a VTP domain A VTP domain also called a VLAN management domain is made up of one or more net...

Page 178: ...on number If you configure the router as VTP transparent you can create and modify VLANs but the changes affect only the individual router When you make a change to the VLAN configuration on a VTP server the change is propagated to all network devices in the VTP domain VTP advertisements are transmitted out all trunk connections VTP maps VLANs dynamically across multiple LAN types with unique name...

Page 179: ... a Token Ring environment you must use version 2 VTP version 2 supports the following features not supported in version 1 Token Ring support VTP version 2 supports Token Ring LAN switching and VLANs Token Ring Bridge Relay Function TrBRF and Token Ring Concentrator Relay Function TrCRF For more information about Token Ring VLANs see the Understanding How VLANs Work section on page 14 1 Unrecognize...

Page 180: ...ork Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN A broadcast is sent from the host connected to Switch 1 Switch 1 floods the broadcast and every network device in the network receives it even though Switches 3 5 and 6 have no ports in the Red VLAN You enable pruning globally on the Cisco 7600 series router see the Enabling VTP Pruning section on page 13 7 You configure pruning on L...

Page 181: ...igibility when VTP pruning is enabled or disabled for the VTP domain when any given VLAN exists or not and when the LAN port is currently trunking or not VTP Default Configuration Table 13 1 shows the default VTP configuration VTP Configuration Guidelines and Restrictions When implementing VTP in your network follow these guidelines and restrictions Supervisor engine redundancy does not support no...

Page 182: ...e pruning eligibility configuration applies globally to all trunks on the router You cannot configure pruning eligibility separately for each trunk When you configure VLANs as pruning eligible or pruning ineligible pruning eligibility for those VLANs is affected on that router only not on all network devices in the VTP domain VTPv1 and VTPv2 do not propagate configuration information for extended ...

Page 183: ...ng config file Enabling VTP Pruning To enable VTP pruning in the management domain perform this task This example shows one way to enable VTP pruning in the management domain Router configure terminal Router config vtp pruning Pruning switched ON This example shows how to enable VTP pruning in the management domain with any release Router vtp pruning Pruning switched ON This example shows how to v...

Page 184: ...TP version Do not enable VTP version 2 unless every network device in the VTP domain supports version 2 Note In a Token Ring environment you must enable VTP version 2 for Token Ring VLAN switching to function properly on devices that support Token Ring interfaces To enable VTP version 2 perform this task This example shows one way to enable VTP version 2 Router configure terminal Router config vtp...

Page 185: ...V2 Mode Disabled VTP Traps Generation Disabled MD5 digest 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80 Configuration last modified by 0 0 0 0 at 8 12 99 15 04 49 Local updater ID is 172 20 52 34 on interface Gi1 1 first interface found Router This example shows how to configure the router as a VTP client Router configuration terminal Router config vtp mode client Setting device to VTP CLIENT mode Route...

Page 186: ...ple shows how to verify the configuration Router show vtp status VTP Version 2 Configuration Revision 247 Maximum VLANs supported locally 1005 Number of existing VLANs 33 VTP Operating Mode Transparent VTP Domain Name Lab_Network VTP Pruning Mode Enabled VTP V2 Mode Disabled VTP Traps Generation Disabled MD5 digest 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80 Configuration last modified by 0 0 0 0 at 8...

Page 187: ...of V1 summary errors 0 VTP pruning statistics Trunk Join Transmitted Join Received Summary advts received from non pruning capable device Fa5 8 43071 42766 5 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 188: ...13 12 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 13 Configuring VTP Configuring VTP ...

Page 189: ...tml This chapter consists of these sections Understanding How VLANs Work page 14 1 VLAN Default Configuration page 14 6 VLAN Configuration Guidelines and Restrictions page 14 8 Configuring VLANs page 14 9 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_produc...

Page 190: ...ing Protocol VTP The extended range VLANs are not propagated so you must configure extended range VLANs manually on each network device Table 14 1 describes the VLAN ranges The following information applies to VLAN ranges Layer 3 LAN ports WAN interfaces and subinterfaces and some software features use internal VLANs in the extended range You cannot use an extended range VLAN that has been allocat...

Page 191: ...rCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs Understanding Token Ring VLANs The following section describes the two Token Ring VLAN types supported on network devices running VTP version 2 Token Ring TrBRF VLANs page 14 3 Token Ring TrCRF VLANs page 14 4 Note Cisco 7600 series routers do not support Inter Switch Link ISL encapsulated Token Ring fram...

Page 192: ...ed state For more information see the VLAN Configuration Guidelines and Restrictions section on page 14 8 To accommodate IBM System Network Architecture SNA traffic you can use a combination of SRT and SRB modes In a mixed mode the TrBRF determines that some ports logical ports connected to TrCRFs operate in SRB mode while other ports operate in SRT mode Token Ring TrCRF VLANs Token Ring Concentra...

Page 193: ... the maximum hop count you limit the maximum number of hops an explorer is allowed to traverse If a port determines that the explorer frame it is receiving has traversed more than the number of hops specified it does not forward the frame The TrCRF determines the number of hops an explorer has traversed by the number of bridge hops in the route information field If the ISL connection between netwo...

Page 194: ... Ranges Parameter Default Range VLAN ID 1 1 4094 VLAN name default for VLAN 1 VLANvlan_ID for other Ethernet VLANs 802 10 SAID 10vlan_ID 100001 104094 MTU size 1500 1500 18190 Translational bridge 1 0 0 1005 Translational bridge 2 0 0 1005 VLAN state active active suspend Pruning eligibility VLANs 2 1001 are pruning eligible VLANs 1006 4094 are not pruning eligible Table 14 3 FDDI VLAN Defaults an...

Page 195: ...al bridge 1 0 0 1005 Translational bridge 2 0 0 1005 VLAN state active active suspend Bridge mode srb srb srt ARE max hops 7 0 13 STE max hops 7 0 13 Backup CRF disabled disable enable Table 14 5 FDDI Net VLAN Defaults and Ranges Parameter Default Range VLAN ID 1004 1 1005 VLAN name fddinet default 802 10 SAID 101004 1 4294967294 MTU size 1500 1500 18190 Bridge number 1 0 15 STP type ieee auto ibm...

Page 196: ...at file which is stored in nonvolatile memory You can cause inconsistency in the VLAN database if you manually delete the vlan dat file If you want to modify the VLAN configuration or VTP use the commands described in this guide and in the Cisco IOS Master Command List Release 12 2SX publication To do a complete backup of your configuration include the vlan dat file in the backup The Cisco IOS end...

Page 197: ... page 14 10 VLAN Configuration in Global Configuration Mode If the router is in VTP server or transparent mode see the Configuring VTP section on page 13 6 you can configure VLANs in global and config vlan configuration modes When you configure VLANs in global and config vlan configuration modes the VLAN configuration is saved in the vlan dat file To display the VLAN configuration enter the show v...

Page 198: ...Creating or Modifying an Ethernet VLAN User configured VLANs have unique IDs from 1 to 4094 except for reserved VLANs see Table 14 1 on page 14 2 Enter the vlan command with an unused ID to create a VLAN Enter the vlan command for an existing VLAN to modify the VLAN you cannot modify an existing VLAN that is being used by a Layer 3 port or a software feature See the VLAN Default Configuration sect...

Page 199: ...e following information You cannot delete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 When you delete a VLAN any LAN ports configured as access ports assigned to that VLAN become inactive The ports remain associated with the VLAN and inactive until you assign them to a new VLAN This example shows how to create an Ethernet VLAN in global...

Page 200: ...wing a reload To configure the internal VLAN allocation policy perform this task When you configure the internal VLAN allocation policy note the following information Enter the ascending keyword to allocate internal VLANs from 1006 and up Enter the descending keyword to allocate internal VLAN from 4094 and down This example shows how to configure descending as the internal VLAN allocation policy R...

Page 201: ...not Layer 2 trunks Do not configure translation of ingress native VLAN traffic on an 802 1Q trunk Because 802 1Q native VLAN traffic is untagged it cannot be recognized for translation You can translate traffic from other VLANs to the native VLAN of an 802 1Q trunk Do not remove the VLAN to which you are translating from the trunk The VLAN translation configuration applies to all ports in a port g...

Page 202: ... 128 ISL 802 1Q WS X6502 10GE 1 1 1 port in 1 group 32 802 1Q WS X6724 SFP 24 2 1 12 13 24 128 ISL 802 1Q WS X6816 GBIC 16 2 1 8 9 16 32 802 1Q WS X6516A GBIC 16 2 1 8 9 16 32 802 1Q WS X6516 GBIC 16 2 1 8 9 16 32 802 1Q WS X6748 GE TX 48 4 1 12 13 24 25 36 37 48 128 ISL 802 1Q WS X6516 GE TX 16 2 1 8 9 16 32 802 1Q WS X6524 100FX MM 24 1 1 24 32 ISL 802 1Q WS X6548 RJ 45 48 1 1 48 32 ISL 802 1Q W...

Page 203: ...t to configure Step 2 Router config if switchport vlan mapping enable Enables VLAN translation Step 3 Router config if switchport vlan mapping original_vlan_ID translated_vlan_ID Translates a VLAN to another VLAN The valid range is 1 to 4094 When you configure a VLAN mapping from the original VLAN to the translated VLAN on a port traffic arriving on the original VLAN gets mapped or translated to t...

Page 204: ...pings on the Cisco 7600 series router You can only map 802 1Q VLANs to Ethernet type ISL VLANs Do not enter the native VLAN of any 802 1Q trunk in the mapping table When you map an 802 1Q VLAN to an ISL VLAN traffic on the 802 1Q VLAN corresponding to the mapped ISL VLAN is blocked For example if you map 802 1Q VLAN 1007 to ISL VLAN 200 traffic on 802 1Q VLAN 200 is blocked VLAN mappings are local...

Page 205: ... vlan dat file You should create a backup of the vlan dat file in addition to backing up the running config and startup config files If you replace the existing supervisor engine copy the startup config file as well as the vlan dat file to restore the system The vlan dat file is read on bootup and you will have to reload the supervisor engine after uploading the file To view the file location use ...

Page 206: ...14 18 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 14 Configuring VLANs Configuring VLANs ...

Page 207: ...vate VLAN Configuration Guidelines and Restrictions page 15 6 Configuring Private VLANs page 15 11 Monitoring Private VLANs page 15 17 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How Private VLANs Work These...

Page 208: ...ted by a pair of private VLANs a primary VLAN and a secondary VLAN A private VLAN domain can have multiple private VLAN pairs one pair for each subdomain All VLAN pairs in a private VLAN domain share the same primary VLAN The secondary VLAN ID differentiates one subdomain from another see Figure 15 1 Figure 15 1 Private VLAN Domain A private VLAN domain has only one primary VLAN Every port in a pr...

Page 209: ...raffic might enter or leave the router through a trunk interface Primary Isolated and Community VLANs Primary VLANs and the two types of secondary VLANs isolated VLANs and community VLANs have these characteristics Primary VLAN The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the isolated and community host ports and to other promiscuous ports Isolated VLAN ...

Page 210: ... configuration and to avoid other use of the VLANs configured as private VLANs configure private VLANs on all intermediate devices including devices that have no private VLAN ports IP Addressing Scheme with Private VLANs When you assign a separate VLAN to each customer an inefficient IP addressing scheme is created as follows Assigning a block of addresses to a customer VLAN can result in unused I...

Page 211: ...ANs you must manually configure private VLANs on all routers in the Layer 2 network If you do not configure the primary and secondary VLAN association in some routers in the network the Layer 2 databases in these routers are not merged This situation can result in unnecessary flooding of private VLAN traffic on those routers Private VLAN Interaction with Other Features These sections describe how ...

Page 212: ...ulticast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs Private VLANs and SVIs A router virtual interface SVI is the Layer 3 interface of a Layer 2 VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN SVIs only for primary VLANs Do not configure Layer...

Page 213: ...hat the primary isolated and community VLANs spanning tree topologies match so that the VLANs can properly share the same forwarding database If you enable MAC address reduction on the router we recommend that you enable MAC address reduction on all the devices in your network to ensure that the STP topologies of the private VLANs match In a network where private VLANs are configured if you enable...

Page 214: ...LAN maps on private VLAN primary and secondary VLANs When a frame is Layer 2 forwarded within a private VLAN the same VLAN map is applied at the ingress side and at the egress side When a frame is routed from inside a private VLAN to an external port the private VLAN map is applied at the ingress side For frames going upstream from a host port to a promiscuous port the VLAN map configured on the s...

Page 215: ...es are trunk connected and the primary and secondary VLANs have not been removed from the trunk All primary isolated and community VLANs associated within a private VLAN must maintain the same topology across trunks You are highly recommended to configure the same STP bridge parameters and trunk port parameters on all associated VLANs in order to maintain the same topology Limitations with Other F...

Page 216: ...ociated primary VLAN When you delete a static MAC address from a private VLAN port you must remove all instances of the configured MAC address from the private VLAN Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs For example a MAC address learned in a secondary VLAN is replicated in the primary VLAN When the original dynamic MAC address is de...

Page 217: ...f one port within the group of 24 ports is one of these ports listed and has the above properties any isolated or community VLAN configuration for other ports within the 24 ports is inactive To reactivate the ports remove the isolated or community VLAN port configuration and enter the shutdown and no shutdown commands Configuring Private VLANs These sections contain configuration information Confi...

Page 218: ... and verify the configuration Router configure terminal Router config vlan 440 Router config vlan private vlan isolated Router config vlan end Router show vlan private vlan Primary Secondary Type Interfaces 202 primary 303 community 440 isolated Associating Secondary VLANs with a Primary VLAN To associate secondary VLANs with a primary VLAN perform this task Step 3 Router config vlan end Exits con...

Page 219: ...uration Router configure terminal Router config vlan 202 Router config vlan private vlan association 303 307 309 440 Router config vlan end Router show vlan private vlan Primary Secondary Type Interfaces 202 303 community 202 304 community 202 305 community 202 306 community 202 307 community 202 309 community 202 440 isolated 308 community Mapping Secondary VLANs to the Layer 3 VLAN Interface of ...

Page 220: ...e configuration Router configure terminal Router config interface vlan 202 Router config if private vlan mapping add 303 307 309 440 Router config if end Router show interfaces private vlan mapping Interface Secondary VLAN Type vlan202 303 community vlan202 304 community vlan202 305 community vlan202 306 community vlan202 307 community vlan202 309 community vlan202 440 isolated Router Configuring ...

Page 221: ...abled ALL Pruning VLANs Enabled 2 1001 Capture Mode Disabled Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port To configure a Layer 2 interface as a private VLAN promiscuous port perform this task Step 4 Router config if switchport private vlan host association primary_vlan_ID secondary_vlan_ID Associates the Layer 2 port with a private VLAN Router config if no switchport private ...

Page 222: ...rfaces fastethernet 5 2 switchport Name Fa5 2 Switchport Enabled Administrative Mode private vlan promiscuous Operational Mode down Administrative Trunking Encapsulation negotiate Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative private vlan host association none Inactive Administrative private vlan mapping 202 VLAN0202 303 VLAN0303 440 VLAN0...

Page 223: ... 0 1 Gi3 0 4 10 503 non operational Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Table 15 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to w...

Page 224: ...15 18 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 15 Configuring Private VLANs Monitoring Private VLANs ...

Page 225: ...nding Cisco IP Phone Support page 16 1 Default Cisco IP Phone Support Configuration page 16 5 Cisco IP Phone Support Configuration Guidelines and Restrictions page 16 5 Configuring Cisco IP Phone Support page 16 6 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 t...

Page 226: ...re QoS to trust the Layer 3 IP precedence or Layer 2 CoS value in the voice traffic refer to Chapter 41 Configuring PFC QoS Note You can configure the ports on WS X6548 RJ 45 and WS X6548 RJ 21 switching modules to trust received Layer 2 CoS values QoS port architecture 1p1q0t 1p3q1t The WS X6548 RJ 45 and WS X6548 RJ 21 switching modules cannot supply power to Cisco IP phones Configure QoS polici...

Page 227: ...ess port on the Cisco IP phone to either of these two modes Trusted mode All traffic received through the access port on the Cisco IP phone passes through the Cisco IP phone unchanged Untrusted mode All traffic in 802 1Q or 802 1p frames received through the access port on the Cisco IP phone is marked with a configured Layer 2 CoS value The default Layer 2 CoS value is 0 Untrusted mode is the defa...

Page 228: ... correct amount of power is determined from the CDP messaging with the Cisco IP phone the supervisor engine reduces or increases the allocated power For example the default allocated power is 7 W A Cisco IP phone requiring 6 3 W is plugged into a port The supervisor engine allocates 7 W for the Cisco IP phone and powers it up Once the Cisco IP phone is operational it sends a CDP message with the a...

Page 229: ...recedence value on switching modules with QoS port architecture 1p4t 2q2t The following conditions indicate that the Cisco IP phone and a device attached to the Cisco IP phone are in the same VLAN and must be in the same IP subnet If they both use 802 1p or untagged frames If the Cisco IP phone uses 802 1p frames and the device uses untagged frames If the Cisco IP phone uses untagged frames and th...

Page 230: ...ue the default is 5 for voice traffic and 3 for voice control traffic The router puts the 802 1p voice traffic into the access VLAN Enter the untagged keyword to send CDP packets that configure the Cisco IP phone to transmit untagged voice traffic The router puts the untagged voice traffic into the access VLAN Enter the none keyword to allow the Cisco IP phone to use its own configuration and tran...

Page 231: ...guring Data Traffic Support To configure the way in which the Cisco IP phone transmits data traffic perform this task When configuring the way in which the Cisco IP phone transmits data traffic note the following information To send CDP packets that configure the Cisco IP phone to trust tagged traffic received from a device connected to the access port on the Cisco IP phone do not enter the cos ke...

Page 232: ... Support To configure inline power support perform this task When configuring inline power support note the following information To configure auto detection of a Cisco IP phone enter the auto keyword To disable auto detection of a Cisco IP phone enter the never keyword This example shows how to disable inline power on Fast Ethernet port 5 1 Router configure terminal Router config interface fastet...

Page 233: ...pter 16 Configuring Cisco IP Phone Support Configuring Cisco IP Phone Support Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 234: ...16 10 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 16 Configuring Cisco IP Phone Support Configuring Cisco IP Phone Support ...

Page 235: ...mation including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How 802 1Q Tunneling Works 802 1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs while preserving customer VLAN IDs and keeping traf...

Page 236: ... a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802 1Q trunk port and the other end is configured as a tunnel port You assign the tunnel port to an access VLAN ID unique to each customer See Figure 17 1 on page 17 2 and Figure 17 2 on page 17 3 Figure 17 1 IEEE 802 1Q Tunnel Ports in a Service Provider Network Customer A VLANs 1 to 100 Cust...

Page 237: ...l ports as required to support the customer devices that need to communicate through the tunnel An egress tunnel port strips the 2 byte Ethertype field 0x8100 and the 2 byte length field and transmits the traffic with the 802 1Q tag still intact to an 802 1Q trunk port on a customer device The 802 1Q trunk port on the customer device strips the 802 1Q tag and puts the traffic into the appropriate ...

Page 238: ...frames can be tunneled as long as the jumbo frame length combined with the 802 1Q tag does not exceed the maximum frame size Because tunnel traffic has the added ethertype and length field and retains the 802 1Q tag within the router the following restrictions exist The Layer 3 packet within the Layer 2 frame cannot be identified in tunnel traffic Layer 3 and higher parameters cannot be identified...

Page 239: ... 802 1Q tunnel ports as follows Router config if spanning tree bpdufilter enable Router config if spanning tree portfast Note Spanning tree BPDU filtering is enabled automatically on tunnel ports At least one VLAN must be available for Native VLAN tagging vlan dot1q tag native option If you use all the available VLANs and then try to enable the vlan dot1q tag native option the option will not be e...

Page 240: ...guring the Router to Tag Native VLAN Traffic The vlan dot1q tag native command is a global command that configures the router to tag native VLAN traffic and admit only 802 1Q tagged frames on 802 1Q trunks dropping any untagged traffic including untagged traffic in the native VLAN Command Purpose Step 1 Router config interface type1 slot port 1 type ethernet fastethernet gigabitethernet or tengiga...

Page 241: ...g vlan dot1q tag native Router config end Router show vlan dot1q tag native Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Command Purpose Step 1 Router config vlan dot1q tag native Configures the router to tag native VLAN t...

Page 242: ...17 8 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 17 Configuring IEEE 802 1Q Tunneling Configuring 802 1Q Tunneling ...

Page 243: ... and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How Layer 2 Protocol Tunneling Works Layer 2 protocol tunneling allows Layer 2 protocol data units PDUs CDP STP and VTP to be tunneled through a network This section uses the following terminology Edge router The router connec...

Page 244: ...e tunnel The encapsulation involves rewriting the destination media access control MAC address in the PDU An ingress edge router rewrites the destination MAC address of the PDUs received on a Layer 2 tunnel port with the Cisco proprietary multicast address 01 00 0c cd cd d0 The PDU is then flooded to the native VLAN of the Layer 2 tunnel port If you enable Layer 2 protocol tunneling on a port PDUs...

Page 245: ...rdisable recovery cause This example shows how to configure Layer 2 protocol tunneling and shutdown thresholds on port 5 1 for CDP STP and VTP and verify the configuration Router configure terminal Router config interface fastethernet 5 1 Router config if switchport Router config if l2protocol tunnel shutdown threshold cdp 10 Router config if l2protocol tunnel shutdown threshold stp 10 Router conf...

Page 246: ...onfig if no l2protocol tunnel shutdown threshold cdp 10 Router config if no l2protocol tunnel shutdown threshold stp 10 Router config if no l2protocol tunnel shutdown threshold vtp 10 Router config if no l2protocol tunnel cdp Router config if no l2protocol tunnel stp Router config if no l2protocol tunnel vtp Router config if end Router show l2protocol tunnel summary Port Protocol Threshold cos cdp...

Page 247: ...n supported in releases earlier than Release 12 2 18 SXF For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html This chapter consists of these sections Understanding MST page 19 1 Understanding RSTP page 19 9 Configuring MST page 19 15 D...

Page 248: ...shaking which eliminates the 802 1D forwarding delay and quickly transitions root bridge ports and designated ports to the forwarding state MST improves spanning tree operation and maintains backward compatibility with these STP versions Original 802 1D spanning tree Existing Cisco proprietary Multiple Instance STP MISTP Existing Cisco per VLAN spanning tree plus PVST Rapid per VLAN spanning tree ...

Page 249: ... region known as the IST All other MST instances are numbered from 1 to 4094 The IST is the only spanning tree instance that sends and receives BPDUs All of the other spanning tree instance information is contained in MSTP records M records which are encapsulated within MST BPDUs Because the MST BPDU carries information for all instances the number of BPDUs that need to be processed to support mul...

Page 250: ... each with its own CIST regional root As routers receive superior IST information from a neighbor in the same region they leave their old subregions and join the new subregion that contains the true CIST regional root which causes all subregions to shrink except for the one that contains the true CIST regional root For correct operation all routers in the MST region must agree on the same CIST reg...

Page 251: ...s use MST BPDUs to communicate with MST routers IEEE 802 1s Terminology Some MST naming conventions used in the prestandard implementation have been changed to include identification of some internal and regional parameters These parameters are used only within an MST region compared to external parameters that are used throughout the whole network Because the CIST is the only spanning tree instan...

Page 252: ... the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates When the count reaches zero the router discards the BPDU and ages the information held for the port The message age and maximum age information in the RSTP portion of the BPDU remain the same throughout the region and the same values are propagated by the region designated ports ...

Page 253: ...xample router C would receive a BPDU with the same consistent sender switch ID of root whether or not A or B is designated for the segment Standard Compliant MST Implementation The standard compliant MST implementation includes features required to meet the standard as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard These sections de...

Page 254: ...PDU AY cannot detect that a prestandard router is connected to Y and continues to send standard BPDUs The port BY is fixed in a boundary and no load balancing is possible between A and B The same problem exists on segment X but B might transmit topology changes Figure 19 2 Standard Compliant and Prestandard Router Interoperation Note We recommend that you minimize the interaction between standard ...

Page 255: ...when the router to which this router is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring routers use the clear spanning tree detected protocols privileged EXEC command If all the 802 1D routers on the link are RSTP routers they can process MST BPDUs as if they are RSTP BPDUs Therefore MST routers send either a Version 0 configuratio...

Page 256: ...rd the leaves of the spanning tree A backup port can exist only when two ports are connected in a loopback by a point to point link or when a router has two or more connections to a shared LAN segment Disabled port Has no role within the operation of the spanning tree A port with the root or a designated port role is included in the active topology A port with the alternate or backup port role is ...

Page 257: ...r A is a smaller numerical value than the priority of router B Router A sends a proposal message a configuration BPDU with the proposal flag set to router B proposing itself as the designated router After receiving the proposal message router B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement me...

Page 258: ... If a designated port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring that all of the ports are sy...

Page 259: ...DU Information page 19 14 BPDU Format and Processing Overview The RSTP BPDU format is the same as the 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no Version 1 protocol information is present Table 19 3 describes the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designated port 8...

Page 260: ...RSTP triggers a reconfiguration If the port is proposed and is selected as the new root port RSTP forces all the other ports to synchronize If the BPDU received is an RSTP BPDU with the proposal flag set the router sends an agreement message after all of the other ports are synchronized If the BPDU is an 802 1D BPDU the router does not set the proposal flag and starts the forward delay timer for t...

Page 261: ...ropagation When an RSTP router receives a TC message from another router through a designated or root port it propagates the change to all of its nonedge designated ports and to the root port excluding the port on which it is received The router starts the TC while timer for all such ports and flushes the information learned on them Protocol migration For backward compatibility with 802 1D routers...

Page 262: ...sion number and VLAN to instance mapping on each router within the MST region through the command line interface CLI or SNMP For load balancing across redundant paths in the network to work all VLAN to instance mapping assignments must match otherwise all traffic flows on a single link All MST boundary ports must be forwarding for load balancing between a PVST and an MST cloud or between a rapid P...

Page 263: ...anning tree instance at a time To specify the MST region configuration and enable MST perform this task Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config spanning tree mst configuration Enters MST configuration mode Step 3 Router config mst instance instance_id vlan vlan_range Maps VLANs to an MST instance For instance_id the range is 0 to 4094 ...

Page 264: ...e region region1 set the configuration revision to 1 display the pending configuration apply the changes and return to global configuration mode Router config spanning tree mst configuration Router config mst instance 1 vlan 10 20 Router config mst name region1 Router config mst revision 1 Router config mst show pending Pending MST configuration Name region1 Revision 1 Instances configured 2 Insta...

Page 265: ...switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 20 2 on page 20 3 If your network consists of routers that both do and do not support the extended system ID it is unlikely that the router with the extended system ID support will become the root bridge The extended system ID increases the switch priority value every time the VLAN num...

Page 266: ...u used when you configured the primary root bridge with the spanning tree mst instance_id root primary global configuration command Command Purpose Step 1 Router config configure terminal Enters global configuration mode Step 2 Router config config spanning tree mst instance_id root primary diameter net_diameter hello time seconds Optional Configures a router as the root bridge For instance_id you...

Page 267: ...meter net_diameter hello time seconds Optional Configures a router as the secondary root bridge For instance_id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Optional For diameter net_diameter specify the maximum number of routers between any two end stations The range is 2 to 7 This keyword is avai...

Page 268: ...and blocks the other interfaces To configure the MST cost of an interface perform this task Step 3 Router config if spanning tree mst instance_id port priority priority Configures the port priority For instance_id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 240 in in...

Page 269: ...oot primary and the spanning tree mst instance_id root secondary global configuration commands to modify the switch priority Step 3 Router config if spanning tree mst instance_id cost cost Configures the cost If a loop occurs MST uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed transmission For instance_id you can specify a...

Page 270: ...Configures the switch priority For instance_id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the router will be chosen as the root bridge Priority values are 0 4096 8192 12288 16384 2...

Page 271: ...pose Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config spanning tree mst forward time seconds Optional Configures the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default ...

Page 272: ... Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config spanning tree mst max age seconds Optional Configures the maximum aging time for all MST instances The maximum aging time is the number of seconds a router waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the defaul...

Page 273: ...if the port is in STP compatibility mode To override the default link type setting perform this task Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config interface type1 slot port port channel number 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Optional Specifies an interface to configure and enters interface configuration mod...

Page 274: ...ontinue to assign a boundary role to a port when the router to which it is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring routers on the router use the clear spanning tree detected protocols privileged EXEC command To restart the protocol migration process on a specific interface use the clear spanning tree detected protocols inte...

Page 275: ...ormation for the commands used in this chapter refer to the Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html For information on configuring the PortFast UplinkFast and BackboneFast STP enhancements see Chapter 21 Configuring Optional STP Features This chapter consists of these sections Understanding How STP Works page 20 2...

Page 276: ... best loop free path throughout a switched Layer 2 network Layer 2 LAN ports send and receive STP frames at regular intervals Network devices do not forward these frames but use the frames to construct a loop free path Multiple active paths between end stations cause loops in the network If a loop exists in the network end stations might receive duplicate messages and network devices might learn e...

Page 277: ...ridge ID unique for each VLAN If you have a network device in your network with the extended system ID enabled you should also enable the extended system ID on all other Layer 2 connected network devices to avoid undesirable root bridge election and spanning tree topology issues When the extended system ID is enabled the root bridge priority becomes a multiple of 4096 plus the VLAN ID With the ext...

Page 278: ... path cost A designated bridge for each LAN segment is selected This is the network device closest to the root bridge through which frames are forwarded to the root A root port is selected This is the port providing the best path from the bridge to the root bridge Ports included in the spanning tree are selected Election of the Root Bridge For each VLAN the network device with the highest priority...

Page 279: ...the path between source and destination end stations in a switched network might not be ideal For instance connecting higher speed links to a port that has a higher number than the current root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a fiber optic link and another port on Switch B an unshielded twisted pai...

Page 280: ... propagate through the switched LAN before starting to forward frames They must allow the frame lifetime to expire for frames that have been forwarded using the old topology Each Layer 2 LAN port on a Cisco 7600 series router using STP exists in one of the following five states Blocking The Layer 2 LAN port does not participate in frame forwarding Listening First transitional state after the block...

Page 281: ...e the following process occurs 1 The Layer 2 LAN port is put into the listening state while it waits for protocol information that suggests it should go to the blocking state 2 The Layer 2 LAN port waits for the forward delay timer to expire moves the Layer 2 LAN port to the learning state and resets the forward delay timer 3 In the learning state the Layer 2 LAN port continues to block frame forw...

Page 282: ... the ports move to the listening state A port always enters the blocking state following initialization Figure 20 3 Interface 2 in Blocking State A Layer 2 LAN port in the blocking state performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Does not incorporate end station location into its address database There is no lear...

Page 283: ...ort in the listening state performs as follows Discards frames received from the attached segment Discards frames switched from another LAN port for forwarding Does not incorporate end station location into its address database There is no learning at this point so there is no address database update Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs receiv...

Page 284: ...rt in the learning state performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Incorporates end station location into its address database Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs received from the system module Receives and responds to network management messages Filtering...

Page 285: ...the forwarding state performs as follows Forwards frames received from the attached segment Forwards frames switched from another port for forwarding Incorporates end station location information into its address database Receives BPDUs and directs them to the system module Processes BPDUs received from the system module Receives and responds to network management messages Filtering database Frame...

Page 286: ...mpose some limitations on the STP strategy for a network In a network of Cisco network devices connected through 802 1Q trunks the network devices maintain one instance of STP for each VLAN allowed on the trunks However non Cisco 802 1Q network devices maintain only one instance of STP for all VLANs allowed on the trunks When you connect a Cisco network device to a non Cisco device through an 802 ...

Page 287: ...t or a LAN A new root port and the designated port on the other side of the bridge transition to forwarding using an explicit handshake between them RSTP allows router port configuration so that the ports can transition to forwarding directly when the router reinitializes RSTP as specified in 802 1w supersedes STP specified in 802 1D but remains compatible with STP RSTP provides backward compatibi...

Page 288: ...ogy RSTP ensures that every root port and designated port transition to forwarding and ensures that all alternate ports and backup ports are always in the discarding state Rapid PVST Rapid PVST uses the existing configuration for PVST however Rapid PVST uses RSTP to provide faster convergence Independent VLANs run their own RSTP instance Dynamic entries are flushed immediately on a per port basis ...

Page 289: ...different VLAN and spanning tree instance assignments in different parts of the network A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments You must configure a set of bridges with the same MST configuration information which allows them to participate in a specific set of spanning tree instances Interconnected bridges that have the same MST configurat...

Page 290: ...s MST BPDUs The original spanning trees computed by MSTP are called M trees M trees are active only within the MST region M trees merge with the IST at the boundary of the MST region and form the CST MST provides interoperability with PVST by generating PVST BPDUs for the non CST VLANs MST supports some of the PVST extensions in MSTP as follows UplinkFast and BackboneFast are not available in MST ...

Page 291: ... port of a pseudobridge a port at the edge of a region to another port follows a path entirely contained within the pseudobridge or MST region Data traffic belonging to different VLANs may follow different paths within the MST regions established by MST Loop prevention is achieved by either of the following Blocking the appropriate pseudobridge ports by allowing one forwarding port on the boundary...

Page 292: ... When you connect a PVST router to two different MST regions the topology change from the PVST router does not pass beyond the first MST region In this case the topology changes are only propagated in the instance to which the VLAN is mapped The topology change stays local to the first MST region and the CAM entries in the other region are not flushed To make the topology change visible throughout...

Page 293: ...s the only member of the MST region An MST bridge interconnected by a LAN A LAN s designated bridge has the same MST configuration as an MST bridge All the bridges on the LAN can process MST BPDUs If you connect two MST regions with different MST configurations the MST regions do the following Load balance across redundant paths in the network If two MST regions are redundantly connected all traff...

Page 294: ...ntermediate bridge If the port connects to another bridge that can send back an agreement then the port starts forwarding immediately Otherwise the port needs twice the forward delay time to start forwarding again You must explicitly configure the ports that are connected to the hosts and routers as edge ports while using MST To prevent a misconfiguration the PortFast operation is turned off if th...

Page 295: ...ge number of either existing or new logical VLAN ports should be completed during a maintenance window because the complete MST database gets reinitialized for any incremental change such as adding new VLANs to instances or moving VLANs across instances Table 20 5 STP Default Configuration Feature Default Value Enable state STP enabled for all VLANs Bridge priority 32768 STP port priority configur...

Page 296: ...itchport keyword Caution We do not recommend disabling spanning tree even in a topology that is free of physical loops Spanning tree serves as a safeguard against misconfigurations and cabling errors Do not disable spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN Enabling STP Note STP is enabled by default on VLAN 1 and on all newly created VLANs You ca...

Page 297: ... VLAN This example shows how to enable STP on VLAN 200 Router configure terminal Router config spanning tree vlan 200 Router config end Router Note Because STP is enabled by default entering a show running command to view the resulting configuration does not display the command you entered to enable STP This example shows how to verify the configuration Router show spanning tree vlan 200 VLAN0200 ...

Page 298: ...ry include Extended Extended system ID is enabled Configuring the Root Bridge Cisco 7600 series routers maintain a separate instance of STP for each active VLAN A bridge ID consisting of the bridge priority and the bridge MAC address is associated with each instance For each VLAN the network device with the highest priority lowest numerical bridge ID becomes the root bridge for that VLAN To config...

Page 299: ...e the root bridge is less than 1 The spanning tree vlan vlan_ID root command can cause the following effects If the extended system ID is disabled and if all network devices in VLAN 100 have the default priority of 32768 entering the spanning tree vlan 100 root primary command on the router sets the bridge priority for VLAN 100 to 8192 which causes the router to become the root bridge for VLAN 100...

Page 300: ...configure multiple backup root bridges Use the same network diameter and hello time values as you used when configuring the primary root bridge To configure a Cisco 7600 series router as the secondary root bridge perform this task This example shows how to configure the Cisco 7600 series router as the secondary root bridge for VLAN 10 with a network diameter of 4 Router configure terminal Router c...

Page 301: ...ter config if end Router This example shows how to verify the configuration of Fast Ethernet port 4 4 Router show spanning tree interface fastethernet 4 4 Vlan Role Sts Cost Prio Nbr Status VLAN0001 Back BLK 200000 160 196 P2p VLAN0006 Back BLK 200000 160 196 P2p VLAN0198 Back BLK 200000 160 196 P2p VLAN0199 Back BLK 200000 160 196 P2p VLAN0200 Back BLK 200000 160 196 P2p Router Command Purpose St...

Page 302: ...g tree interface fastethernet 4 4 Vlan Role Sts Cost Prio Nbr Status VLAN0001 Back BLK 200000 160 196 P2p VLAN0006 Back BLK 200000 160 196 P2p VLAN0199 Back BLK 200000 160 196 P2p VLAN0200 Desg FWD 200000 64 196 P2p Router You also can display spanning tree information for VLAN 200 using the following command Router show spanning tree vlan 200 interface fastEthernet 4 4 Interface Role Sts Cost Pri...

Page 303: ...ace fastEthernet 4 4 Router config if spanning tree vlan 200 cost 2000 Router config if Z Router This example shows how to verify the configuration Router show spanning tree vlan 200 interface fastEthernet 4 4 Interface Role Sts Cost Prio Nbr Status Command Purpose Step 1 Router config interface type1 slot port port channel port_channel_number 1 type ethernet fastethernet gigabitethernet or tengig...

Page 304: ...e the STP bridge priority of a VLAN when the extended system ID is disabled perform this task To configure the STP bridge priority of a VLAN when the extended system ID is enabled perform this task Command Purpose Step 1 Router config spanning tree vlan vlan_ID priority bridge_priority Configures the bridge priority of a VLAN when the extended system ID is disabled The bridge_priority value can be...

Page 305: ...dify the hello time To configure the STP hello time of a VLAN perform this task This example shows how to configure the hello time for VLAN 200 to 7 seconds Router configure terminal Router config spanning tree vlan 200 hello time 7 Router config end Router This example shows how to verify the configuration Router show spanning tree vlan 200 bridge Hello Max Fwd Step 2 Router config end Exits conf...

Page 306: ...um aging time for a VLAN perform this task Command Purpose Step 1 Router config spanning tree vlan vlan_ID forward time forward_time Configures the forward time of a VLAN The forward_time value can be from 4 to 30 seconds The vlan_ID value can be 1 through 4094 except reserved VLANs see Table 14 1 on page 14 2 Router config no spanning tree vlan vlan_ID forward time Reverts to the default forward ...

Page 307: ...u can avoid explicitly configuring the link type To configure a specific link type enter the spanning tree linktype command Restarting Protocol Migration A router running both MSTP and RSTP supports a built in protocol migration process that enables the router to interoperate with legacy 802 1D switches If this router receives a legacy 802 1D configuration BPDU a BPDU with the protocol version set...

Page 308: ...e Revision 0 Instance Vlans mapped Command Purpose Step 1 Router show spanning tree mst configuration Displays the current MST configuration Step 2 Router config spanning tree mode mst Configures MST mode Step 3 Router config spanning tree mst configuration Configures the MST region by entering the MST configuration submode Router config no spanning tree mst configuration Clears the MST configurat...

Page 309: ...ig mst no instance 1 vlan 2500 Router config mst show pending Pending MST configuration Name cisco Revision 2 Instance Vlans mapped 0 1 1999 2500 3001 4094 1 2000 2499 2501 3000 Router config exit Router config no spanning tree mst configuration Router config do show spanning tree mst configuration Name Revision 0 Instance Vlans mapped 0 1 4094 Displaying MST Configurations To display MST configur...

Page 310: ...mst instance 1 vlan 1 10 Router config mst name cisco Router config mst revision 1 Router config mst Z Router show spanning tree mst configuration Name cisco Revision 1 Instance Vlans mapped 0 11 4094 1 1 10 Step 5 Router show spanning tree mst number interface interface name detail Displays MST information for a given port and a given instance Step 6 Router show spanning tree mst x interface Y de...

Page 311: ... 200000 128 197 P2p Fa4 48 Boun FWD 200000 128 240 P2p Bound STP Router show spanning tree mst 1 MST01 vlans mapped 1 10 Bridge address 00d0 00b8 1400 priority 32769 32768 sysid 1 Root this switch for MST01 Interface Role Sts Cost Prio Nbr Status Fa4 4 Back BLK 1000 160 196 P2p Fa4 5 Desg FWD 200000 128 197 P2p Fa4 48 Boun FWD 200000 128 240 P2p Bound STP Router show spanning tree mst interface fa...

Page 312: ...t4 48 of MST01 is boundary forwarding Port info port id 128 240 priority 128 cost 200000 Designated root address 00d0 00b8 1400 priority 32769 cost 0 Designated bridge address 00d0 00b8 1400 priority 32769 port id 128 240 Timers message expires in 0 sec forward delay 0 forward transitions 1 Bpdus MRecords sent 78 received 0 Router show spanning tree vlan 10 MST01 Spanning tree enabled protocol mst...

Page 313: ...0 mst bridge hello time unchanged at 2 mst bridge forward delay unchanged at 15 Router config Z Router Router show spanning tree mst MST00 vlans mapped 11 4094 Bridge address 00d0 00b8 1400 priority 24576 24576 sysid 0 Root this switch for CST and IST Configured hello time 2 forward delay 15 max age 20 max hops 20 Interface Role Sts Cost Prio Nbr Status Fa4 4 Back BLK 1000 160 196 P2p Fa4 5 Desg F...

Page 314: ...enables the router to interoperate with legacy 802 1D switches If this router receives a legacy 802 1D configuration BPDU a BPDU with the protocol version set to 0 it sends only 802 1D BPDUs on that port An MSTP router can also detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU version 3 associated with a different region or an RST BPDU version 2 However t...

Page 315: ...dard IEEE 802 1s MST This example shows how to restart protocol migration Router clear spanning tree detected protocols interface fastEthernet 4 4 Router Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 316: ...20 42 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 20 Configuring STP and Prestandard IEEE 802 1s MST Configuring Prestandard IEEE 802 1s MST ...

Page 317: ...TP and Prestandard IEEE 802 1s MST This chapter consists of these sections Understanding How PortFast Works page 21 2 Understanding How BPDU Guard Works page 21 2 Understanding How PortFast BPDU Filtering Works page 21 2 Understanding How UplinkFast Works page 21 3 Understanding How BackboneFast Works page 21 4 Understanding How EtherChannel Guard Works page 21 6 Understanding How Root Guard Works...

Page 318: ...ccess ports If you enable PortFast on a port connected to a router you might create a temporary bridging loop Understanding How BPDU Guard Works When enabled on a port BPDU Guard shuts down a port that receives a BPDU When configured globally BPDU Guard is only effective on ports in the operational PortFast state In a valid configuration PortFast Layer 2 LAN interfaces do not receive BPDUs Recepti...

Page 319: ...ast convergence after a direct link failure and achieves load balancing between redundant Layer 2 links using uplink groups An uplink group is a set of Layer 2 LAN interfaces per VLAN only one of which is forwarding at any given time Specifically an uplink group consists of the root port which is forwarding and a set of blocked ports except for self looping ports The uplink group provides an alter...

Page 320: ... a link to which the network device is not directly connected an indirect link has failed that is the designated bridge has lost its connection to the root bridge Under normal STP rules the network device ignores inferior BPDUs for the configured maximum aging time as specified by the STP max age command The network device tries to determine if it has an alternate path to the root bridge If the in...

Page 321: ... the forwarding state Figure 21 3 shows an example topology with no link failures Switch A the root bridge connects directly to Switch B over link L1 and to Switch C over link L2 The Layer 2 LAN interface on Switch C that connects directly to Switch B is in the blocking state Figure 21 3 BackboneFast Example Before Indirect Link Failure If link L1 fails Switch C cannot detect this failure because ...

Page 322: ...device learns that Switch B is the designated bridge to Switch A the root bridge Figure 21 5 Adding a Network Device in a Shared Medium Topology Understanding How EtherChannel Guard Works EtherChannel guard detects a misconfigured EtherChannel where interfaces on the Cisco 7600 series router are configured as an EtherChannel while interfaces on the other device are not or not all the interfaces on...

Page 323: ...ere is a physical link error on this port The port recovers from this loop inconsistent state as soon as it receives a BPDU You can enable loop guard on a per port basis When you enable loop guard it is automatically applied to all of the active instances or VLANs to which that port belongs When you disable loop guard it is disabled for the specified ports Disabling loop guard moves all loop incon...

Page 324: ...unidirectional loop guard blocks the channel even if other links in the channel are functioning properly If a set of ports that are already blocked by loop guard are grouped together to form a channel spanning tree loses all the state information for those ports and the new channel port may obtain the forwarding state with a designated role If a channel is blocked by loop guard and the channel bre...

Page 325: ...g tree portfast default Router config Z Root bridge for VLAN0010 EtherChannel misconfiguration guard is enabled Extended system ID is disabled Portfast is enabled by default PortFast BPDU Guard is disabled by default Portfast BPDU Filter is disabled by default Loopguard is disabled by default UplinkFast is disabled BackboneFast is disabled Pathcost method used is long Step 4 Router config if end E...

Page 326: ... etc to this interface when portfast is enabled can cause temporary bridging loops Use with CAUTION Router config if Z Router show spanning tree interface fastEthernet 4 4 detail Port 196 FastEthernet4 4 of VLAN0010 is forwarding Port path cost 1000 Port priority 160 Port Identifier 160 196 Designated root has priority 32768 address 00d0 00b8 140a Designated bridge has priority 32768 address 00d0 ...

Page 327: ...r config interface fastEthernet 4 4 Router config if spanning tree bpdufilter enable Router config if Z Router show spanning tree interface fastEthernet 4 4 Vlan Role Sts Cost Prio Nbr Status VLAN0010 Desg FWD 1000 160 196 Edge P2p Router show spanning tree interface fastEthernet 4 4 detail Router show spanning tree interface fastEthernet 4 4 detail Port 196 FastEthernet4 4 of VLAN0010 is forwardi...

Page 328: ... 2 vlans 0 0 0 3 3 Router Enabling UplinkFast UplinkFast increases the bridge priority to 49152 and adds 3000 to the STP port cost of all Layer 2 LAN interfaces on the Cisco 7600 series router decreasing the probability that the router will become the root bridge UplinkFast cannot be enabled on VLANs that have been configured for bridge priority To enable UplinkFast on a VLAN with bridge priority ...

Page 329: ...Fast is not supported on Token Ring VLANs This feature is supported for use with third party network devices To enable BackboneFast perform this task This example shows how to enable BackboneFast Router configure terminal Command Purpose Step 1 Router config spanning tree uplinkfast Router config spanning tree uplinkfast max update rate max_update_rate Enables UplinkFast Enables UplinkFast with an...

Page 330: ...uard Router configure terminal Router config spanning tree etherchannel guard misconfig Router config end Router This example shows how to verify the configuration Router show spanning tree summary include EtherChannel EtherChannel misconfiguration guard is enabled To display the interfaces that are in the errdisable state enter the show interface status err disable command After the misconfigurat...

Page 331: ...ers message age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 The port is in the portfast mode by portfast trunk configuration Link type is point to point by default Bpdu filter is enabled Loop guard is enabled by default on the port BPDU sent 0 received 0 To enable loop guard on a port perform this task Command Purpose Step 1 Router config interface type1 slot port port cha...

Page 332: ...id is 160 196 designated path cost 0 Timers message age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 The port is in the portfast mode by portfast trunk configuration Link type is point to point by default Bpdu filter is enabled Loop guard is enabled on the port BPDU sent 0 received 0 Router Tip For additional information including configuration examples and troubleshooting ...

Page 333: ... URL http www cisco com en US products sw iosswrel ps1835 products_installation_and_configuratio n_guides_list html This chapter consists of these sections Layer 3 Interface Configuration Guidelines and Restrictions page 22 2 Configuring Subinterfaces on Layer 3 Interfaces page 22 2 Configuring IPv4 Routing and Addresses page 22 4 Configuring IPX Routing and Network Numbers page 22 8 Configuring A...

Page 334: ...0 series routers do not support Integrated routing and bridging IRB Concurrent routing and bridging CRB Remote source route bridging RSRB Use bridge groups on VLAN interfaces sometimes called fall back bridging to bridge nonrouted protocols Bridge groups on VLAN interfaces are supported in software on the MSFC Cisco 7600 series routers do not support the IEEE bridging protocol for bridge groups Co...

Page 335: ...nterface You cannot configure a subinterface VLAN on a Layer 3 VLAN interface You cannot configure a VLAN used with a Layer 3 VLAN interface on a subinterface Note You cannot configure a VLAN used on one interface or subinterface on another interface or subinterface You can configure subinterfaces with any normal range or extended range VLAN ID in VTP transparent mode Because VLAN IDs 1 to 1005 ar...

Page 336: ...hardware instead of being forwarded to the MSFC To prevent policy routing of traffic addressed to the MSFC configure PBR ACLs to deny traffic addressed to the MSFC Any options in Cisco IOS ACLs that provide filtering in a PBR route map that would cause flows to be sent to the MSFC to be switched in software are ignored For example logging is not supported in ACEs in Cisco IOS ACLs that provide fil...

Page 337: ...rfaces Configuring IPv4 Routing and Addresses To configure PBR refer to the Cisco IOS Quality of Service Solutions Configuration Guide Release 12 2 Classification Configuring Policy Based Routing at this URL http www cisco com en US docs ios 12_2 qos configuration guide qcfpbr_ps1835_TSD_Products_C onfiguration_Guide_Chapter html ...

Page 338: ... Ethernet address is 0050 f0ac 3058 bia 0050 f0ac 3058 Internet address is 172 20 52 106 29 MTU 1500 bytes BW 100000 Kbit DLY 100 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Command Purpose Step 1 Router config ip routing Enables IPv4 routing Required only if IPv4 routing is disabled Step 2 Router config router ip_routing_protocol Specifies an IPv4 routin...

Page 339: ...stEthernet5 4 is up line protocol is up Internet address is 172 20 52 106 29 Broadcast address is 255 255 255 255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined 224 0 0 10 Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Security level is default Split hori...

Page 340: ... fatipx_r html To configure routing for Internetwork Packet Exchange IPX and configure IPX on a Layer 3 interface perform this task Command Purpose Step 1 Router config ipx routing Enables IPX routing Step 2 Router config router ipx_routing_protocol Specifies an IP routing protocol This step might include other commands such as specifying the networks to route with the network command Step 3 Route...

Page 341: ..._2 atipx command reference fatipx_r html To configure routing for AppleTalk perform this task beginning in global configuration mode This example shows how to enable AppleTalk routing and assign an AppleTalk cable range and zone name to interface VLAN 100 Router configure terminal 1 type ethernet fastethernet gigabitethernet or tengigabitethernet or ge wan Command Purpose Step 1 Router config appl...

Page 342: ...er Protocols on Layer 3 Interfaces Refer to these publications for information about configuring other protocols on Layer 3 interfaces Cisco IOS Apollo Domain VINES DECnet ISO CLNS and XNS Configuration Guide Release 12 2 at this URL http www cisco com en US docs ios 12_2 apollo configuration guide fapolo_c html Cisco IOS Apollo Domain VINES DECnet ISO CLNS and XNS Command Reference Release 12 2 a...

Page 343: ...mcl_book html These sections describe UDE and UDLR Understanding UDE and UDLR page 23 1 Configuring UDE and UDLR page 23 3 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding UDE and UDLR These sections describe UDE...

Page 344: ...re supported on the interfaces of these switching modules WS X6704 10GE 4 port 10 Gigabit Ethernet WS X6816 GBIC 16 port Gigabit Ethernet WS X6516A GBIC 16 port Gigabit Ethernet WS X6516 GBIC 16 port Gigabit Ethernet Understanding UDE These sections describe UDE UDE Overview page 23 2 Understanding Hardware Based UDE page 23 2 Understanding Software Based UDE page 23 3 UDE Overview On Cisco 7600 s...

Page 345: ...c UDLR intercepts packets that need to be sent on receive only interfaces and sends them on UDLR back channel tunnels When routers receive these packets over UDLR back channel tunnels UDLR makes the packets appear as if received on send only interfaces UDLR back channel tunnels support these IPv4 features Address Resolution Protocol ARP Next Hop Resolution Protocol NHRP Emulation of a bidirectiona...

Page 346: ...ectional EtherChannels cannot support PAgP or LACP To create a unidirectional EtherChannel you must configure the EtherChannel on mode You can configure software based UDE on the physical ports in an EtherChannel You cannot configure software based UDE on any nonphysical interfaces for example port channel interfaces When you implement hardware based UDE on a port or configure software based UDE o...

Page 347: ...ode will automatically disable ip routing on the port You must manually configure static ip route and arp entry in order to route ip traffic This example shows how to configure 10 Gigabit Ethernet port 1 2 as a UDE receive only port Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface tengigabitethernet 1 2 Router config if unidirectional rece...

Page 348: ... interface fastethernet 6 1 unidirectional Unidirectional Ethernet is not supported on FastEthernet6 1 Configuring UDLR These sections describe how to configure UDLR UDLR Back Channel Tunnel Configuration Guidelines page 23 6 Configuring a Receive Only Tunnel Interface for a UDE Send Only Port page 23 7 Configuring a Send Only Tunnel Interface for a UDE Receive Only Port page 23 7 UDLR Back Channe...

Page 349: ...abit Ethernet port 1 2 ARP and NHRP are enabled Command Purpose Step 1 Router config interface tunnel number Selects the tunnel interface Step 2 Router config if tunnel udlr receive only ude_send_only_port Associates the tunnel receive only interface with the UDE send only port Step 3 Router config if ip address ipv4_address Configures the tunnel IPv4 address Step 4 Router config if tunnel source ...

Page 350: ...uter ospf pid network 10 0 0 0 0 255 255 255 area 0 Router B Configuration ip multicast routing tengigabitethernet 1 2 is receive only interface tengigabitethernet 1 2 unidirectional receive only ip address 10 1 0 2 255 255 0 0 ip pim sparse dense mode Configure tunnel as send only UDLR tunnel interface tunnel 0 tunnel source 11 0 0 2 tunnel destination 11 0 0 1 tunnel udlr send only tengigabiteth...

Page 351: ...ions at this URL http www cisco com en US products sw iosswrel ps1835 products_installation_and_configuratio n_guides_list html This chapter consists of these sections PFC3BXL and PFC3B Mode MPLS Label Switching page 24 1 PFC3BXL or PFC3B Mode VPN Switching page 24 10 Any Transport over MPLS page 24 13 Tip For additional information including configuration examples and troubleshooting information ...

Page 352: ...at the ingress edge of the MPLS network and are removed popped at the egress edge The core network LSRs provider or P routers read the labels apply the appropriate services and forward the packets based on the labels Incoming labels are aggregate or nonaggregate The aggregate label indicates that the arriving MPLS packet must be switched through an IP lookup to find the next hop and the outgoing i...

Page 353: ...ks that support PFC3BXL and PFC3B mode MPLS label switching Routing protocol generates a routing information base RIB that is used for forwarding IP and MPLS data packets For Cisco Express Forwarding CEF necessary routing information from the RIB is extracted and built into a forwarding information base FIB The label distribution protocol LDP obtains routes from the RIB and distributes the label a...

Page 354: ...and a VPN label when there is no penultimate hop popping PHP the packet carries the explicit null label on top of the VPN label The PFC3BXL or PFC3B looks up the top label in the FIB TCAM and recirculates the packet Then the PFC3BXL or PFC3B handles the remaining label as described in the preceding paragraph depending on whether it is an aggregate or nonaggregate label Packets with the explicit nu...

Page 355: ...ed for the outgoing label QoS Information on Differentiated Services DiffServ and ToS from IP packets can be mapped to MPLS EXP field MPLS VPN Support Up to 1024 VRFs can be supported over 511 VRFs requires recirculation Ethernet over MPLS The Ethernet frame can be encapsulated at the ingress to the MPLS domain and the Ethernet frame can be decapsulated at the egress Packet recirculation The PFC3B...

Page 356: ... Tunnels This feature allows the router to establish MPLS TE tunnels that span multiple Interior Gateway Protocol IGP areas and levels removing the restriction that had required the tunnel head end and tail end routers to be in the same area See this publication http www cisco com en US docs ios 12_2s feature guide fsiarea3 html MPLS virtual private networks VPNs This feature allows you to deploy ...

Page 357: ...ne See the Any Transport over MPLS section on page 24 13 MPLS Guidelines and Restrictions When configuring PFC3BXL or PFC3B MPLS follow these guidelines and restrictions PFC3BXL or PFC3B mode supports up to 8 load shared paths Cisco IOS releases for other platforms support only 8 load shared paths PFC3BXL or PFC3B mode supports MTU checking and fragmentation Note Fragmentation is supported with so...

Page 358: ...ion If the packet has three labels or less and the underlying packet is IPv4 then the PFC3BXL or PFC3B uses the source and destination IPv4 address If the underlying packet is not IPv4 or more than three labels are present the PFC3BXL or PFC3B parses down as deep as the fifth or lowest label and uses it for hashing MPLS Layer 2 VPN Load Balancing Load balancing is based on the VC label in the MPLS...

Page 359: ...67 1 50 88 0 0 0 24 0 Gi7 16 75 0 21 2 Router show mls cef 88 0 0 0 detail Codes M mask entry V value entry A adjacency index P priority bit D full don t switch m load balancing modnumber B BGP Bucket sel V0 Vlan 0 C0 don t comp bit 0 V1 Vlan 1 C1 don t comp bit 1 RVTEN RPF Vlan table enable RVTSEL RPF Vlan table select Format IPV4_DA 8 xtag vpn pi cr recirc tos prefix Format IPV4_SA 9 xtag vpn pi...

Page 360: ... same access or security policies as a private network VPN based on MPLS technology provides the benefits of routing isolation and security as well as simplified routing and better scalability Refer to the Cisco IOS software documentation for a conceptual MPLS VPN overview and configuration details at this URL http www cisco com en US docs ios 12_2 switch configuration guide xcftagov_ps1835_TSD_Pr...

Page 361: ...ation based upon a label lookup in the FIB Note The PFC3BXL or PFC3B allocates only one aggregate label per VRF If aggregate labels are used for disposition in an egress PE many prefixes on the multiple interfaces may be associated with the label In this case the PFC3BXL or PFC3B must perform an IP lookup to determine the final destination The IP lookup may require recirculation MPLS VPN Guideline...

Page 362: ... 100 10 route target export 100 1 route target import 100 1 mpls label protocol ldp mpls ldp logging neighbor changes mls mpls tunnel recir interface Loopback0 ip address 10 4 4 4 255 255 255 255 interface GigabitEthernet4 2 description Catalyst link to P2 no ip address mls qos trust dscp interface GigabitEthernet4 2 42 encapsulation dot1Q 42 ip address 10 0 3 2 255 255 255 0 tag switching ip inte...

Page 363: ... over MPLS AToM transports Layer 2 packets over an MPLS backbone AToM uses a directed Label Distribution Protocol LDP session between edge routers for setting up and maintaining connections Forwarding occurs through the use of two level labels that provide switching between the edge routers The external label tunnel label routes the packet over the MPLS backbone to the egress PE at the ingress PE ...

Page 364: ...S backbone using a directed LDP session between edge routers for setting up and maintaining connections Forwarding occurs through the use of two level labels that provide switching between the edge routers The external label tunnel label routes the packet over the MPLS backbone to the egress PE at the ingress PE The VC label is a demuxing label that determines the connection at the tunnel endpoint...

Page 365: ...engine and not to the EoMPLS cloud The native VLAN of a trunk must not be configured as an EoMPLS VLAN In PFC3BXL or PFC3B mode all protocols for example CDP VTP BPDUs are tunneled across the MPLS cloud without conditions ISL encapsulation is not supported for the interface that receives EoMPLS packets Unique VLANs are required across interfaces You cannot use the same VLAN ID on different interfa...

Page 366: ...not support VC type 5 for subinterface VLAN based EoMPLS Port mode Allows all traffic on a port to share a single VC across an MPLS network Port mode uses VC type 5 Note For both VLAN mode and port mode PFC3BXL and PFC3B mode EoMPLS does not allow local switching of packets between interfaces unless you use loopback ports A system can have both an OSM or FlexWAN configuration and PFC3BXL or PFC3B ...

Page 367: ...Verifying the Configuration To verify and display the configuration of Layer 2 VLAN transport over MPLS tunnels perform the following To display a single line for each VLAN naming the VLAN status and ports enter the show vlan brief command Router show vlan brief VLAN Name Status Ports 1 default active 2 VLAN0002 active Command Purpose Step 1 Router configure terminal Enters global configuration mo...

Page 368: ...2 12 12 12 0 Local LDP Ident 13 13 13 13 0 TCP connection 12 12 12 12 646 13 13 13 13 11010 State Oper Msgs sent rcvd 1649 1640 Downstream Up time 23 42 45 LDP discovery sources GE WAN3 3 Src IP addr 34 0 0 2 Addresses bound to peer LDP Ident 23 2 1 14 37 0 0 2 12 12 12 12 34 0 0 2 99 0 0 1 Peer LDP Ident 11 11 11 11 0 Local LDP Ident 13 13 13 13 0 TCP connection 11 11 11 11 646 13 13 13 13 11013 ...

Page 369: ...18 Create time 01 24 44 last status change time 00 10 55 Signaling protocol LDP peer 11 11 11 11 0 up MPLS VC labels local 20 remote 18 Group ID local 71 remote 89 MTU local 1500 remote 1500 Remote interface description Sequencing receive disabled send disabled VC statistics packet totals receive 1009 send 1019 byte totals receive 133093 send 138089 packet drops receive 0 send 0 Local interface Vl...

Page 370: ... Building configuration Current configuration 86 bytes interface FastEthernet8 48 no ip address xconnect 75 0 78 1 1 encapsulation mpls end Sub Interface Based Mode router show run interface g7 11 Building configuration Current configuration 118 bytes interface GigabitEthernet7 11 description Traffic Generator no ip address logging event link status speed nonegotiate end router show run int g7 11 ...

Page 371: ...al interface GigabitEthernet7 47 Ethernet Destination address 75 0 80 1 VC ID 1 VC status receive UP send DOWN VC type receive 5 send 5 Tunnel label not ready destination not in LFIB Output interface unknown imposed label stack MPLS VC label local 10579 remote 10038 Linecard VC statistics packet totals receive 0 send 0 byte totals receive 0 send 0 packet drops receive 0 send 0 Control flags receiv...

Page 372: ...Peer LDP Ident 11 11 11 11 0 Local LDP Ident 13 13 13 13 0 TCP connection 11 11 11 11 646 13 13 13 13 11013 State Oper Msgs sent rcvd 1724 1730 Downstream Up time 1d00h LDP discovery sources Targeted Hello 13 13 13 13 11 11 11 11 active passive Addresses bound to peer LDP Ident 11 11 11 11 37 0 0 1 23 2 1 13 To make sure the label forwarding table is built correctly enter the show mpls forwarding ...

Page 373: ...ate of the currently routed VCs enter the show mpls l2transport vc command Router show mpls l2transport vc Local intf Local circuit Dest address VC ID Status Vl2 Eth VLAN 2 11 11 11 11 2 UP Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_seri...

Page 374: ...24 24 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 24 Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching Any Transport over MPLS ...

Page 375: ...22sxmcl 12_2sx_mcl_book html This chapter contains these sections Understanding How MVPN Works page 25 1 MVPN Configuration Guidelines and Restrictions page 25 7 Configuring MVPN page 25 8 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_serie...

Page 376: ...RF maintains the routing and forwarding information that is needed for its particular VRF instance An MVRF is created and configured in the same way as existing VRFs except multicast routing is also enabled on each MVRF A multicast domain constitutes the set of hosts that can send multicast traffic to each other within the MPLS network For example the multicast domain for a customer that wanted to...

Page 377: ...age the sending PE router removes the high bandwidth multicast stream from the default MDT and begins transmitting it over the new data MDT 6 The sending PE router continues to send a DATA MDT JOIN message every 60 seconds as long as the multicast stream continues to exceed the defined threshold If the stream falls below the threshold for more than 60 seconds the sending PE router stops sending th...

Page 378: ...w York site sends a join request that flows across the default MDT for the multicast domain The PE router associated with the multicast session source PE1 receives the request Figure 25 2 shows how the PE router forwards the request to the CE router associated with the multicast source CE1a 72756 MPLS Core P4 PE4 PE3 PE2 CE2 CE1b CE1a Multicast sender Local multicast recipient PE1 CE4 CE3 P1 P2 P3...

Page 379: ...RF in the multicast domain The MVRF uses the tunnel interface to access the multicast domain to provide a conduit that connects an MVRF and the global MVRF On the router the MTI is a tunnel interface created with the interface tunnel command with a class D multicast address All PE routers that are configured with a default MDT for this MVRF create a logical network in which each PE router appears ...

Page 380: ...t carry unicast routed traffic PE Router Routing Table Support for MVPN Each PE router that supports the MVPN feature uses the following routing tables to ensure that the VPN and MVPN traffic is routed correctly Default routing table Standard routing table used in all Cisco routers This table contains the routes that are needed for backbone traffic and for non MPLS VPN unicast and multicast traffi...

Page 381: ...h a time to live TTL value of 2 it drops the packet instead of encapsulating it and forwarding it across the MVPN link Because such packets would normally be dropped by the PE at the other end of the MVPN link this does not affect traffic flow If the core multicast routing uses SSM then the data and default multicast distribution tree MDT groups must be configured within the SSM range of IPv4 addr...

Page 382: ...articular VPN connection Each PE router that supports a particular MVRF must be configured with the same mdt default command The router supports only ingress replication when MVPN is configured If a router is currently configured for egress replication it is forced into ingress replication when the first MVRF is configured If a router is currently configured for egress replication we recommend per...

Page 383: ...config mls ip multicast replication mode ingress Router config do show mls ip multicast capability include Current Current mode of replication is Ingress Configuring a Multicast VPN Routing and Forwarding Instance These sections describe how to configure a multicast VPN routing and forwarding MVRF instance for each VPN connection on each PE router that is to handle the traffic for each particular ...

Page 384: ... number 101 3 32 bit IPv4 address your 16 bit number 192 168 122 15 1 This example show how to configure 55 1111 as the route distinguisher and verify the configuration Router config vrf rd 55 1111 Router config vrf do show ip vrf blue Name Default RD Interfaces blue 55 1111 Command or Action Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config ip vrf vrf_...

Page 385: ...xport route target extended community and verify the configuration Router config vrf route target both 55 1111 Router config vrf do show ip vrf detail VRF blue default RD 55 1111 default VPNID not set VRF Table ID 1 No interfaces Connected addresses are not in global routing table Export VPN route target communities RT 55 1111 Import VPN route target communities RT 55 1111 No import route map No e...

Page 386: ...Wildcard bitmask to be applied to the multicast group address to create a range of possible addresses This allows you to limit the maximum number of data MDTs that each MVRF can support threshold threshold_value Optional Defines the threshold value in kilobits at which multicast traffic should be switched from the default MDT to the data MDT The threshold_value parameter can range from 1 through 4...

Page 387: ...rd 200 3 route target export 200 3 route target import 200 3 mdt default 239 1 1 3 ip vrf mvpn cus249 rd 200 249 route target export 200 249 route target import 200 249 mdt default 239 1 1 249 mdt data 239 1 1 128 0 0 0 7 Displaying VRF Information To display all of the VRFs that are configured on the router use the show ip vrf command Router show ip vrf Name Default RD Interfaces green 1 52 Gigab...

Page 388: ...ARSE01SWRP 4 10 10 10 9 228 2 0 1 default H red 5 6 6 6 6 234 1 1 1 default H red 5 131 2 1 2 228 1 1 75 data send H red 5 131 2 1 2 228 1 1 76 data send H red 5 131 2 1 2 228 1 1 77 data send H red 5 131 2 1 2 228 1 1 78 data send H Router To display routing information for a particular VRF use the show ip route vrf command Router show ip route vrf red Codes C connected S static I IGRP R RIP M mo...

Page 389: ... Dense 00 16 25 00 02 49 H 6 9 0 100 228 1 0 1 00 14 13 00 03 29 flags FT Incoming interface GigabitEthernet3 1 3001 RPF nbr 0 0 0 0 RPF MFD Outgoing interface list Tunnel1 Forward Sparse Dense 00 14 13 00 02 46 H Router Note In this example the show ip mroute vrf command shows that Tunnel1 is the MDT tunnel interface MTI being used by this VRF Configuring Multicast VRF Routing These sections desc...

Page 390: ...r configure terminal Router config ip multicast routing vrf blue Configuring a PIM VRF Register Message Source Address To configure a PIM VRF register message source address perform this task This example show how to configure a PIM VRF register message source address Router config ip pim vrf blue register source loopback 3 Command or Action Purpose Step 1 Router configure terminal Enters global c...

Page 391: ...im vrf blue rp address 198 196 100 33 Configuring a Multicast Source Discovery Protocol MSDP Peer To configure an MSDP peer perform this task When configuring an MSDP peer note the following information vrf vrf_name Specifies a particular VRF instance to be used peer_name peer_address Domain Name System DNS name or IP address of the MSDP peer router connect source interface_type interface_number I...

Page 392: ...ring the maximum number of routes note the following information vrf vrf_name Enables route limiting for the specified VRF limit The number of multicast routes that can be added The range is from 1 to 2147483647 with a default of 2147483647 threshold Optional Number of multicast routes that can be added before a warning message occurs The valid range is from 1 to the value of the limit parameter T...

Page 393: ...tarting and ending VRFs are shown ip multicast routing ip multicast routing vrf lite ip multicast routing vrf vpn201 ip multicast routing vrf vpn202 ip multicast routing vrf vpn249 ip multicast routing vrf vpn250 ip multicast cache headers ip pim rp address 192 0 1 1 ip pim vrf lite rp address 104 1 1 2 ip pim vrf vpn201 rp address 192 200 1 1 ip pim vrf vpn202 rp address 192 200 2 1 ip pim vrf vp...

Page 394: ...ulticast PIM must be configured on all interfaces that are being used for IPv4 multicast traffic In a VPN multicast environment you should enable PIM on at least all of the following interfaces Physical interface on a provider edge PE router that is connected to the backbone Loopback interface that is used for BGP peering Loopback interface that is used as the source for the sparse PIM rendezvous ...

Page 395: ...s how to configure PIM sparse mode on a physical interface Router configure terminal interface gigabitethernet 10 1 Router config if ip pim sparse mode This example shows how to configure PIM sparse mode on a loopback interface Router configure terminal Router config interface loopback 2 Router config if ip pim sparse mode Configuring an Interface for IPv4 VRF Forwarding To configure an interface ...

Page 396: ... GigabitEthernet1 15 description Backbone connection ip address 10 8 4 2 255 255 255 0 ip pim sparse mode ip pim vrf blue rp address 192 7 25 1 ip pim rp address 10 1 1 1 Sample Configurations for MVPN This section contains the following sample configurations for the MVPN feature MVPN Configuration with Default MDTs Only page 25 22 MVPN Configuration with Default and Data MDTs page 25 24 MVPN Conf...

Page 397: ...l ldp mpls ldp logging neighbor changes mpls ldp explicit null mpls traffic eng tunnels tag switching tdp discovery directed hello accept from 1 tag switching tdp router id Loopback0 force mls ip multicast replication mode ingress mls ip multicast flow stat timer 9 mls ip multicast bidir gm scan interval 10 mls flow ip destination no mls flow ipv6 mls rate limit unicast cef glean 10 10 mls qos mls...

Page 398: ...up 229 1 1 2 ip igmp static group 229 1 1 4 interface GigabitEthernet3 20 ip vrf forwarding mvpn cus1 ip address 192 16 1 1 255 255 255 0 ip pim sparse dense mode MVPN Configuration with Default and Data MDTs The following sample configuration includes three MVRFs that have been configured for both default and data MDTs Only the configuration that is relevant to the MVPN configuration is shown ip ...

Page 399: ...gm scan interval 10 no mls flow ip no mls flow ipv6 mls cef error action freeze vlan internal allocation policy ascending vlan access log ratelimit 2000 interface Loopback1 ip address 155 255 255 1 255 255 255 255 ip pim sparse mode interface Loopback4 ip vrf forwarding v4 ip address 155 255 4 4 255 255 255 255 ip pim sparse mode interface Loopback11 ip vrf forwarding v1 ip address 155 255 255 11 ...

Page 400: ...ip address 157 155 1 155 255 255 255 0 ip pim bsr border ip pim sparse dense mode interface GigabitEthernet6 1 no ip address shutdown interface GigabitEthernet6 2 ip address 9 1 10 155 255 255 255 0 media type rj45 interface Vlan1 no ip address shutdown router ospf 11 vrf v1 router id 155 255 255 11 log adjacency changes redistribute connected subnets tag 155 redistribute bgp 1 subnets tag 155 net...

Page 401: ... no auto summary no synchronization exit address family address family ipv4 vrf v2 redistribute ospf 22 no auto summary no synchronization exit address family address family ipv4 vrf v1 redistribute ospf 11 no auto summary no synchronization exit address family ip classless ip route 9 255 254 1 255 255 255 255 9 1 10 254 no ip http server ip pim bidir enable ip pim rp address 50 255 2 2 MCAST MVPN...

Page 402: ...it any ip access list standard MCAST MVPN MDT v1 permit 226 1 0 0 0 0 255 255 ip access list standard MCAST MVPN MDT v2 permit 226 2 0 0 0 0 255 255 ip access list standard MCAST MVPN MDT v3 permit 226 3 0 0 0 0 255 255 ip access list standard MCAST MVPN RP v4 permit 227 0 0 0 0 255 255 255 access list 1 permit 226 1 1 1 access list 2 deny 226 1 1 1 access list 2 permit any Tip For additional info...

Page 403: ...tio n_guides_list html IPX traffic is fast switched on the MSFC For more information refer to this URL http www cisco com en US docs ios 12_2 atipx configuration guide fatipx_c html For information about IP multicast Layer 3 switching see Chapter 28 Configuring IPv4 Multicast Layer 3 Switching This chapter consists of these sections Understanding How Layer 3 Switching Works page 26 2 Default Hardw...

Page 404: ...itching for TCP intercept reflexive ACL forwarding decisions Hardware Cisco Express Forwarding CEF switching for all other IP unicast traffic Hardware Layer 3 switching on the PFC supports modules that do not have a DFC The MSFC forwards traffic that cannot be Layer 3 switched Traffic is hardware Layer 3 switched after being processed by access lists and quality of service QoS Hardware Layer 3 swi...

Page 405: ...r multicast packets replicates as necessary the rewritten packet to Destination B s subnet A received IP unicast packet is formatted conceptually as follows After the router rewrites an IP unicast packet it is formatted conceptually as follows Hardware Layer 3 Switching Examples Figure 26 1 on page 26 4 shows a simple network topology In this example Host A is on the Sales VLAN IP subnet 171 59 1 ...

Page 406: ...rnet V2 0 ARPA 802 3 with 802 2 with 1 byte control SAP1 Source IP Address 171 59 1 2 171 59 1 2 Host A 171 59 1 2 Host B 171 59 3 1 Host C 171 59 2 2 171 59 2 2 171 59 1 2 171 59 2 2 Data 171 59 3 1 171 59 2 2 171 59 1 2 Dd Bb Dd Cc Dd Aa Marketing Engineering Sales Destination IP Address Rewrite Src Dst MAC Address Destination VLAN MSFC Subnet 1 Sales MAC Aa MAC Dd MAC Bb MAC Cc Subnet 3 Marketi...

Page 407: ... Layer 3 switching With a PFC and DFCs if present hardware Layer 3 switching uses per flow load balancing based on IP source and destination addresses Per flow load balancing avoids the packet reordering that can be necessary with per packet load balancing For any given flow all PFC and DFC equipped switches make exactly the same load balancing decision which can result in nonrandom load balancing...

Page 408: ...splay adjacency statistics Router show adjacency gigabitethernet 9 5 detail Protocol Interface Address IP GigabitEthernet9 5 172 20 53 206 11 504 packets 6110 bytes 00605C865B82 000164F83FA50800 ARP 03 49 31 Note Adjacency statistics are updated approximately every 60 seconds Tip For additional information including configuration examples and troubleshooting information see the documents listed on...

Page 409: ... html The Cisco IOS IPv6 Command Reference http www cisco com en US docs ios ipv6 command reference ipv6_book html These sections provide additional information about IPv6 multicast support on Cisco 7600 series routers Features that Support IPv6 Multicast page 27 2 IPv6 Multicast Guidelines and Restrictions page 27 2 New or Changed IPv6 Multicast Commands page 27 3 Configuring IPv6 Multicast Layer...

Page 410: ...p www cisco com en US docs ios 12_2t ipv6 ipv6_vgf html IPv6 Multicast Guidelines and Restrictions These guidelines and restrictions apply to IPv6 multicast support on Cisco 7600 series routers With Release 12 2 18 SXE and later releases the PFC3 and DFC3 provide hardware support for the following Completely switched IPv6 multicast flows IPv6 PIM Sparse Mode PIM SM S G forwarding Multicast RPF che...

Page 411: ...ase 12 2SX for information about these IPv6 multicast commands which are new or changed in Release 12 2 18 SXE ipv6 mfib hardware switching mls rate limit multicast ipv6 see Chapter 36 Configuring Denial of Service Protection show ipv6 mfib show mls rate limit see Chapter 36 Configuring Denial of Service Protection show platform software ipv6 multicast show tcam interface Configuring IPv6 Multicas...

Page 412: ...re Bridging and Drop Counts page 27 7 Displaying the Shared and Well Known Hardware Adjacency Counters page 27 8 Note The show commands in the following sections are for a router with a DFC3 equipped switching module in slot 1 and a Supervisor Engine 720 with a PFC3 in slot 6 Verifying MFIB Clients This example shows the complete output of the show ipv6 mrib client command Router show ipv6 mrib cl...

Page 413: ...Ingress Ingress Verifying the S G Forwarding Capability This example shows how to verify the S G forwarding Router show platform software ipv6 multicast capability include S G S G forwarding for IPv6 supported using Netflow Verifying the G Forwarding Capability This example shows how to verify the G forwarding Router show platform software ipv6 multicast capability include G G bridging for IPv6 is...

Page 414: ...ion Capability Replication Mode 1 Ingress Ingress 2 Egress Ingress 6 Egress Ingress 8 Ingress Ingress Displaying Subnet Entries This example shows how to display subnet entries Router show platform software ipv6 multicast connected IPv6 Multicast Subnet entries Flags H Installed in ACL TCAM X Not installed in ACL TCAM due to label full exception Interface Vlan20 H S 20 1 G FF00 Interface Vlan10 H ...

Page 415: ...pe Shortcut count S G 100 G 0 Output deleted IPv6 Multicast Netflow SC summary on Slot 6 Shortcut Type Shortcut count S G 100 G 0 Output truncated Note The NetFlow G count is always zero because PIM SM G forwarding is supported in software on the MSFC3 Displaying the FIB Hardware Bridging and Drop Counts This example shows how to display the FIB hardware bridging and drop hardware counts Router sh...

Page 416: ...djacencies Index Packets Bytes Subnet bridge adjacency 0x7F802 0 0 Control bridge adjacency 0x7 0 0 StarG_M bridge adjacency 0x8 0 0 S_G bridge adjacency 0x9 0 0 Default drop adjacency 0xA 0 0 StarG spt INF adjacency 0xB 0 0 StarG spt INF adjacency 0xC 0 0 SLOT 6 Shared IPv6 Mcast Adjacencies Index Packets Bytes Subnet bridge adjacency 0x7F802 0 0 Control bridge adjacency 0x7 0 0 StarG_M bridge ad...

Page 417: ... This chapter consists of these sections Understanding How IPv4 Multicast Layer 3 Switching Works page 28 1 Understanding How IPv4 Bidirectional PIM Works page 28 7 Default IPv4 Multicast Layer 3 Switching Configuration page 28 7 IPv4 Multicast Layer 3 Switching Configuration Guidelines and Restrictions page 28 8 Configuring IPv4 Multicast Layer 3 Switching page 28 9 Configuring IPv4 Bidirectional...

Page 418: ... determination The PFC and the DFCs all use the Layer 2 multicast forwarding table to determine on which ports Layer 2 multicast traffic should be forwarded if any The multicast forwarding table entries are populated in conjunction with Internet Group Management Protocol IGMP snooping see Chapter 30 Configuring IGMP Snooping for IPv4 Multicast Traffic Multicast Layer 3 Switching Cache This section...

Page 419: ...he source VLAN the PFC must perform a packet rewrite when it replicates the traffic to the other VLANs the router also bridges the packet in the source VLAN When the PFC receives the multicast packet it is conceptually formatted as follows The PFC rewrites the packet as follows Changes the source MAC address in the Layer 2 frame header from the MAC address of the host to the MAC address of the MSF...

Page 420: ...e flow using the ip multicast ttl threshold command If the multicast helper is configured on the RPF interface for the flow and multicast to broadcast translation is required With a PFC2 if the outgoing interface is a generic routing encapsulation GRE tunnel interface With a PFC3 and releases earlier than Release 12 2 18 SXE if the outgoing interface is a generic routing encapsulation GRE tunnel i...

Page 421: ...witched flow is that multicast statistics on a per packet basis for that flow cannot be recorded Therefore the PFC periodically sends multicast packet and byte count statistics for all completely switched flows to the MSFC The MSFC updates the corresponding multicast routing table entry and resets the expiration timer for that multicast route Note A G state is created on the PIM RP or for PIM dens...

Page 422: ...ets have to be seen on the router for the PIM assert mechanism to function properly Use CEF based or NetFlow based rate limiting to limit the rate of RPF failures in dense mode networks and sparse mode transit networks For information on configuring ACL based filtering of RPF failures see the Configuring ACL Based Filtering of RPF Failures section on page 28 17 Rate Limiting of RPF Failure Traffic...

Page 423: ...AM entries or modifies existing ACL TCAM entries if other ACL based features are active on the interface To verify TCAM resource utilization enter the show tcam counts ip command If you configure the filter autorp keyword the administrative boundary also examines auto RP discovery and announcement messages and removes any auto RP group range announcements from the auto RP packets that are denied b...

Page 424: ...nge 0 to 255 which is used by routing protocols Layer 3 switching is supported for groups 224 0 2 to 239 Note Groups in the 224 0 0 range are reserved for routing control packets and must be flooded to all forwarding ports of the VLAN These addresses map to the multicast MAC address range 01 00 5E 00 00 xx where xx is in the range 0 0xFF For PIM auto RP multicast groups IP multicast group addresse...

Page 425: ...pported Configuring IPv4 Multicast Layer 3 Switching These sections describe how to configure IP multicast Layer 3 switching Source Specific Multicast with IGMPv3 IGMP v3lite and URD page 28 10 Enabling IPv4 Multicast Routing Globally page 28 10 Enabling IPv4 PIM on Layer 3 Interfaces page 28 10 Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces page 28 11 Configuring the Replication Mo...

Page 426: ... enable IP multicast routing globally before you can enable IP multicast Layer 3 switching on Layer 3 interfaces For complete information and procedures refer to these publications Cisco IOS IP and IP Routing Configuration Guide Release 12 2 at this URL http www cisco com en US docs ios 12_2 ip configuration guide fipr_c html Cisco IOS IP and IP Routing Command Reference Release 12 1 at this URL h...

Page 427: ...y default on the Layer 3 interface when you enable PIM on the interface Perform this task only if you disabled IP multicast Layer 3 switching on the interface and you want to reenable it PIM can be enabled on any Layer 3 interface including VLAN interfaces Note You must enable PIM on all participating Layer 3 interfaces before IP multicast Layer 3 switching will function For information on configu...

Page 428: ...this action by entering the mls ip multicast replication mode egress command so that the system continues to work in egress replication mode even if there are fabric enabled modules installed that do not support egress replication for example OSMs You can also configure the system to operate only in ingress replication mode If the system is functioning in automatic detection mode and you install a...

Page 429: ...mls ip multicast replication mode ingress command restores the system to automatic detection mode To enable IP multicast Layer 3 switching perform this task This example shows how to enable the replication mode Router config mls ip multicast replication mode egress Router show mlp ip multicast capability Current mode of replication is Ingress Configured replication mode is Egress Slot Multicast re...

Page 430: ...s which are associated with the switch fabric connection that the replication engine supports When you enable this feature the multicast expansion table MET for each replication engine is populated with the local Layer 3 interfaces only This action prevents replication for interfaces that are not supported by the replication engine nonlocal interfaces and increases replication performance Local eg...

Page 431: ...Layer 3 switching threshold perform this task This example shows how to configure the Layer 3 switching threshold to 10 packets per second Router config mls ip multicast threshold 10 Router config Enabling Installation of Directly Connected Subnets In PIM sparse mode a first hop router that is the designated router for the interface may need to encapsulate the source traffic in a PIM register mess...

Page 432: ...ip multicast flow stat timer 10 Router config Enabling Shortcut Consistency Checking When you enable the shortcut consistency checking feature the multicast route table and the multicast hardware entries are checked for consistency and any inconsistencies are corrected You can view inconsistencies by entering the show mls ip multicast consistency check command If consistency checking is enabled th...

Page 433: ... Failure Rate Limiting Information To display RPF failure rate limiting information perform this task This example shows how to display RPF failure rate limiting information Router show mls ip multicast summary 10004 MMLS entries using 1280464 bytes of memory Number of partial hardware switched flows 4 Number of complete hardware switched flows 10000 Router Command Purpose Step 1 Router config int...

Page 434: ...ist 1 deny 239 0 0 0 0 255 255 255 Router config access list 1 permit 224 0 0 0 15 255 255 255 Router config interface gigabitethernet 5 2 Router config if ip multicast boundary 1 Displaying IPv4 Multicast Layer 3 Hardware Switching Summary Note The show interface statistics command does not display hardware switched packets only packets switched by software The show ip pim interface count command...

Page 435: ... 28552 bytes of memory 13 groups 3 30 average sources per group Forwarding Counts Pkt Count Pkts per second Avg Pkt Size Kilobits per second Other counts Total RPF failed Other drops OIF null rate limit etc Group 224 2 136 89 Source count 1 Group pkt count 29051 Source 132 206 72 28 32 Forwarding 29051 278 1186 0 Other 85724 8 56665 Router Note The tive counter means that the outgoing interface li...

Page 436: ... Redirect outbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled IP multicast multilayer switching is enabled IP mls switching is enabled Router This example shows how to display the IP multicast Layer 3 switching configuration of Gigabit Ethernet interface 1 2 Router show interfaces gigabitEthernet 1 2 GigabitEthernet1 2 is up line protocol is up connected Hardware ...

Page 437: ... 00 16 41 00 00 00 RP 10 15 1 20 flags SJC Incoming interface GigabitEthernet4 8 RPF nbr 10 15 1 20 Outgoing interface list GigabitEthernet4 9 Forward Sparse Dense 00 16 41 00 00 00 H 230 13 13 2 00 16 41 00 00 00 RP 10 15 1 20 flags SJC Incoming interface GigabitEthernet4 8 RPF nbr 10 15 1 20 RPF MFD Outgoing interface list GigabitEthernet4 9 Forward Sparse Dense 00 16 41 00 00 00 H 10 20 1 15 23...

Page 438: ...n 10 Multicast hardware switched flows 10 1 0 15 224 2 2 15 Incoming interface Vlan10 Packets switched 0 Hardware switched outgoing interfaces MFD installed Vlan10 10 1 0 19 224 2 2 19 Incoming interface Vlan10 Packets switched 1970 Hardware switched outgoing interfaces MFD installed Vlan10 10 1 0 11 224 2 2 11 Incoming interface Vlan10 Packets switched 0 Hardware switched outgoing interfaces MFD ...

Page 439: ...otification received 0 MSM sent 205170 MSM ACK received 205170 Delete notifications received 0 Flow Statistics messages received 35211 MLS Multicast statistics Flow install Ack 996508 Flow install Nack 1 Flow update Ack 1415959 Flow update Nack 0 Flow delete Ack 774953 Complete flow install Ack 958469 Router Configuring IPv4 Bidirectional PIM These sections describe how to configure IPv4 bidirecti...

Page 440: ...example shows how to set the IPv4 bidirectional PIM RP RPF scan interval Router config mls ip multicast bidir gm scan interval 30 Router config Command Purpose Step 1 Router config ip pim rp adress ip_address access_list override Statically configures the IP address of the rendezvous point for the group When you specify the override option the static rendezvous point is used Step 2 Router config a...

Page 441: ...FD Outgoing interface list GigabitEthernet2 1 Bidir Upstream Sparse Dense 00 00 02 00 00 00 H Vlan30 Forward Sparse Dense 00 00 02 00 02 57 H 225 1 2 0 00 00 04 00 02 55 RP 3 3 3 3 flags BC Bidir Upstream GigabitEthernet2 1 RPF nbr 10 53 1 7 RPF MFD Outgoing interface list GigabitEthernet2 1 Bidir Upstream Sparse Dense 00 00 04 00 00 00 H Vlan30 Forward Sparse Dense 00 00 04 00 02 55 H 225 1 4 1 0...

Page 442: ...d02h 00 02 39 ttl threshold 5 This example shows how to display the entries for a specific multicast group address Router show mls ip multicast group 230 31 31 1 Multicast hardware switched flows 230 31 31 1 Incoming interface Vlan611 Packets switched 1778 Hardware switched outgoing interfaces Vlan131 Vlan151 Vlan415 Gi4 16 Vlan611 RPF MFD installed This example shows how to display PIM group to a...

Page 443: ...he Displaying IPv4 Multicast Layer 3 Switching Statistics section on page 28 22 Table 28 2 IP Multicast Layer 3 Switching Debug Commands Command Description no debug mls ip multicast events Displays IP multicast Layer 3 switching events no debug mls ip multicast errors Turns on debug messages for multicast MLS related errors no debug mls ip multicast group group_id group_mask Turns on debugging fo...

Page 444: ...rce IP address of the server sourcing the multicast stream PIM configured on all related Layer 3 interfaces The unicast routing table is used to do path selection for PIM PIM uses RPF checks to ultimately determine the shortest path tree SPT between the client receiver VLAN and the source multicast VLAN Therefore the objective of PIM is to find the shortest unicast path between the receiver subnet...

Page 445: ...isco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html To constrain IPv4 Multicast traffic see Chapter 30 Configuring IGMP Snooping for IPv4 Multicast Traffic MLD version 1 is not supported This chapter consists of these sections Understanding How MLDv2 Snooping Works page 29 2 Default MLDv2 Snooping Configuration page 29 8 MLDv2 Snooping Configuration Guidelines and Restrictions page 29 8 MLDv...

Page 446: ...rward IPv6 multicast traffic only to those ports that want to receive it MLDv2 which runs at Layer 3 on a multicast router generates Layer 3 MLDv2 queries in subnets where the multicast traffic needs to be routed For information about MLDv2 see this publication http www cisco com en US docs ios ipv6 configuration guide 12_2sx ipv6_12_2sx_book html You can configure the MLDv2 snooping querier on th...

Page 447: ...d Filtering MLDv2 uses source based filtering which enables hosts and routers to specify which multicast sources should be allowed or blocked for a specific multicast group Source based filtering either allows or blocks traffic based on the following information in MLDv2 messages Source lists INCLUDE or EXCLUDE mode Because the Layer 2 table is MAC group VLAN based with MLDv2 hosts it is preferabl...

Page 448: ...ast Group Hosts join IPv6 multicast groups either by sending an unsolicited MLDv2 report or by sending an MLDv2 report in response to a general query from an IPv6 multicast router the router forwards general queries from IPv6 multicast routers to all ports in a VLAN The router snoops these reports In response to a snooped MLDv2 report the router creates an entry in its Layer 2 forwarding table for...

Page 449: ... from other packets for the multicast group The first entry in the table tells the router to send only MLDv2 packets to the CPU This prevents the router from becoming overloaded with multicast frames The second entry tells the router to send frames addressed to the 0x0100 5E01 0203 multicast MAC address that are not MLDv2 packets MLDv2 to the multicast router and to the host that has joined the gr...

Page 450: ...eneral queries called a silent leave or they can send an MLDv2 filter mode change record When MLDv2 snooping receives a filter mode change record from a host that configures the EXCLUDE mode for a group MLDv2 snooping sends out a MAC addressed general query to determine if any other hosts connected to that interface are interested in traffic for the specified multicast group If MLDv2 snooping does...

Page 451: ...ce list is exactly the same as the source list received in the leave message the router removes the host from the LTL index and stops forwarding this multicast group traffic to this host If the source lists do not match the router does not remove the host from the LTL index until the host is no longer interested in receiving traffic from any source Note Disabling explicit host tracking disables fa...

Page 452: ... 1 described in RFC 2710 Hosts that support only MLD version 1 interoperate with a router running MLD version 2 Mixed LANs with both MLD version 1 and MLD version 2 hosts are supported MLDv2 snooping supports private VLANs Private VLANs do not impose any restrictions on MLDv2 snooping MLDv2 snooping constrains traffic in MAC multicast groups 0100 5e00 0001 to 0100 5eff ffff MLDv2 snooping does not...

Page 453: ...pport it One router is elected as the querier Enabling the MLDv2 Snooping Querier Use the MLDv2 snooping querier to support MLDv2 snooping in a VLAN where PIM and MLDv2 are not configured because the multicast traffic does not need to be routed To enable the MLDv2 snooping querier in a VLAN perform this task This example shows how to enable the MLDv2 snooping querier on VLAN 200 and verify the con...

Page 454: ...5 Note Except for the global enable command all MLDv2 snooping commands are supported only on VLAN interfaces Enabling MLDv2 Snooping To enable MLDv2 snooping globally perform this task This example shows how to enable MLDv2 snooping globally and verify the configuration Router config ipv6 mld snooping Router config end Router show ipv6 mld interface vlan 200 include globally MLD snooping is globa...

Page 455: ...ing sent to other ports in the same VLAN This example shows how to configure a static connection to a multicast receiver Router config mac address table static 0050 3e8d 6400 vlan 12 interface fastethernet 5 7 Configuring a Multicast Router Port Statically To configure a static connection to a multicast router perform this task Step 3 Router config if end Exits configuration mode Step 4 Router sho...

Page 456: ...precedence To configure the interval for the MLD snooping queries sent by the router perform this task This example shows how to configure the MLD snooping query interval Router config if ipv6 mld snooping last member query interval 1000 Router config if exit Router show ipv6 mld interface vlan 200 include last MLD snooping last member query response interval is 1000 ms Step 3 Router config if end...

Page 457: ...ng SSM Safe Reporting To enable source specific multicast SSM safe reporting perform this task This example shows how to SSM safe reporting Router config interface vlan 10 Router config if ipv6 mld snooping ssm safe reporting Command Purpose Step 1 Router config interface vlan vlan_ID Selects a VLAN interface Step 2 Router config if ipv6 mld snooping fast leave Enables fast leave processing in the...

Page 458: ... to enable explicit host tracking Router config interface vlan 25 Router config if ipv6 mld snooping report suppression Router config if end Router Router show ipv6 mld interface vlan 25 include report suppression MLD snooping report suppression is enabled Command Purpose Step 1 Router config interface vlan vlan_ID Selects a VLAN interface Step 2 Router config if ipv6 mld snooping explicit trackin...

Page 459: ...r show ipv6 mld snooping mrouter vlan 1 vlan ports 1 Gi1 1 Gi2 1 Fa3 48 Router Router Displaying MAC Address Multicast Entries To display MAC address multicast entries for a VLAN perform this task This example shows how to display MAC address multicast entries for VLAN 1 Router show mac address table multicast vlan 1 vlan mac address type qos ports 1 0100 5e02 0203 static Gi1 1 Gi2 1 Fa3 48 Router...

Page 460: ...1 Router show ipv6 mld snooping mrouter vlan 1 vlan ports 1 Gi1 1 Gi2 1 Fa3 48 Router This example shows IGMP snooping statistics information for VLAN 25 Router show ipv6 mld snooping statistics interface vlan 25 Snooping staticstics for Vlan25 channels 2 hosts 1 Source Group Interface Reporter Uptime Last Join Last Leave 10 1 1 1 226 2 2 2 Gi1 2 Vl25 16 27 2 3 00 01 47 00 00 50 10 2 2 2 226 2 2 2...

Page 461: ...ter 29 Configuring MLDv2 Snooping for IPv6 Multicast Traffic This chapter consists of these sections Understanding How IGMP Snooping Works page 30 1 Default IGMP Snooping Configuration page 30 7 IGMP Snooping Configuration Guidelines and Restrictions page 30 8 IGMP Snooping Querier Configuration Guidelines and Restrictions page 30 8 Enabling the IGMP Snooping Querier page 30 9 Configuring IGMP Sno...

Page 462: ...3 IGMP traffic Note If a multicast group has only sources and no receivers in a VLAN IGMP snooping constrains the multicast traffic to only the multicast router ports Joining a Multicast Group Hosts join multicast groups either by sending an unsolicited IGMP join message or by sending an IGMP join message in response to a general query from a multicast router the router forwards general queries fr...

Page 463: ...ackets from other packets for the multicast group The first entry in the table tells the switching engine to send only IGMP packets to the CPU This prevents the CPU from becoming overloaded with multicast frames The second entry tells the switching engine to send frames addressed to the 0x0100 5E01 0203 multicast MAC address that are not IGMP packets IGMP to the multicast router and to the host th...

Page 464: ...ey can send a group specific IGMPv2 leave message When IGMP snooping receives a group specific IGMPv2 leave message from a host it sends out a MAC based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group If IGMP snooping does not receive an IGMP Join message in response to the general query it assumes that no other...

Page 465: ... more than one host is connected to a Layer 2 LAN port some hosts might be dropped inadvertently Fast leave processing is supported only with IGMP version 2 hosts Understanding the IGMP Snooping Querier Use the IGMP snooping querier to support IGMP snooping in a VLAN where PIM and IGMP are not configured because the multicast traffic does not need to be routed In a network where IP multicast routi...

Page 466: ...d hosts send BLOCK_OLD_SOURCES src list messages for a specific group when they no longer want to receive traffic from that source When the router receives such a message from a host it parses the list of sources for that host for the given group If this source list is exactly the same as the source list received in the leave message the router removes the host from the LTL index and stops forward...

Page 467: ...d builds an explicit tracking database that contains the following information The port connected to the host The channels reported by the host The filter mode for each group reported by the host The list of sources for each group reported by the hosts The router filter mode of each group For each group the list of hosts requesting the source Note Turning off explicit host tracking disables fast l...

Page 468: ...en configuring the IGMP snooping querier follow these guidelines and restrictions The IGMP snooping querier does not support querier elections Enable the IGMP snooping querier on only one router in the VLAN CSCsk48795 Configure the VLAN in global configuration mode see Chapter 14 Configuring VLANs Configure an IP address on the VLAN interface see Chapter 22 Configuring Layer 3 Interfaces When enab...

Page 469: ... Multicast Layer 3 Switching or enable the IGMP snooping querier in the subnet see the Enabling the IGMP Snooping Querier section on page 30 9 IGMP snooping allows Cisco 7600 series routers to examine IGMP packets and make forwarding decisions based on their content These sections describe how to configure IGMP snooping Enabling IGMP Snooping page 30 10 Configuring a Static Connection to a Multica...

Page 470: ...Router interface vlan 25 Router config if ip igmp snooping Router config if end Router show ip igmp interface vl25 include snooping IGMP snooping is globally enabled IGMP snooping is enabled on this interface IGMP snooping fast leave is disabled and querier is disabled IGMP snooping explicit tracking is enabled on this interface IGMP snooping last member query interval on this interface is 1000 ms...

Page 471: ...er Router config if ip igmp snooping mrouter interface fastethernet 5 6 Router config if Configuring the IGMP Snooping Query Interval You can configure the interval for which the router waits after sending a group specific query to determine if hosts are still interested in a specific multicast group Note When both IGMP fast leave processing and the IGMP query interval are configured fast leave pr...

Page 472: ...end Router show ip igmp interface vlan 200 include fast leave IGMP snooping fast leave is enabled on this interface Router config if Configuring Source Specific Multicast SSM Mapping Note Release 12 2 18 SXD3 and later releases support SSM mapping Do not configure SSM mapping in a VLAN that supports IGMPv3 multicast receivers To configure SSM mapping refer to this publication http www cisco com en...

Page 473: ...hows how to enable explicit host tracking Router config interface vlan 25 Router config if ip igmp snooping explicit tracking Router config if end Router show ip igmp snooping explicit tracking vlan 25 Source Group Interface Reporter Filter_mode 10 1 1 1 226 2 2 2 Vl25 1 2 16 27 2 3 INCLUDE 10 2 2 2 226 2 2 2 Vl25 1 2 16 27 2 3 INCLUDE Command Purpose Step 1 Router config interface vlan vlan_ID Se...

Page 474: ...rfaces in VLAN 1 Router show ip igmp snooping mrouter vlan 1 vlan ports 1 Gi1 1 Gi2 1 Fa3 48 Router Router Displaying MAC Address Multicast Entries To display MAC address multicast entries for a VLAN perform this task This example shows how to display MAC address multicast entries for VLAN 1 Router show mac address table multicast vlan 1 vlan mac address type qos ports 1 0100 5e02 0203 static Gi1 ...

Page 475: ...TL threshold is 0 Multicast designated router DR is 43 0 0 1 this system IGMP querying router is 43 0 0 1 this system Multicast groups joined by this system number of users 224 0 1 40 1 IGMP snooping is globally enabled IGMP snooping is enabled on this interface IGMP snooping fast leave is disabled and querier is disabled IGMP snooping explicit tracking is enabled on this interface IGMP snooping l...

Page 476: ...ping statistics interface vlan 25 Snooping statistics for Vlan25 channels 2 hosts 1 Source Group Interface Reporter Uptime Last Join Last Leave 10 1 1 1 226 2 2 2 Gi1 2 Vl25 16 27 2 3 00 01 47 00 00 50 10 2 2 2 226 2 2 2 Gi1 2 Vl25 16 27 2 3 00 01 47 00 00 50 Router Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page...

Page 477: ...ing page 31 5 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How PIM Snooping Works In networks where a Layer 2 router interconnects several routers such as an Internet exchange point IXP the router floods IP m...

Page 478: ...strations show the flow of traffic and flooding that results in networks without PIM snooping enabled and the flow of traffic and traffic restriction when PIM snooping is enabled Figure 31 1 shows the flow of a PIM join message without PIM snooping enabled In the figure the switches flood the PIM join message intended for Router B to all connected routers Figure 31 1 PIM Join Message Flow without ...

Page 479: ...he figure the switches flood the data traffic intended for Router A to all connected routers Figure 31 3 Data Traffic Flow without PIM Snooping Figure 31 4 shows the flow of data traffic with PIM snooping enabled In the figure the switches forward the data traffic only to the router that needs to receive it Router A Router C Router D Router B Router A G PIM join RP Source Receiver IGMP join 99474 ...

Page 480: ...e payload of the join or prune message Directly connected sources are supported for bidirectional PIM groups Traffic from directly connected sources is forwarded to the designated router and designated forwarder for a VLAN In some cases a nondesignated router NDR can receive a downstream S G join For source only networks the initial unknown traffic is flooded only to the designated routers and des...

Page 481: ...PIM snooping globally perform this task This example shows how to enable PIM snooping globally and verify the configuration Router config ip pim snooping Router config end Router show ip pim snooping Global runtime mode Enabled Global admin mode Enabled Number of user enabled VLANs 1 User enabled VLANs 10 Router Note You do not need to configure an IP address or IP PIM in order to run PIM snooping...

Page 482: ... the designated router DR This method of operation can send unnecessary multicast packets to the designated router The network must carry the unnecessary traffic and the designated router must process and drop the unnecessary traffic To reduce the traffic sent over the network to the designated router disable designated router flooding With designated router flooding disabled PIM snooping only pas...

Page 483: ...266 08 Chapter 31 Configuring PIM Snooping Configuring PIM Snooping Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 484: ...31 8 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 31 Configuring PIM Snooping Configuring PIM Snooping ...

Page 485: ... that exits the Cisco 7600 series router through ports to which only disinterested multicast routers are connected RGMP reduces network congestion by forwarding multicast traffic to only those routers that are configured to receive it Note To use RGMP you must enable IGMP snooping on the Cisco 7600 series router IGMP snooping constrains multicast traffic that exits through LAN ports to which hosts...

Page 486: ...c that exits through LAN ports on which it detects an RGMP enabled router If a non RGMP enabled router is detected on a LAN port that port receives all multicast traffic RGMP does not support directly connected multicast sources in the network A directly connected multicast source will send multicast traffic into the network without signaling through RGMP or PIM This multicast traffic will not be ...

Page 487: ... multicast groups that might map to a MAC address The capability of the Cisco 7600 series router to constrain traffic is limited by its content addressable memory CAM table capacity Enabling RGMP on Layer 3 Interfaces To enable RGMP on a Layer 3 interface perform this task This example shows how to configure RGMP on FastEthernet port 3 3 Router configure terminal Enter configuration commands one p...

Page 488: ...32 4 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 32 Configuring RGMP Enabling RGMP on Layer 3 Interfaces ...

Page 489: ...Note For complete syntax and usage information for the commands used in this chapter refer to these publications The Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html The Release 12 2 publications at this URL http www cisco com en US products sw iosswrel ps1835 products_installation_and_configuratio n_guides_list html This ...

Page 490: ...g check Unicast RPF check Understanding PFC3 Unicast RPF Check Support page 33 2 Understanding PFC2 Unicast RPF Check Support page 33 3 Unicast RPF Check Guidelines and Restrictions page 33 3 Configuring Unicast RPF Check page 33 3 Understanding PFC3 Unicast RPF Check Support For a complete explanation of how Unicast RPF check works refer to the Cisco IOS Security Configuration Guide Release 12 2 ...

Page 491: ...at has multiple return paths for example load sharing Unicast RPF Check Guidelines and Restrictions When configuring Unicast RPF check follow these guidelines and restrictions If you configure Unicast RPF check to filter with an ACL the PFC determines whether or not traffic matches the ACL The PFC sends the traffic denied by the RPF ACL to the MSFC for the Unicast RPF check Packets permitted by th...

Page 492: ...s sent to the log server Note When you enter the ip verify unicast source reachable via command the Unicast RPF check mode changes on all ports in the router This example shows how to enable Unicast RPF exist only check mode on Gigabit Ethernet port 4 1 Router config interface gigabitethernet 4 1 Router config if ip verify unicast source reachable via any Router config if end Router This example s...

Page 493: ... on any additional interfaces are redirected punted to the MSFC3 for Unicast RPF check in software pass The PFC3 performs the Unicast RPF check in hardware for single path and two path prefixes Unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse path interfaces these packets always pass the Unicast RPF check interface group The PFC3 performs the Unic...

Page 494: ...iguration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Command Purpose Step 1 Router config mls ip cef rpf interface group 0 1 2 3 interface1 interface2 interface3 interface4 Configures a multiple path RPF interface group on a PFC3 Step 2 Router config mls ip cef rpf interface...

Page 495: ...p_ps6017_TS D_Products_Configuration_Guide_Chapter html Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Cisco IOS ACL Configuration Guidelines and Restrictions The following guidelines and restrictions apply to Cisco IOS ACL ...

Page 496: ...ng ACL configuration Hardware and Software ACL Support Access control lists ACLs can be processed in hardware by the Policy Feature Card PFC a Distributed Forwarding Card DFC or in software by the Multilayer Switch Feature Card MSFC The following behavior describes software and hardware handling of ACLs ACL flows that match a deny statement in standard and extended ACLs input and output are droppe...

Page 497: ...ed do not include all of the hardware switching platform counters Configuring IPv6 Address Compression Access control lists ACLs are implemented in hardware in the Policy Feature Card PFC which uses the source or destination IP address and port number in the packet to index the ACL table The index has a maximum address length of 128 bits The IP address field in an IPv6 packet is 128 bits and the p...

Page 498: ... the hardware compresses these addresses Embedded IPv4 address This address is compressed by removing the upper 16 bits No information is lost when the hardware compresses these addresses Link Local These addresses are compressed by removing the zeros in bits 95 80 and are identified using the same packet type as the embedded IPv4 address No information is lost when the hardware compresses these a...

Page 499: ... and Restrictions The following guidelines and restrictions apply to OAL OAL and VACL capture are incompatible Do not configure both features on the router With OAL configured use SPAN to capture traffic OAL is supported only on the PFC3 OAL supports only IPv4 unicast packets OAL supports VACL logging of permitted ingress traffic OAL does not support port ACLs PACLs OAL does not provide hardware s...

Page 500: ...When configuring OAL global parameters note the following information entries number_of_entries Sets the maximum number of entries cached Range 0 1 048 576 entered without commas Default 8192 interval seconds Sets the maximum time interval before an entry is sent to be logged Also if the entry is inactive for this duration it is removed from the cache Range 5 86 400 1440 minutes or 24 hours entere...

Page 501: ...Ls These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations Determining Layer 4 Operation Usage page 34 8 Determining Logical Operation Unit Usage page 34 8 Command Purpose Step 1 Router config interface type1 slot port 1 type any that supports Layer 3 switched traffic Specifies the interface to configure Step 2 Router config if logging ip acce...

Page 502: ... gt 11 deny Note There is no limit to the use of eq operators as the eq operator does not use a logical operator unit LOU or a Layer 4 operation bit See the Determining Logical Operation Unit Usage section on page 34 8 for a description of LOUs Layer 4 operations are considered different if the same operator operand couple applies once to a source port and once to a destination port For example in...

Page 503: ... src port lt 9 deny src port range 11 13 deny dst port neq 6 permit The Layer 4 operations and LOU usage is as follows ACL1 Layer 4 operations 5 ACL2 Layer 4 operations 4 LOUs 4 An explanation of the LOU usage follows LOU 1 stores gt 10 and lt 9 LOU 2 stores gt 11 and neq 6 LOU 3 stores gt 20 with space for one more LOU 4 stores range 11 13 range needs the entire LOU Tip For additional information...

Page 504: ... 10 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 34 Understanding Cisco IOS ACL Support Guidelines and Restrictions for Using Layer 4 Operators in ACLs ...

Page 505: ...S SVC NAM 2 and WS SVC NAM 1 network analysis modules This restriction is removed in Release 12 2 17d SXB and later releases OAL and VACL capture are incompatible Do not configure both features on the router With OAL configured see the Optimized ACL Logging with a PFC3 section on page 34 5 use SPAN to capture traffic This chapter consists of these sections Understanding VACLs page 35 1 Configuring...

Page 506: ...an ACL to a routed interface in the VLAN a packet coming in to the VLAN is first checked against the VACL and if permitted is then checked against the input ACL before it is handled by the routed interface When the packet is routed to another VLAN it is first checked against the output ACL applied to the routed interface and if permitted the VACL configured for the destination VLAN is applied If a...

Page 507: ... are applied on routed and Layer 3 switched packets For routed or Layer 3 switched packets the ACLs are applied in the following order 1 VACL for input VLAN 2 Input Cisco IOS ACL 3 Output Cisco IOS ACL 4 VACL for output VLAN Figure 35 2 Applying VACLs on Routed Packets Supervisor Engine Host B VLAN 20 Host A VLAN 10 120554 Bridged Bridged VACL VACL Input IOS ACL Output IOS ACL Routed MSFC ...

Page 508: ... b VACL for output VLAN 3 Packets originating from router VACL for output VLAN Figure 35 3 Applying VACLs on Multicast Packets Configuring VACLs These sections describe how to configure VACLs VACL Configuration Overview page 35 5 Defining a VLAN Access Map page 35 5 Configuring a Match Clause in a VLAN Access Map Sequence page 35 6 Configuring an Action Clause in a VLAN Access Map Sequence page 35...

Page 509: ...ed for that packet type the packet is denied To use access control for both bridged and routed traffic you can use VACLs alone or a combination of VACLs and ACLs You can define ACLs on the VLAN interfaces to use access control for both the input and output routed traffic You can define a VACL to use access control for the bridged traffic The following caveats apply to ACLs when used with VACLs Pac...

Page 510: ...ched to WAN interfaces support only standard and extended Cisco IOS IP ACLs Use the no keyword to remove a match clause or specified ACLs in the clause For information about named MAC Layer ACLs refer to the Configuring MAC ACLs section on page 41 67 For information about Cisco IOS ACLs refer to the Cisco IOS Security Configuration Guide Release 12 2 Traffic Filtering and Firewalls at this URL htt...

Page 511: ...ts are logged in software Only dropped IP packets can be logged The redirect action allows you to specify up to five interfaces which can be physical interfaces or EtherChannels You cannot specify packets to be redirected to an EtherChannel member or a VLAN interface The redirect interface must be in the VLAN for which the VACL access map is configured With a PFC3 if a VACL is redirecting traffic ...

Page 512: ... VLAN does not exist or is not operational You cannot apply a VACL to a secondary private VLAN VACLs applied to primary private VLANs also apply to secondary private VLANs Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces See the VLAN Access Map Configuration and Verification Examples section on page 35 9 Verifying VLAN Access Map Configuration To verify VLAN access map con...

Page 513: ...opped and logged and all other IP packets are forwarded Router config vlan access map ganymede 10 Router config access map match ip address net_10 Router config access map action drop log Router config access map exit Router config vlan access map ganymede 20 Router config access map match ip address any_host Router config access map action forward Router config access map exit Router config vlan ...

Page 514: ... config interface gigabitEthernet 5 1 Router config if switchport capture Router config if end This example shows how to display VLAN access map information Router show vlan access map mordred Vlan access map mordred 10 match ip address net_10 action forward capture Router This example shows how to display mappings between VACLs and VLANs For each VACL map there is information about the VLANs that...

Page 515: ...er config vlan access log maxflow 800 Router config vlan access log ratelimit 2200 Router config vlan access log threshold 4000 Command Purpose Step 1 Router config vlan access log maxflow max_number Sets the log table size The content of the log table can be deleted by setting the maxflow number to 0 The default is 500 with a valid range of 0 to 2048 When the log table is full logged packets from...

Page 516: ... 4266 08 Chapter 35 Configuring VLAN ACLs Configuring VACL Logging Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 517: ...lease 12 2 at this URL http www cisco com en US docs ios 12_2 security command reference fsecur_r html Note For complete syntax and usage information for the commands used in this chapter refer to these publications The Cisco IOS Master Command List Release 12 2SX at this URL http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html The Release 12 2 publications at this URL http www cisc...

Page 518: ... these protection methods Security ACLs page 36 2 Security ACLs page 36 2 QoS ACLs page 36 3 FIB Rate Limiting page 36 4 ARP Throttling page 36 5 uRPF Check page 36 5 TCP Intercept page 36 6 Security ACLs The Cisco 7600 series router can deny DoS packets in hardware using security access control lists ACLs Security ACLs are applied in hardware using the TCAM to traffic that can be easily identifie...

Page 519: ... 2 Layer 3 and Layer 4 information The result of a security VACL lookup against a packet can be a permit a deny a permit and capture or a redirect When you associate a security VACL with a particular VLAN all traffic must be permitted by the security VACL before the traffic is allowed into the VLAN Security VACLs are enforced in hardware so there is no performance penalty for applying security VAC...

Page 520: ...r FIB Rate Limiting Note The PFC2 CPU rate limiters are off by default The forwarding information base FIB rate limiting feature allows all packets that require software processing to be rate limited This example shows traffic destined for a nonexistent host address on a locally connected subnet Normally the ARP request would result in an ARP reply and the installation of a FIB adjacency for this ...

Page 521: ...ast Traffic storm control is configured on an interface and is disabled by default The configuration example here enables broadcast address storm control on interface FastEthernet 2 3 to a level of 20 percent When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within a 1 second traffic storm control interval traffic storm control will ...

Page 522: ... with requests for connections that have unreachable return addresses The three way handshake is never completed and the connections cannot be established The amount of session requests to which the server host is responding can overwhelm the server host and prevent legitimate users from connecting to legitimate services such as web sites and email servers TCP intercept prevents the SYN flooding b...

Page 523: ...nly the requests that come from specific networks Only the requests that are destined for specific servers This example defines the source in the access list as any it does not attempt to filter the source address because it is difficult to know exactly who to intercept packets from The destination is specified to protect the destination servers from the TCP SYN flood attack If an access list matc...

Page 524: ...a TCAM bridge result to a Layer 3 redirect result pointing to the MSFC Packets hitting the TCAM entries with the altered Layer 3 redirect rate limit result will be rate limited according to the instructions set in CLI by the network administrator Both the ingress and egress values will be the same as they both share the same rate limiter register If the ACL bridge ingress egress rate limiting is d...

Page 525: ... Status Packets s ACL BRIDGE IN Off ACL BRIDGE OUT Off L3_SEC_FEATURES Off VACL LOG Off FIB RECEIVE Off FIB GLEAN Off FIB CEF Receive and FIB Glean Cases Unicast Only The FIB receive rate limiter provides the capability to rate limit all packets that contain the MSFC IP address as the destination address The rate limiters do not discriminate between good frames and bad frames Note Do not enable th...

Page 526: ...l system plus TACACS or RADIUS server based on the IP address The server passes additional access list entries down to the router to allow the users through after authentication These ACLs are stored and processed in software and if there are many users utilizing auth proxy the MSFC may be overwhelmed Rate limiting would be advantageous in this situation IPSec and inspection are also done by the M...

Page 527: ... host is denied Router config access list 101 deny ip host 10 1 1 10 any Router config access list 101 permit ip any any Security ACLs also protect against the spoofing of addresses For example assume that a source address A is on the inside of a network and a router interface that is pointing to the Internet You can apply an inbound ACL on the router Internet interface that denies all addresses w...

Page 528: ...Router config policy map icmp_policer Router config pmap class icmp_class Router config pmap c police 96000 16000 conform action transmit exceed action policed dscp transmit drop Router config pmap c exit Router config pmap exit uRPF Check When you enable the unicast reverse path forwarding uRPF check packets that lack a verifiable source IP address such as spoofed IP source addresses are discarde...

Page 529: ...ontrol on all LAN ports and multicast and unicast storm control on Gigabit Ethernet ports When two or three suppression modes are configured simultaneously they share the same level settings If broadcast suppression is enabled and if multicast suppression is also enabled and configured at a 70 percent threshold the broadcast suppression will also have a setting for 70 percent Network Under SYN Att...

Page 530: ...ly police routing protocols and ARP packets to the router but also polices traffic through the box with less granularity than CoPP The policing mechanism shares the root configuration with a policing avoidance mechanism The policing avoidance mechanism lets the routing protocol and ARP packets flow through the network when they reach a QoS policer This mechanism can be configured using the mls qos...

Page 531: ...ent rate limiting scenarios to share the same register The registers are assigned on a first come first serve basis If all registers are being utilized the only way to configure another rate limiter is to free one register The hardware based rate limiters available on the PFC3 are as follows Ingress and egress ACL bridged packets uRPF check failures FIB receive cases FIB glean cases Layer 3 securi...

Page 532: ...rate limit command both the ACL bridged in and the ACL bridged out display the new value of 40000 pps Router show mls rate limit Rate Limiter Type Status Packets s Burst MCAST NON RPF Off MCAST DFLT ADJ On 100000 100 MCAST DIRECT CON Off ACL BRIDGED IN On 40000 50 ACL BRIDGED OUT On 40000 50 IP FEATURES Off uRPF Check Failure The uRPF check failure rate limiter allows you to configure a rate for t...

Page 533: ... status is displayed The exception is the TTL failure rate limiter its value shares the same value as the other members in the register if you have manually enabled the feature FIB CEF Receive Cases Unicast Only The FIB receive rate limiter provides the capability to rate limit all packets that contain the MSFC IP address as the destination address The rate limiters do not discriminate between goo...

Page 534: ...ow to rate limit the security features to the MSFC to 100000 pps with a burst of 10 packets Router config mls rate limit unicast ip features 100000 10 ICMP Redirect Unicast Only The ICMP redirect rate limiter allows you to rate limit ICMP traffic For example when a host sends packets through a nonoptimal router the MSFC sends ICMP redirect messages to the host to correct its sending path If this t...

Page 535: ...ter config mls rate limit layer2 pdu 20000 20 Layer 2 Protocol Tunneling This rate limiter limits the Layer 2 protocol tunneling packets which include control PDUs CDP STP and VTP packets destined for the supervisor engine These packets are encapsulated in software rewriting the destination MAC address in the PDU and then forwarded to a proprietary multicast address 01 00 0c cd cd d0 You cannot en...

Page 536: ...icast directly connected rate limiter limits the multicast packets from directly connected sources This example shows how to rate limit the multicast packets to 30000 pps with a burst of 30 Router config mls rate limit multicast ipv4 connected 30000 30 The ip option keyword and the ip option rate limiter are supported in PFC3B or PFC3BXL mode only This example shows how to set the rate limiters fo...

Page 537: ...not sure about which rate limiter to share with use the share auto keywords to enable dynamic sharing When you enable dynamic sharing the system selects a preconfigured rate limiter and shares the given rate limiter with the preconfigured rate limiter This example shows how to choose dynamic sharing for the route cntrl rate limiter Router config mls rate limit multicast ipv6 route cntl share auto ...

Page 538: ... require protection Use the interface range command to configure a security ACL on multiple interfaces Table 36 3 PFC3 Hardware based Rate Limiter Default Setting Rate Limiter Default Status ON OFF Default Value Ingress Egress ACL Bridged Packets OFF RPF Failures ON 100 pps burst of 10 packets FIB Receive cases OFF FIB Glean Cases OFF Layer 3 Security features OFF ICMP Redirect OFF ICMP Unreachabl...

Page 539: ...the rate of broadcast or some multicast traffic in hardware The PFC3 has separate multicast rate limiters The Supervisor Engine 2 does not have separate multicast rate limiters FIB rate limiting does not differentiate between legitimate and illegitimate traffic for example tunnels Telnet FIB rate limiting applies aggregate rate limiting and not per flow rate limiting PFC3 When configuring DoS prot...

Page 540: ...e limit Layer 2 multicast traffic Monitoring Packet Drop Statistics You can capture the incoming or outgoing traffic on an interface and send a copy of this traffic to an external interface for monitoring by a traffic analyzer To capture traffic and forward it to an external interface use the monitor session command When capturing traffic these restrictions apply The incoming captured traffic is n...

Page 541: ...8 label 1 lookup_type 0 protocol IP packet type 0 T Index Dest Ip Addr Source Ip Addr DPort SPort TCP F Pro MRFM X TOS TN COD F P V 18396 0 0 0 0 0 0 0 0 P 0 P 0 0 0 0 0 0 M 18404 0 0 0 0 0 0 0 0 0 0 0 0 0 R rslt L3_DENY_RESULT rtr_rslt L3_DENY_RESULT V 36828 0 0 0 0 0 0 0 0 P 0 P 0 0 0 0 0 0 M 36836 0 0 0 0 0 0 0 0 0 0 0 0 0 R rslt L3_DENY_RESULT rtr_rslt L3_DENY_RESULT Router You can also use th...

Page 542: ...config if switchport capture Router config if switchport capture allowed vlan add 100 Displaying Rate Limiter Information The show mls rate limit command displays information about the configured rate limiters The show mls rate limit usage command displays the hardware register that is used by a rate limiter type If the register is not used by any rate limiter type Free is displayed in the output ...

Page 543: ...PTION Off LAYER_2 PDU Off LAYER_2 PT Off IP ERRORS On 100 10 Group 0 S CAPTURE PKT Off MCAST IGMP Off MCAST IPv6 DIRECT CON Off MCAST IPv6 G M BRIDG Off MCAST IPv6 G BRIDGE Off MCAST IPv6 SG BRIDGE Off MCAST IPv6 ROUTE CNTL Off MCAST IPv6 DFLT DROP Off MCAST IPv6 SECOND DR Off Router To display the usage of the hardware rate limiters use the show mls rate limit usage command Router show mls rate l...

Page 544: ... control and management planes You can use CoPP to protect the control and management planes and ensure routing stability reachability and packet delivery CoPP uses a dedicated control plane configuration through the modular QoS CLI MQC to provide filtering and rate limiting capabilities for the control plane packets CoPP Default Configuration CoPP is disabled by default CoPP Configuration Guideli...

Page 545: ...and is not entered CoPP will only work in software and will not provide any benefit to the hardware Neither egress CoPP nor silent mode is supported CoPP is only supported on ingress service policy output CoPP cannot be applied to the control plane interface ACE hit counters in hardware are only for ACL logic You can rely on software ACE hit counters and the show access list show policy map contro...

Page 546: ... config ip access list extended access list name Router config ext nacl permit deny protocol source source wildcard destination destination wildcard precedence precedence tos tos established log log input time range time range name fragments Defines ACLs to match traffic permit sets the conditions under which a packet passes a named IP access list deny sets the conditions under which a packet does...

Page 547: ...arl in slot 5 0 bytes 5 minute offered rate 0 bps aggregate forwarded 0 bytes action transmit exceeded 0 bytes action drop aggregate forward 0 bps exceed 0 bps Software Counters Class map CoPP normal match all 0 packets 0 bytes 5 minute offered rate 0 bps drop rate 0 bps Match access group 130 police 96000 bps 3125 limit 3125 extended limit conformed 0 packets 0 bytes action transmit exceeded 0 pa...

Page 548: ...rating network performance statistics for the purpose of reporting For example using Cisco IOS IP service level agreements SLAs to generate ICMP with different DSCP settings in order to report on response times within different QoS data classes Monitoring Traffic used for monitoring a router Traffic should be permitted but should never pose a risk to the router with CoPP this traffic can be permit...

Page 549: ...ive importance The actual number of classes needed might differ and should be selected based on your local requirements and security policies You do not have to define policies that match bidirectionally You only need to identify traffic unidirectionally from the network to the MSFC since the policy is applied on ingress only Sample Basic ACLs for CoPP Traffic Classification This section shows sam...

Page 550: ...that originated the pings Router config access list 122 permit icmp any any echo reply This example shows how to allow pings to the router Router config access list 122 permit icmp any any echo This example shows how to define ACL 123 for the undesirable class Router config access list 123 remark explicitly defined undesirable traffic Note In the following example ACL 123 is a permit entry for cla...

Page 551: ...ample shows how to enable sticky ARP on interface 5 1 Router configure terminal Router config interface gigabitethernet 5 1 Router config if ip sticky arp Router config if end Router Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home...

Page 552: ...36 36 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 36 Configuring Denial of Service Protection Configuring Sticky ARP ...

Page 553: ... html This chapter consists of the following major sections Understanding DHCP Snooping page 37 1 Default Configuration for DHCP Snooping page 37 6 DHCP Snooping Configuration Restrictions and Guidelines page 37 7 Configuring DHCP Snooping page 37 9 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco c...

Page 554: ...re filters messages and rate limits traffic from untrusted sources In an enterprise network devices under your administrative control are trusted sources These devices include the switches routers and servers in your network Any device beyond the firewall or outside your network is an untrusted source Host ports are generally treated as untrusted sources In a service provider environment any devic...

Page 555: ...ch the message was received The router receives a DHCP packet that includes a relay agent IP address that is not 0 0 0 0 In releases earlier than Release 12 2 18 SXF1 the router drops DHCP packets that include option 82 information that are received on untrusted ports With Release 12 2 18 SXF1 and later releases to support trusted edge routers that are connected to untrusted aggregation router por...

Page 556: ...the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID The DHCP server then echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the router if the request was relayed to the server by the router When the client and server are on the same subnet the ser...

Page 557: ...The database agent stores the bindings in a file at a configured location Upon reload the router reads the file to build the database for the bindings The router keeps the file current by writing to the file as the database changes The format of the file that contains the bindings is as follows initial checksum TYPE DHCP SNOOPING VERSION 1 BEGIN entry 1 checksum 1 entry 2 checksum 1 2 entry n chec...

Page 558: ...ntry read from the file is ignored and so are all the entries following the failed entry The router also ignores all those entries from the file whose lease time has expired This is possible because the lease time might indicate an expired time An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system or if it is a router port or a DHCP snoopin...

Page 559: ...figuration command ip dhcp relay information policy global configuration command ip dhcp relay information trust all global configuration command ip dhcp relay information option global configuration command ip dhcp relay information trusted interface configuration command If you enter these commands the router returns an error message and the configuration is not applied DHCP Snooping Configurati...

Page 560: ...ation information refer to Configuring DHCP in the Cisco IOS IP and IP Routing Configuration Guide at http www cisco com en US docs ios 12_2 ip configuration guide 1cfdhcp html 2 Enable DHCP snooping on at least one VLAN By default DHCP snooping is inactive on all VLANs Refer to the Enabling DHCP Snooping on VLANs section on page 37 12 3 Ensure that DHCP server is connected through a trusted inter...

Page 561: ...mmand as the last configuration step or enable the DHCP feature during a scheduled maintenance period because after you enable DHCP snooping globally the router drops DHCP requests until you configure the ports To enable DHCP snooping globally perform this task This example shows how to enable DHCP snooping globally Router configure terminal Enter configuration commands one per line End with CNTL ...

Page 562: ...on untrusted port feature enabled the router does not drop DHCP packets that include option 82 information that are received on untrusted ports Do not enter the ip dhcp snooping information option allowed untrusted command on an aggregation router to which any untrusted devices are connected With Release 12 2 18 SXF1 and later releases to enable untrusted ports to accept DHCP packets that include ...

Page 563: ...t and the client hardware address is a Layer 3 field in the DHCP packet To enable DHCP snooping MAC address verification perform this task This example shows how to disable DHCP snooping MAC address verification Router config no ip dhcp snooping verify mac address Router config do show ip dhcp snooping include hwaddr Verification of hwaddr field is disabled Router config This example shows how to ...

Page 564: ...h separated pairs of VLAN numbers This example shows how to enable DHCP snooping on VLANs 10 through 12 Router configure terminal Router config ip dhcp snooping vlan 10 12 Router config This example shows another way to enable DHCP snooping on VLANs 10 through 12 Router configure terminal Router config ip dhcp snooping vlan 10 12 This example shows another way to enable DHCP snooping on VLANs 10 t...

Page 565: ... Trusted Rate limit pps FastEthernet5 12 yes unlimited Router This example shows how to configure Fast Ethernet port 5 12 as untrusted Router configure terminal Router config interface FastEthernet 5 12 Router config if no ip dhcp snooping trust Router config if do show ip dhcp snooping begin pps Interface Trusted Rate limit pps FastEthernet5 12 no unlimited Router Command Purpose Step 1 Router co...

Page 566: ...Ethernet5 12 no 100 Router Configuring the DHCP Snooping Database Agent To configure the DHCP snooping database agent perform one or more of the following tasks Command Purpose Step 1 Router config interface type1 slot port port channel number 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Selects the interface to configure Note Select only LAN ports configured with the switchp...

Page 567: ...ing the Database Agent page 37 15 Example 2 Reading Binding Entries from a TFTP File page 37 17 Example 3 Adding Information to the DHCP Snooping Database page 37 18 Example 1 Enabling the Database Agent The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state Router configure terminal ...

Page 568: ...s and VLAN set for which the router already has a binding the entry from the remote file is ignored when the file is read This condition is referred to as the binding collision An entry in a file may no longer be valid because the lease indicated by the entry may have expired by the time it is read The expired leases counter indicates the number of bindings that are ignored because of this conditi...

Page 569: ...le from 10 1 1 1 via GigabitEthernet1 1 OK 457 bytes Database downloaded successfully Router 00 01 29 DHCP_SNOOPING 6 AGENT_OPERATION_SUCCEEDED DHCP snooping database Read succeeded Router show ip dhcp snoop data Agent URL Write delay Timer 300 seconds Abort Timer 300 seconds Agent Running No Delay Timer Expiry Not Running Abort Timer Expiry Not Running Last Succeded Time 15 24 34 UTC Sun Jul 8 20...

Page 570: ...nding 1 1 1 vlan 1 1 1 1 1 interface gi1 1 expiry 1000 Router show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLAN Interface 00 01 00 01 00 01 1 1 1 1 992 dhcp snooping 1 GigabitEthernet1 1 Router Displaying a Binding Table The DHCP snooping binding table for each router contains binding entries that correspond to untrusted ports The table does not contain information about hosts...

Page 571: ...ge http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Table 37 2 show ip dhcp snooping binding Command Output Field Description MAC Address Client hardware MAC address IP Address Client IP address assigned from the DHCP server Lease seconds IP address lease time Type Binding type dynamic binding learned by DHCP snooping or statically configured binding VLAN VL...

Page 572: ...37 20 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 37 Configuring DHCP Snooping Configuring DHCP Snooping ...

Page 573: ... http www cisco com en US docs ios mcl 122sxmcl 12_2sx_mcl_book html This chapter consists of these sections Understanding DAI page 38 1 Default DAI Configuration page 38 5 DAI Configuration Guidelines and Restrictions page 38 6 Configuring DAI page 38 6 DAI Configuration Samples page 38 16 Tip For additional information including configuration examples and troubleshooting information see the docu...

Page 574: ... and MAC addresses are shown in parentheses for example Host A uses IP address IA and MAC address MA When Host A needs to communicate to Host B at the IP layer it broadcasts an ARP request for the MAC address associated with IP address IB When the router and Host B receive the ARP request they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA for ...

Page 575: ...ddresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header see the Enabling Additional Validation section on page 38 11 Interface Trust States and Network Security DAI associates a trust state with each interface on the router Packets arriving on trusted interfaces bypass all DAI validation checks and tho...

Page 576: ...ndings isolate routers running DAI at Layer 3 from routers not running DAI For configuration information see the Sample Two One Switch Supports DAI section on page 38 21 Note Depending on the setup of the DHCP server and the network it might not be possible to validate a given ARP packet on all routers in the VLAN Rate Limiting of ARP Packets The router performs DAI validation checks which rate li...

Page 577: ...l configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command For configuration information see the Configuring DAI Logging section on page 38 13 Default DAI Configuration Table 38 ...

Page 578: ... need not match the trust state of the channel Conversely when you change the trust state on the port channel the router configures a new trust state on all the physical ports that comprise the channel The operating rate for the port channel is cumulative across all the physical ports within the channel For example if you configure the port channel with an ARP rate limit of 400 pps all the interfa...

Page 579: ...configure terminal Router config ip arp inspection vlan 10 12 This example shows another way to enable DAI on VLANs 10 through 12 Router configure terminal Router config ip arp inspection vlan 10 11 12 This example shows how to enable DAI on VLANs 10 through 12 and VLAN 15 Router configure terminal Router config ip arp inspection vlan 10 12 15 This example shows how to verify the configuration Rou...

Page 580: ...s task This example shows how to configure Fast Ethernet port 5 12 as trusted Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 5 12 Router config if ip arp inspection trust Router config if do show ip arp inspection interfaces include Int 5 12 Interface Trust State Rate pps Burst Interval Fa5 12 Trusted None N A Applying ARP A...

Page 581: ...the ACL Packets are permitted only if the access list permits them This example shows how to apply an ARP ACL named example_arp_acl to VLANs 10 through 12 and VLAN 15 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config ip arp inspection filter example_arp_acl vlan 10 12 15 Router config do show ip arp inspection vlan 10 12 15 begin Vlan Vlan Configurat...

Page 582: ... for the configured trust state After you configure the rate limiting value the interface retains the rate limiting value even when you change its trust state If you enter the no ip arp inspection limit interface configuration command the interface reverts to its default rate limiting value For configuration guidelines about limiting the rate of incoming ARP packets on trunk ports and EtherChannel...

Page 583: ...fy at least one of the keywords Each ip arp inspection validate command overrides the configuration from any previous commands If an ip arp inspection validate command enables src and dst mac validations and a second ip arp inspection validate command enables IP validation only the src and dst mac validations are disabled as a result of the second command Command Purpose Step 1 Router configure te...

Page 584: ...on Disabled IP Address Validation Disabled This example shows how to enable dst mac additional validation Router configure terminal Enter configuration commands one per line End with CNTL Z Router config ip arp inspection validate dst mac Router config do show ip arp inspection include abled Source Mac Validation Disabled Destination Mac Validation Enabled IP Address Validation Disabled This examp...

Page 585: ...em message for the entry If the log buffer overflows it means that a log event does not fit into the log buffer and the display for the show ip arp inspection log privileged EXEC command is affected Two dashes appear instead of data except for the packet count and the time No other statistics are provided for the entry If you see this entry in the display increase the number of entries in the log ...

Page 586: ...Router config do show ip arp inspection log include Syslog Syslog rate 12 entries per 2 seconds This example shows how to configure DAI logging to send 20 messages every 60 seconds Router configure terminal Enter configuration commands one per line End with CNTL Z Router config ip arp inspection log buffer logs 20 interval 60 Router config do show ip arp inspection log include Syslog Syslog rate 2...

Page 587: ...ngs none Does not log packets that match DHCP bindings dhcp bindings permit Logs DHCP binding permitted packets This example shows how to configure the DAI log filtering for VLAN 100 not to log packets that match ACLs Router configure terminal Enter configuration commands one per line End with CNTL Z Router config ip arp inspection vlan 100 logging acl match none Router config do show running conf...

Page 588: ...connected to Router A Both hosts acquire their IP addresses from the same DHCP server Router A has the bindings for Host 1 and Host 2 and Router B has the binding for Host 2 Router A Fast Ethernet port 6 3 is connected to the Router B Fast Ethernet port 3 3 Note DAI depends on the entries in the DHCP snooping binding database to verify IP to MAC address bindings in incoming ARP requests and ARP re...

Page 589: ...AN 1 and verify the configuration RouterA configure terminal Enter configuration commands one per line End with CNTL Z RouterA config ip arp inspection vlan 1 RouterA config end RouterA show ip arp inspection vlan 1 Source Mac Validation Disabled Destination Mac Validation Disabled IP Address Validation Disabled Vlan Configuration Operation ACL Match Static ACL 1 Enabled Active Vlan ACL Logging DH...

Page 590: ...reflected in the following statistics RouterA show ip arp inspection statistics vlan 1 Vlan Forwarded Dropped DHCP Drops ACL Drops 1 2 0 0 0 Vlan DHCP Permits ACL Permits Source MAC Failures 1 2 0 0 Vlan Dest MAC Failures IP Validation Failures 1 0 0 RouterA If Host 1 then tries to send an ARP request with an IP address of 1 1 1 3 the packet is dropped and an error message is logged 00 12 08 SW_DA...

Page 591: ...on vlan 1 RouterB config end RouterB show ip arp inspection vlan 1 Source Mac Validation Disabled Destination Mac Validation Disabled IP Address Validation Disabled Vlan Configuration Operation ACL Match Static ACL 1 Enabled Active Vlan ACL Logging DHCP Logging 1 Deny Deny RouterB Step 3 Configure Fast Ethernet port 3 3 as trusted RouterB configure terminal Enter configuration commands one per lin...

Page 592: ...001 0001 the packet is forwarded and the statistics are updated appropriately RouterB show ip arp inspection statistics vlan 1 Vlan Forwarded Dropped DHCP Drops ACL Drops 1 1 0 0 0 Vlan DHCP Permits ACL Permits Source MAC Failures 1 1 0 0 Vlan Dest MAC Failures IP Validation Failures 1 0 0 RouterB If Host 2 attempts to send an ARP request with the IP address 1 1 1 2 DAI drops the request and logs ...

Page 593: ...ermit the IP address 1 1 1 1 and the MAC address 0001 0001 0001 and verify the configuration RouterA configure terminal Enter configuration commands one per line End with CNTL Z RouterA config arp access list H2 RouterA config arp nacl permit ip host 1 1 1 1 mac host 1 1 1 RouterA config arp nacl end RouterA show arp access list ARP access list H2 permit ip host 1 1 1 1 mac host 0001 0001 0001 Ste...

Page 594: ...by Router A the statistics are updated appropriately Switch show ip arp inspection statistics vlan 1 Vlan Forwarded Dropped DHCP Drops ACL Drops 1 5 0 0 0 Vlan DHCP Permits ACL Permits Source MAC Failures 1 0 5 0 Vlan Dest MAC Failures IP Validation Failures 1 0 0 Switch Tip For additional information including configuration examples and troubleshooting information see the documents listed on this...

Page 595: ...Understanding Traffic Storm Control A traffic storm occurs when packets flood the LAN creating excessive traffic and degrading network performance The traffic storm control feature prevents LAN ports from being disrupted by a broadcast multicast or unicast traffic storm on physical interfaces Traffic storm control also called traffic suppression monitors incoming traffic levels over a 1 second tra...

Page 596: ...sure traffic the most significant implementation factor is setting the percentage of total available bandwidth that can be used by controlled traffic Because packets do not arrive at uniform intervals the 1 second interval during which controlled traffic activity is measured can affect the behavior of traffic storm control The following are examples of traffic storm control behavior If you enable ...

Page 597: ...supports multicast and unicast traffic storm control on Gigabit and 10 Gigabit Ethernet LAN ports Most FastEthernet switching modules do not support multicast and unicast traffic storm control with the exception of WS X6148A RJ 45 and the WS X6148 SFP The switch supports broadcast traffic storm control on all LAN ports except on those modules previously noted Except for BPDUs traffic storm control...

Page 598: ...Step 2 Router config if storm control broadcast level level level Enables broadcast traffic storm control on the interface configures the traffic storm control level and applies the traffic storm control level to all traffic storm control modes enabled on the interface Router config if no storm control broadcast level Disables broadcast traffic storm control on the interface Step 3 Router config i...

Page 599: ...Building configuration Current configuration 176 bytes Router interface GigabitEthernet4 10 Router switchport Router switchport mode access Router storm control broadcast level 70 00 Router storm control multicast level 70 00 Router spanning tree portfast edge Router end Router configure terminal Router config interface gigabitethernet 4 10 Router config if storm control unicast level 20 Router co...

Page 600: ...w interfaces interface_type slot port port channel number counters command does not display the discard count You must the storm control keyword to display the discard count Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 601: ...ts hw routers ps368 tsd_products_support_series_home html Understanding UUFB or UMFB By default unknown unicast and multicast traffic is flooded to all Layer 2 ports in a VLAN You can prevent this behavior by using the UUFB and UMFB features to prevent or limit this traffic The UUFB and UMFB features block unknown unicast and multicast traffic flooding at a specific port only permitting egress tra...

Page 602: ...ip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config interface type1 slot port port channel number 1 type ethernet fastethernet ...

Page 603: ... does not support Network Based Application Recognition NBAR With a Supervisor Engine 2 PFC2 and MSFC2 you can configure NBAR on Layer 3 interfaces instead of PFC QoS The PFC2 provides hardware support for input ACLs on ports where you configure NBAR When PFC QoS is enabled the traffic through ports where you configure NBAR passes through the ingress and egress queues and drop thresholds When PFC ...

Page 604: ...s are Ethernet ports on Ethernet switching modules except for the 4 port Gigabit Ethernet WAN GBIC modules OSM 4GE WAN and OSM 2 4GE WAN Some OSMs have four Ethernet LAN ports in addition to WAN ports With Release 12 2 17b SXA and later releases PFC QoS supports optical services module OSM ports OSM ports are the WAN ports on OSMs Refer to the following publication for information about additional...

Page 605: ...e with the port CoS value in these situations If the traffic is not in an ISL 802 1Q or 802 1p frame If a port is configured as untrusted On OSM ATM and POS ports PFC QoS always sets ingress CoS equal to zero Congestion avoidance If you configure an Ethernet LAN port to trust CoS or DSCP QoS classifies the traffic on the basis of its Layer 2 CoS value or its Layer 3 DSCP value and assigns it to an...

Page 606: ...any type of port DFCs implement PFC QoS locally on switching modules For FlexWAN module traffic Ingress FlexWAN QoS features can be applied to FlexWAN ingress traffic Ingress FlexWAN traffic can be Layer 3 switched by the PFC3 or routed in software by the MSFC Egress PFC QoS is not applied to FlexWAN ingress traffic Egress FlexWAN QoS can be applied to FlexWAN egress traffic For LAN port traffic I...

Page 607: ...N traffic can be Layer 3 switched by the PFC2 or routed in software by the MSFC2 Egress FlexWAN QoS can be applied to FlexWAN egress traffic For LAN port traffic Ingress LAN port QoS features can be applied to LAN port ingress traffic Ingress LAN port traffic can be Layer 2 or Layer 3 switched by the PFC2 or routed in software by the MSFC2 Egress LAN port QoS can be applied to LAN port egress traf...

Page 608: ... page 41 9 PFC QoS Egress Port Features page 41 13 Port Trust CoS IP Prec DSCP MPLS Exp DSCP map Final internal DSCP is mapped to CoS Identify traffic based on match criteria ACL L2 IP DSCP IP Prec MPLS Exp Class map Scheduler operates on WRR DWRR SP Ingress Port Egress Port PFC DFC Policy Result SP DSCP CoS rewrite C l a s s i f i c a t i o n CoS determies queue selection Scheduler queue and thre...

Page 609: ...4266 08 Chapter 41 Configuring PFC QoS Understanding How PFC QoS Works Ingress LAN Port PFC QoS Features These sections provide an overview of the ingress port QoS features Flowchart of Ingress LAN Port PFC QoS Features page 41 8 Port Trust page 41 9 Ingress Congestion Avoidance page 41 9 ...

Page 610: ...se 12 2 18 SXF5 and later releases support the ignore port trust feature DSCP based queue mapping is supported only on WS X6708 10GE ports 154684 Yes Frame enters switch Port set to untrusted ISL or 802 1Q No No No Port set to trust ipprec Port set to trust dscp Ingress CoS Mutation IP traffic with recognizable ToS byte IP traffic with recognizable ToS byte Ignore port trust enabled DSCP based que...

Page 611: ...precedence port or configured by a policy map to trust IP precedence is called trust IP precedence traffic DSCP A port configured to trust DSCP is called a trust DSCP port Traffic received through a trust DSCP port or configured by a policy map to trust DSCP is called trust DSCP traffic Traffic received through an untrusted port is called untrusted traffic Ingress Congestion Avoidance PFC QoS impl...

Page 612: ... DFC3B WS F6K DFC3BXL for use on dCEF256 and CEF256 modules with a Supervisor Engine 720 WS F6700 DFC3A WS F6700 DFC3B WS F6700 DFC3BXL for use on CEF720 modules with a Supervisor Engine 720 PFC and DFC QoS Feature List and Flowchart Table 41 1 lists the QoS features supported on the different versions of PFCs and DFCs Table 41 1 QoS Features Supported on PFCs and DFCs Feature PFC2 DFC PFC3A DFC3A...

Page 613: ... When ignore port trust is not configured When ignore port trust is configured received DSCP if any is initial internal DSCP otherwise port CoS is mapped to initial internal DSCP Received IP Precedence Map Map Map 154644 Policer Marker Optional Policy map Initial Internal DSCP Final Internal DSCP Egress DSCP Egress DSCP Mutation only on PFC3 Received DSCP CoS Received or Port Map Policer Marker Op...

Page 614: ...CoS value in tagged IP traffic For tagged traffic without a recognizable ToS byte PFC QoS maps the received CoS value to the initial internal DSCP value For untagged traffic without a recognizable ToS byte PFC QoS maps the port CoS value to the initial internal DSCP value For trust IP precedence traffic PFC QoS does the following For IP traffic PFC QoS maps the received IP precedence value to the ...

Page 615: ...king ingress LAN port configured for port based PFC QoS traffic in all VLANs received through the port is subject to the policy map attached to the port On a nontrunk ingress LAN port configured for VLAN based PFC QoS traffic received through the port is subject to the policy map attached to the port s VLAN On a trunking ingress LAN port configured for VLAN based PFC QoS traffic received through t...

Page 616: ...al internal DSCP value associated with the traffic PFC QoS sends the derived CoS value to the egress LAN ports for use in classification and congestion avoidance and to be written into ISL and 802 1Q frames Note With Release 12 2 18 SXF5 and later releases you can configure WS X6708 10GE ports to use the final internal DSCP value for egress LAN port classification and congestion avoidance see the ...

Page 617: ...nterfaces You can attach an output policy map to a Layer 3 interface either a LAN port configured as a Layer 3 interface or a VLAN interface to apply a policy map to egress traffic Note Output policies do not support microflow policing With a PFC3 you cannot apply microflow policing to ARP traffic You cannot set a trust state in an output policy Egress ACL Support for Remarked DSCP Note Egress ACL...

Page 618: ...ayer 2 features for example VACLs before being processed by egress PFC QoS On an interface where egress ACL support for remarked DSCP is configured if a Layer 2 feature matches the ingress QoS modified IP precedence or DSCP value the Layer 2 feature might redirect or drop the matched packets which prevents them from being processed by egress QoS After packets have been processed by ingress PFC QoS...

Page 619: ...assification and congestion avoidance see the Configuring DSCP Based Queue Mapping section on page 41 100 In Releases earlier than Release 12 2 18 SXF5 ingress LAN port classification marking and congestion avoidance use Layer 2 CoS values only The following sections describe classification and marking at trusted and untrusted ingress ports Classification and Marking at Untrusted Ingress Ports pag...

Page 620: ...fication and Marking at Trust IP Precedence Ports You should configure ports to trust IP precedence only if they receive traffic that carries valid Layer 3 IP precedence For traffic from trust IP precedence ports PFC QoS maps the received IP precedence value to the initial internal DSCP value Because the ingress port queues and thresholds use Layer 2 CoS PFC QoS does not implement ingress port con...

Page 621: ...rface There are two ways to configure filtering in policy map classes Access control lists ACLs Class map match commands for IP precedence and DSCP values Policy map classes specify actions with the following optional commands Policy map set commands For untrusted traffic or if ignore port trust is enabled PFC QoS can use configured IP precedence or DSCP values as the final internal DSCP value The...

Page 622: ...roflow Policers page 41 22 Overview of Policers Policing allows you to rate limit incoming and outgoing traffic so that it adheres to the traffic forwarding rules defined by the QoS configuration Sometimes these configured rules for how traffic should be forwarded through the system are referred to as a contract If the traffic does not adhere to this contract it is marked down to a lower DSCP valu...

Page 623: ...3 it limits the TFTP traffic for all flows combined on VLAN 1 and VLAN 3 to 1 Mbps You define per interface aggregate policers in a policy map class with the police command If you attach a per interface aggregate policer to multiple ingress ports it polices the matched traffic on each ingress port separately You create named aggregate policers with the mls qos aggregate policer command If you atta...

Page 624: ...nd destination node to be part of the same flow including traffic with different source nodes or source sockets By default microflow policers only affect traffic routed by the MSFC To enable microflow policing of other traffic including traffic in bridge groups enter the mls qos bridged command With a PFC2 you must enable bridged mircoflow policing for routed traffic as well With a PFC3 you cannot...

Page 625: ...ress LAN port trust state of matched traffic with trust DSCP or with the trust state defined by a trust policy map class command By default the markdown table is configured so that no markdown occurs the marked down DSCP values are equal to the original DSCP values To enable markdown configure the table appropriately for your network When you apply both ingress policing and egress policing to the ...

Page 626: ...e if CoS 2 is assigned to queue 1 threshold 2 and the threshold 2 levels are 40 percent low and 80 percent high then frames with CoS 2 will not be dropped until queue 1 is at least 40 percent full As the queue depth approaches 80 percent frames with CoS 2 have an increasingly higher probability of being discarded rather than being admitted to the queue Once the queue is over 80 percent full all Co...

Page 627: ...drop thresholds 1q8t indicates one standard queue with eight configurable tail drop thresholds 2q8t indicates two standard queues each with eight configurable tail drop thresholds 8q4t indicates eight standard queues each with four thresholds each configurable as either WRED drop or tail drop 8q8t indicates eight standard queues each with eight thresholds each configurable as either WRED drop or t...

Page 628: ...wing architectures 2q2t indicates two standard queues each with two configurable tail drop thresholds 1p2q2t indicates the following One strict priority queue Two standard queues each with two configurable WRED drop thresholds 1p3q1t indicates the following One strict priority queue Three standard queues with these thresholds One threshold configurable as either WRED drop or tail drop One nonconfi...

Page 629: ...upervisor Engines Ingress Queue and Drop Thresholds Ingress Queue Scheduler Egress Queue and Drop Thresholds Egress Queue Scheduler Total Buffer Size Ingress Buffer Size Egress Buffer Size WS SUP720 1p1q4t 1p2q2t WRR 512 KB 73 KB 439 KB WS SUP720 3B WS SUP720 3BXL WS SUP32 10GE 2q8t WRR 1p3q8t DWRR SRR 10 Gigabit Ethernet ports 193 MB 105 MB 88 MB Gigabit Ethernet port 17 7 MB 9 6 MB 8 1 MB WS SUP...

Page 630: ... 5 3 MB WS X6148A 45AF WS X6148X2 RJ 45 1p1q0t 1p3q1t DWRR 1 116 KB 28 KB 1 088 KB WS X6148X2 45AF WS X6196 RJ 21 WS X6196 21AF WS X6024 10FL MT 1q4t 2q2t WRR 64 KB 8 KB 56 KB Table 41 4 Gigabit and 10 100 1000 Ethernet Modules Modules Ingress Queue and Drop Thresholds Ingress Queue Scheduler Egress Queue and Drop Thresholds Egress Queue Scheduler Total Buffer Size Ingress Buffer Size Egress Buffe...

Page 631: ... KB 439 KB WS X6416 GBIC WS X6416 GE MT WS X6316 GE TX WS X6148 GE TX 1q2t 1 4 MB 185 KB 1 2 MB WS X6148V GE TX WS X6148 GE 45AF WS X6148A GE TX 1p3q8t DWRR 5 5 MB 120 KB 5 4 MB WS X6148A GE 45AF Table 41 5 10 Gigabit Ethernet Modules Modules Ingress Queue and Drop Thresholds Ingress Queue Scheduler Egress Queue and Drop Thresholds Egress Queue Scheduler Total Buffer Size Ingress Buffer Size Egres...

Page 632: ...or VLAN based PFC QoS Port based Received CoS to initial internal DSCP map initial internal DSCP set from received CoS values CoS 0 DSCP 0 CoS 1 DSCP 8 CoS 2 DSCP 16 CoS 3 DSCP 24 CoS 4 DSCP 32 CoS 5 DSCP 40 CoS 6 DSCP 48 CoS 7 DSCP 56 Received IP precedence to initial internal DSCP map initial internal DSCP set from received IP precedence values IP precedence 0 DSCP 0 IP precedence 1 DSCP 8 IP pr...

Page 633: ...rcentages and CoS Value Mappings page 41 32 Note The ingress LAN port trust state defaults to untrusted with QoS enabled Receive Queue Limits Transmit Queue Limit s Policy maps None Protocol independent MAC ACL filtering Disabled VLAN based MAC ACL QoS filtering Disabled Feature Default Value Feature Default Value 2q8t Low priority 80 High priority 20 8q4t Low priority 80 Intermediate queues 0 Hig...

Page 634: ... Queues page 41 35 1p2q1t Low priority 70 High priority 15 Strict priority 15 1p3q8t Low priority 50 Medium priority 20 High priority 15 Strict priority 15 1p7q4t Standard queue 1 lowest priority 50 Standard queue 2 20 Standard queue 3 15 Standard queues 4 through 7 0 Strict priority 15 1p7q8t Standard queue 1 lowest priority 50 Standard queue 2 20 Standard queue 3 15 Standard queues 4 through 7 0...

Page 635: ...8t Transmit Queues page 41 44 1p7q4t Transmit Queues page 41 45 1p7q8t Transmit Queues page 41 48 1p3q1t Transmit Queues page 41 49 1p2q1t Transmit Queues page 41 50 Note The receive queue values shown are the values in effect when the port is configured to trust CoS or DSCP When the port is untrusted the receive queue values are the same as when QoS is globally disabled 1q2t Receive Queues Featur...

Page 636: ...oS 2 and 3 Tail drop 60 WRED drop Not supported Threshold 3 CoS 4 and 5 Tail drop 80 WRED drop Not supported Threshold 4 CoS 6 and 7 Tail drop 100 WRED drop Not supported Feature Default Value Standard receive queue Threshold 1 CoS 0 and 1 Tail drop 50 WRED drop Not supported Threshold 2 CoS 2 and 3 Tail drop 60 WRED drop Not supported Threshold 3 CoS 4 Tail drop 80 WRED drop Not supported Thresho...

Page 637: ...alue Standard receive queue Threshold 1 CoS 0 Tail drop Disabled 70 WRED drop Enabled 40 low 70 high Threshold 2 CoS 1 Tail drop Disabled 70 WRED drop Enabled 40 low 70 high Threshold 3 CoS 2 Tail drop Disabled 80 WRED drop Enabled 50 low 80 high Threshold 4 CoS 3 Tail drop Disabled 80 WRED drop Enabled 50 low 80 high Threshold 5 CoS 4 Tail drop Disabled 90 WRED drop Enabled 60 low 90 high Thresho...

Page 638: ...l drop 50 WRED drop Not supported Threshold 2 CoS None Tail drop 50 WRED drop Not supported Threshold 3 CoS 1 2 3 4 Tail drop 60 WRED drop Not supported Threshold 4 CoS None Tail drop 60 WRED drop Not supported Threshold 5 CoS 6 and 7 Tail drop 80 WRED drop Not supported Threshold 6 CoS None Tail drop 80 WRED drop Not supported Threshold 7 CoS 5 Tail drop 100 WRED drop Not supported Threshold 8 Co...

Page 639: ... 1 CoS 0 and 1 Tail drop 70 WRED drop Not supported Threshold 2 CoS 2 and 3 Tail drop 80 WRED drop Not supported Threshold 3 CoS 4 Tail drop 90 WRED drop Not supported Threshold 4 CoS 6 and 7 Tail drop 100 WRED drop Not supported Thresholds 5 8 CoS None Tail drop 100 WRED drop Not supported Standard receive queue 2 high priority Threshold 1 CoS 5 Tail drop 100 WRED drop Not supported Thresholds 2 ...

Page 640: ... drop Disabled 80 WRED drop Enabled 40 low 80 high Threshold 3 CoS 4 DSCP Tail drop Disabled 90 WRED drop Enabled 50 low 90 high Threshold 4 CoS 6 and 7 DSCP Tail drop Disabled 100 WRED drop Enabled 50 low 100 high Standard receive queue 2 intermediate priority Threshold 1 CoS None DSCP 14 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP 12 Tail drop Enabled 100 ...

Page 641: ...None DSCP 18 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 4 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Standard receive queue 4 intermediate priority Threshold 1 CoS None DSCP 24 and 30 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP 28 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 3 ...

Page 642: ...oS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 4 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Standard receive queue 6 intermediate priority Threshold 1 CoS None DSCP 48 63 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold...

Page 643: ... CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 4 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Standard receive queue 8 high priority Threshold 1 CoS 5 DSCP 40 and 46 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 3 Co...

Page 644: ...0 high Threshold 4 CoS 6 and 7 Tail drop Disabled 100 WRED drop Enabled 50 low 100 high Thresholds 5 8 CoS None Tail drop Disabled 100 WRED drop Enabled 50 low 100 high Standard receive queues 2 7 intermediate priorities Thresholds 1 8 CoS None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Standard receive queue 8 highest priority Threshold 1 CoS 5 Tail drop Enabled 100 WRED drop Disab...

Page 645: ... drop 100 WRED drop Not supported Feature Default Value Standard transmit queue 1 low priority Threshold 1 CoS 0 and 1 Tail drop Not supported WRED drop 40 low 70 high Threshold 2 CoS 2 and 3 Tail drop Not supported WRED drop 70 low 100 high Standard transmit queue 2 high priority Threshold 1 CoS 4 and 6 Tail drop Not supported WRED drop 40 low 70 high Threshold 2 CoS 7 Tail drop Not supported WRE...

Page 646: ...None Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Thresholds 5 8 CoS None Tail drop Disabled 100 WRED drop Enabled 50 low 100 high Standard transmit queue 2 medium priority Threshold 1 CoS 2 Tail drop Disabled 70 WRED drop Enabled 40 low 70 high Threshold 2 CoS 3 and 4 Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Thresholds 3 8 CoS None Tail drop Disabled 100 WRED drop Enab...

Page 647: ...il drop Disabled 100 WRED drop Enabled 70 low 100 high Threshold 3 CoS 4 DSCP Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Threshold 4 CoS 6 and 7 DSCP Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Standard transmit queue 2 intermediate priority Threshold 1 CoS None DSCP 14 Tail drop Disabled 70 WRED drop Enabled 40 low 70 high Threshold 2 CoS None DSCP 12 Tail drop Disabled...

Page 648: ...None DSCP 18 Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Threshold 4 CoS None DSCP None Tail drop Disabled 100 WRED drop Enabled 70 low 100 high Standard transmit queue 4 intermediate priority Threshold 1 CoS None DSCP 24 and 30 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP 28 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 3 C...

Page 649: ...oS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 4 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Standard transmit queue 6 intermediate priority Threshold 1 CoS None DSCP 48 63 Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 2 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshol...

Page 650: ...ow 100 high Threshold 3 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Threshold 4 CoS None DSCP None Tail drop Enabled 100 WRED drop Disabled 100 low 100 high Strict priority transmit queue CoS 5 DSCP 40 and 46 Tail drop 100 nonconfigurable Feature Default Value Standard transmit queue 1 lowest priority Threshold 1 CoS 0 Tail drop Disabled 70 WRED drop Enabled 40 low...

Page 651: ... 100 high Thresholds 2 8 CoS None Tail drop Disabled 100 WRED drop Enabled 100 low 100 high Standard transmit queues 4 7 intermediate priorities Thresholds 1 8 CoS None Tail drop Disabled 100 WRED drop Enabled 100 low 100 high Strict priority transmit queue CoS 5 Tail drop 100 nonconfigurable Feature Default Value Standard transmit queue 1 lowest priority Threshold 1 CoS 0 and 1 Tail drop Disabled...

Page 652: ...rted Granularity for CIR and PIR Token Bucket Sizes page 41 55 IP Precedence and DSCP Values page 41 56 Feature Default Value Standard transmit queue 1 lowest priority Threshold 1 CoS 0 1 2 and 3 Tail drop Not supported WRED drop Enabled 70 low 100 high Standard transmit queue 3 high priority Threshold 1 CoS 4 6 and 7 Tail drop Not supported WRED drop Enabled 70 low 100 high Strict priority transm...

Page 653: ...tFlow and NetFlow data export NDE do not support interfaces where egress ACL support for remarked DSCP is configured When egress ACL support for remarked DSCP is configured on any interface you must configure an interface specific flowmask to enable NetFlow and NDE support on interfaces where egress ACL support for remarked DSCP is not configured Enter either the mls flow ip interface destination ...

Page 654: ...igure these commands only on physical ports Do not configure these commands on logical interfaces priority queue cos map wrr queue cos map wrr queue random detect wrr queue random detect max threshold wrr queue random detect min threshold wrr queue threshold wrr queue queue limit wrr queue bandwidth rcv queue cos map rcv queue bandwidth rcv queue random detect rcv queue random detect max threshold...

Page 655: ...roflow policing to IPv6 multicast traffic With egress ACL support for remarked DSCP configured the PFC3 does not provide hardware assistance for these features Cisco IOS reflexive ACLs TCP intercept Context Based Access Control CBAC Network Address Translation NAT With a PFC3 you cannot apply microflow policing to ARP traffic The PFC3 does not apply egress policing to traffic that is being bridged...

Page 656: ...leases PFC QoS supports the match any class map command PFC QoS supports class maps that contain a single match command PFC QoS does not support these class map commands match cos match classmap match destination address match input interface match qos group match source address Policy Map Command Restrictions PFC QoS does not support these policy map commands class class_name destination address ...

Page 657: ... 16777216 16 Mbs 262144 256 Kb 16777217 to 33554432 32 Mbs 524288 512 Kb 33554433 to 67108864 64 Mbs 1048576 1 Mb 67108865 to 134217728 128 Mbs 2097152 2 Mb 134217729 to 268435456 256 Mbs 4194304 4 Mb 268435457 to 536870912 512 Mbs 8388608 8 Mb 536870913 to 1073741824 1 Gps 16777216 16 Mb 1073741825 to 2147483648 2 Gps 33554432 32 Mb 2147483649 to 4294967296 4 Gps 67108864 64 Mb 4294967296 to 8589...

Page 658: ...1 1 0 1 0 1 0 1 0 1 0 1 2 3 4 5 6 7 4 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 32 33 34 35 36 37 38 39 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 8 9 10 11 12 13 14 15 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 40 41 42 43 44 45 46 47 ...

Page 659: ...3 Configuring Standard Queue Drop Threshold Percentages page 41 93 Mapping QoS Labels to Queues and Drop Thresholds page 41 99 Allocating Bandwidth Between Standard Transmit Queues page 41 109 Setting the Receive Queue Size Ratio page 41 111 Configuring the Transmit Queue Size Ratio page 41 112 Note PFC QoS processes both unicast and multicast traffic Enabling PFC QoS Globally To enable PFC QoS gl...

Page 660: ... ignore port trust is enabled PFC QoS does the following For IP traffic PFC QoS uses the received DSCP value as the initial internal DSCP value For traffic without a recognizable ToS byte PFC QoS maps the port CoS value to the initial internal DSCP value This example shows how to enable ignore port trust and verify the configuration Router configure terminal Router config mls qos marking ignore po...

Page 661: ...c traffic in IP in IP tunnels and traffic in GRE tunnels To enable DSCP transparency which preserves the received Layer 3 ToS byte perform this task When you preserve the received Layer 3 ToS byte QoS uses the marked or marked down CoS value for egress queueing and in egress tagged traffic This example shows how to preserve the received Layer 3 ToS byte and verify the configuration Router configur...

Page 662: ...ed command on the Layer 3 multicast ingress interfaces By default microflow policers affect only routed traffic To enable microflow policing of bridged traffic on specified VLANs perform this task Command Purpose Step 1 Router config mls qos queueing only Enables queueing only mode on the router Router config no mls qos queueing only Disables PFC QoS globally on the router Note You cannot disable ...

Page 663: ...relevant to application of PFC QoS to egress traffic on Layer 3 interfaces By default PFC QoS uses policy maps attached to LAN ports For ports configured as Layer 2 LAN ports with the switchport keyword you can configure PFC QoS to use policy maps attached to a VLAN Ports not configured with the switchport keyword are not associated with a VLAN To enable VLAN based PFC QoS on a Layer 2 LAN port pe...

Page 664: ...ber If you do not enter an IP ACL name or number egress ACL support for remarked DSCP is enabled for all IP ingress IP traffic on the interface This example shows how to enable egress ACL support for remarked DSCP on Fast Ethernet port 5 36 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 5 36 Router config if platform ip feat...

Page 665: ...t is the sum of all the independent policing rates In Release 12 2 18 SXE and later releases you can apply aggregate policers to IPv6 traffic With a PFC3 policing uses the Layer 2 frame size With a PFC2 policing uses the Layer 3 packet size See the PFC QoS Configuration Guidelines and Restrictions section on page 41 50 for information about rate and burst size granularity The valid range of values...

Page 666: ...ile traffic as follows The default conform action is transmit which sets the policy map class trust state to trust DSCP unless the policy map class contains a trust command To set PFC QoS labels in untrusted traffic enter the set dscp transmit keyword to mark matched untrusted traffic with a new DSCP value or enter the set prec transmit keyword to mark matched untrusted traffic with a new IP prece...

Page 667: ... a named aggregate policer with a 1 Mbps rate limit and a 10 MB burst size that transmits conforming traffic and marks down out of profile traffic Router config mls qos aggregate policer aggr 1 1000000 10000000 conform action transmit exceed action policed dscp transmit Router config end Router This example shows how to verify the configuration Router show mls qos aggregate policer aggr 1 ag1 1000...

Page 668: ...support IPX ACLs With the PFC3 you can configure MAC ACLs to filter IPX traffic With a PFC2 PFC QoS supports IPX ACLs that contain a source network parameter and the optional destination network and destination node parameters PFC QoS does not support IPX ACLs that contain other parameters for example source node protocol source socket destination socket or service type With a PFC2 or PFC3 PFC QoS...

Page 669: ...ypes for example IPv4 traffic IPv6 traffic and MPLS traffic in addition to MAC layer traffic You can configure these interface types for protocol independent MAC ACL filtering VLAN interfaces without IP addresses Physical LAN ports configured to support EoMPLS Logical LAN subinterfaces configured to support EoMPLS Ingress traffic permitted or denied by a MAC ACL on an interface configured for prot...

Page 670: ... interface 6 1 for protocol independent MAC ACL filtering and how to verify the configuration Router config interface gigabitethernet 6 1 Router config if mac packet classify Router config if end Router show running config interface gigabitethernet 6 1 begin 6 1 interface GigabitEthernet6 1 mtu 9216 no ip address mac packet classify mpls l2transport route 4 4 4 4 4094 end This example shows how to...

Page 671: ... in MAC ACLs used for VACL filtering With Release 12 2 18 SXD and later releases the vlan keyword for VLAN based QoS filtering in MAC ACLs can be globally enabled or disabled and is disabled by default You can enter MAC addresses as three 2 byte values in dotted hexadecimal format For example 0030 9629 9f84 You can enter MAC address masks as three 2 byte values in dotted hexadecimal format Use 1 b...

Page 672: ...hase IV Route 0x6004 lat DEC Local Area Transport LAT 0x6005 diagnostic DEC DECnet Diagnostics 0x6007 lavc sca DEC Local Area VAX Cluster LAVC SCA 0x6008 amber DEC AMBER 0x6009 mumps DEC MUMPS 0x0800 ip Malformed invalid or deliberately corrupt IP frames 0x8038 dec spanning DEC LANBridge Management 0x8039 dsm DEC DSM DDP 0x8040 netbios DEC PATHWORKS DECnet NETBIOS Emulation 0x8041 msdos DEC Local ...

Page 673: ...entries to an existing list are placed at the end of the list You cannot add entries to the middle of a list This example shows how to create an ARP ACL named arp_filtering that only permits ARP traffic from IP address 1 1 1 1 Router config arp access list arp_filtering Router config arp nacl permit ip host 1 1 1 1 mac any Configuring a Class Map These sections describe class map configuration Cre...

Page 674: ...the PFC3 supports the match protocol ipv6 command Because of conflicting TCAM lookup flow key bit requirements you cannot configure IPv6 DSCP based filtering and IPv6 Layer 4 range based filtering on the same interface For example If configure both a DSCP value and a Layer 4 greater than gt or less than lt operator in an IPv6 ACE you cannot use the ACL for PFC QoS filtering If configure a DSCP val...

Page 675: ...precedence values Note Does not support source based or destination based microflow policing Router config cmap no match precedence ipp_value1 ipp_value2 ipp_valueN Clears configured IP precedence values from the class map Router config cmap match dscp dscp_value1 dscp_value2 dscp_valueN Optional for IPv4 or IPv6 traffic only Configures the class map to filter based on up to eight DSCP values Note...

Page 676: ...contain one or more policy map classes each with different policy map commands Configure a separate policy map class in the policy map for each type of traffic that an interface receives Put all commands for each type of traffic in the same policy map class PFC QoS does not attempt to apply commands from more than one policy map class to matched traffic These sections describe policy map configura...

Page 677: ...wing information Policy maps can contain one or more policy map classes Put all trust state and policing commands for each type of traffic in the same policy map class PFC QoS only applies commands from one policy map class to traffic After traffic has matched the filtering in one policy map class QoS does apply the filtering configured in other policy map classes For hardware switched traffic PFC...

Page 678: ...ass Marking page 41 76 Configuring the Policy Map Class Trust State page 41 77 Configuring Policy Map Class Policing page 41 77 Configuring Policy Map Class Marking In Release 12 2 18 SXF5 and later releases when the ignore port trust feature is enabled PFC QoS supports policy map class marking for all traffic with set policy map class commands In all releases PFC QoS supports policy map class mar...

Page 679: ... set dscp transmit or set prec transmit keywords as arguments to the exceed action keyword PFC QoS does not detect the use of unsupported keywords until you attach a policy map to an interface These sections describe configuration of policy map class policing Using a Named Aggregate Policer page 41 77 Configuring a Per Interface Policer page 41 78 Note Policing with the conform action transmit key...

Page 680: ...and egress policing to the same traffic both the input policy and the output policy must either mark down traffic or drop traffic PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown With Release 12 2 18 SXE and later releases you can apply aggregate and microflow policers to IPv6 traffic With a PFC3 policing uses the Layer 2 frame size With a PFC2 polici...

Page 681: ...resses to be part of the same flow including traffic with different EtherTypes Microflow policers do not support the maximum_burst_bytes parameter the pir bits_per_second keyword and parameter or the violate action keyword Note The flowmask requirements of microflow policing NetFlow and NetFlow data export NDE might conflict The valid range of values for the CIR bits_per_second parameter is as fol...

Page 682: ...hat aggregate and microflow policers that are applied to the same traffic each specify the same conform action behavior Optional For traffic that exceeds the CIR you can specify an exceed action as follows For marking without policing you can enter the transmit keyword to transmit all matched out of profile traffic The default exceed action is drop except with a maximum_burst_bytes parameter drop ...

Page 683: ...map configuration perform this task This example shows how to verify the configuration Router show policy map max pol ipp5 Policy Map max pol ipp5 class ipp5 class ipp5 police flow 10000000 10000 conform action set prec transmit 6 exceed action policed dscp transmit trust precedence police 2000000000 2000000 2000000 conform action set prec transmit 6 exceed action policed dscp transmit Router Atta...

Page 684: ...ching modules Aggregate policing does not combine flow statistics from different DFC equipped switching modules You can display aggregate policing statistics for each DFC equipped switching module and for the PFC and any non DFC equipped switching modules supported by the PFC Each PFC or DFC polices independently which might affect QoS features being applied to traffic that is distributed across t...

Page 685: ...CP mutation These sections describe how to configure egress DSCP mutation on a PFC3 Configuring Named DSCP Mutation Maps page 41 83 Attaching an Egress DSCP Mutation Map to an Interface page 41 84 Configuring Named DSCP Mutation Maps To configure a named DSCP mutation map perform this task When configuring a named DSCP mutation map note the following information You can enter up to 8 DSCP values t...

Page 686: ...and the second digit is in the top row In the example shown DSCP 30 maps to DSCP 08 Attaching an Egress DSCP Mutation Map to an Interface To attach an egress DSCP mutation map to an interface perform this task This example shows how to attach the egress DSCP mutation map named mutmap1 to Fast Ethernet port 5 36 Router configure terminal Enter configuration commands one per line End with CNTL Z Rou...

Page 687: ...not support ingress CoS mutation Ports that are not configured to trust received CoS do not support ingress CoS mutation Ingress CoS mutation does not change the CoS value carried by the customer frames When the customer traffic exits the 802 1Q tunnel the original CoS is intact Ingress CoS mutation configuration applies to all ports in a port group The port groups are WS X6704 10GE 4 ports 4 port...

Page 688: ...at do not support ingress CoS mutation This restriction extends without limit through all port group linked member ports and port channel interface linked ports There can be only be one ingress CoS mutation configuration applied to all port group linked member ports and port channel interface linked ports Configuring Ingress CoS Mutation Maps To configure an ingress CoS mutation map perform this t...

Page 689: ...rfaces Gi1 1 Router Configuring DSCP Value Maps These sections describe how DSCP values are mapped to other values Mapping Received CoS Values to Internal DSCP Values page 41 88 Mapping Received IP Precedence Values to Internal DSCP Values page 41 88 Configuring DSCP Markdown Values page 41 89 Mapping Internal DSCP Values to Egress CoS Values page 41 90 Command Purpose Step 1 Router config interfa...

Page 690: ...orm this task This example shows how to configure the received IP precedence to internal DSCP map Router configure terminal Enter configuration commands one per line End with CNTL Z Router config mls qos map ip prec dscp 0 1 2 3 4 5 6 7 Router config end Router Command Purpose Step 1 Router config mls qos map cos dscp dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8 Configures the received CoS to i...

Page 691: ...s equal to the normal_burst_bytes parameter which occurs if you do not enter the maximum_burst_bytes parameter the exceed action policed dscp transmit keywords cause PFC QoS to mark traffic down as defined by the policed dscp max burst markdown map To avoid out of sequence packets configure the markdown maps so that conforming and nonconforming traffic uses the same queue You can enter up to 8 DSC...

Page 692: ... 09 1 10 11 12 13 14 15 16 17 18 19 2 20 21 22 23 24 25 26 27 28 29 3 30 31 32 33 34 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Output Truncated Router Note In the Policed dscp displays the marked down DSCP values are shown in the body of the matrix the first digit of the original DSCP value is in the column labeled d1 and the second digit is in th...

Page 693: ... end Router This example shows how to verify the configuration Router show mls qos map begin Dscp cos map Dscp cos map dscp d1d2 d1 d2 0 1 2 3 4 5 6 7 8 9 0 00 00 00 00 00 00 00 00 00 01 1 01 01 01 01 01 01 00 02 02 02 2 02 02 02 02 00 03 03 03 03 03 3 03 03 00 04 04 04 04 04 04 04 4 00 05 05 05 05 05 05 05 00 06 5 06 06 06 06 00 06 07 07 07 07 6 07 07 07 07 Output Truncated Router Note In the Dsc...

Page 694: ...icy With Release 12 2 17b SXA and later releases you can configure IEEE 8021 Q tunnel ports configured with the mls qos trust cos command to use a mutated CoS value instead of the received CoS value Configuring Ingress CoS Mutation on IEEE 802 1Q Tunnel Ports section on page 41 85 Use the no mls qos trust command to set the port state to untrusted This example shows how to configure Gigabit Ethern...

Page 695: ...configure the CoS value for an ingress LAN port perform this task This example shows how to configure the CoS value 5 on Fast Ethernet port 5 24 and verify the configuration Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 5 24 Router config if mls qos cos 5 Router config if end Router show queueing interface fastethernet 5 24...

Page 696: ...n you configure multiple threshold standard queues note the following information The first percentage that you enter sets the lowest priority threshold The second percentage that you enter sets the next highest priority threshold The last percentage that you enter sets the highest priority threshold The percentages range from 1 to 100 A value of 10 indicates a threshold when the buffer is 10 perc...

Page 697: ...guring a WRED Drop Transmit Queue These port types have only WRED drop thresholds in their transmit queues 1p2q2t transmit 1p2q1t transmit Command Purpose Step 1 Router config interface fastethernet gigabitethernet slot port Selects the interface to configure Step 2 Router config if rcv queue threshold queue_id thr1 thr2 thr3 thr4 thr5 thr6 thr7 thr8 Configures the receive queue tail drop threshol...

Page 698: ...Purpose Step 1 Router config interface type1 slot port 1 type fastethernet gigabitethernet or tengigabitethernet Selects the interface to configure Step 2 Router config if rcv queue threshold queue_id thr1 thr2 thr3 thr4 thr5 thr6 thr7 thr8 Configures the tail drop thresholds Router config if no rcv queue threshold queue_id Reverts to the default tail drop thresholds Step 3 Router config if rcv qu...

Page 699: ...stethernet gigabitethernet or tengigabitethernet Selects the interface to configure Step 2 Router config if wrr queue threshold queue_id thr1 thr2 thr3 thr4 thr5 thr6 thr7 thr8 Configures the tail drop thresholds Router config if no wrr queue threshold queue_id Reverts to the default tail drop thresholds Step 3 Router config if wrr queue random detect min threshold queue_id thr1 thr2 thr3 thr4 thr...

Page 700: ... value of 10 indicates a threshold when the buffer is 10 percent full Always set threshold 2 to 100 percent Ethernet and Fast Ethernet 1q4t ports do not support receive queue tail drop thresholds This example shows how to configure receive queue 1 threshold 1 and transmit queue 1 threshold 1 for Gigabit Ethernet port 2 1 Router configure terminal Enter configuration commands one per line End with ...

Page 701: ...nes and Restrictions page 41 99 Configuring DSCP Based Queue Mapping page 41 100 Configuring CoS Based Queue Mapping page 41 105 Queue and Drop Threshold Mapping Guidelines and Restrictions When mapping QoS labels to queues and thresholds note the following information When SRR is enabled you cannot map any CoS values or DSCP values to strict priority queues Queue number 1 is the lowest priority s...

Page 702: ...onfig if mls qos queue mode mode dscp Router config if end This example shows how to verify the configuration Router show queueing interface tengigabitethernet 6 1 include Queueing Mode Queueing Mode In Tx direction mode dscp Queueing Mode In Rx direction mode dscp Configuring Ingress DSCP Based Queue Mapping Ingress DSCP to queue mapping is supported only on ports configured to trust DSCP These s...

Page 703: ... queue and threshold You can enter multiple commands to map additional DSCP values to the queue and threshold You must enter a separate command for each queue and threshold Command Purpose Step 1 Router config interface tengigabitethernet slot port Selects the interface to configure Step 2 Router config if mls qos trust dscp Configures the port to trust received DSCP values Router config if no mls...

Page 704: ...0 1 Router config if end Router Note The receive queue mapping is shown in the second queue thresh dscp map displayed by the show queueing interface command This example shows how to verify the configuration Router show queueing interface tengigabitethernet 1 1 begin queue thresh dscp map Output Truncated queue thresh dscp map 1 1 0 1 2 3 4 5 6 7 8 9 11 13 15 16 17 19 21 23 25 27 29 31 33 39 41 42...

Page 705: ...lues 0 and 1 to standard transmit queue 1 threshold 1 for 10 Gigabit Ethernet port 6 1 port 6 1 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface tengigabitethernet 6 1 Router config if wrr queue dscp map 1 1 0 1 Router config if end Router Command Purpose Step 1 Router config interface tengigabitethernet slot port Selects the interface to ...

Page 706: ... 53 54 55 56 57 58 59 60 61 62 63 6 2 6 3 6 4 7 1 7 2 7 3 7 4 8 1 40 46 Output Truncated Router Mapping DSCP Values to the Transmit Strict Priority Queue To map DSCP values to the transmit strict priority queue perform this task Command Purpose Step 1 Router config interface tengigabitethernet slot port Selects the interface to configure Step 2 Router config if priority queue dscp map queue_ dscp1...

Page 707: ...thresh dscp map queue thresh dscp map Output Truncated 8 1 7 40 46 Output Truncated Router Configuring CoS Based Queue Mapping These sections describe how to configure CoS based queue mapping Mapping CoS Values to Standard Receive Queue Thresholds page 41 105 Mapping CoS Values to Standard Transmit Queue Thresholds page 41 106 Mapping CoS Values to Strict Priority Queues page 41 107 Mapping CoS Va...

Page 708: ...w to map the CoS values 0 and 1 to standard transmit queue 1 threshold 1 for Fast Ethernet port 5 36 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 5 36 Router config if wrr queue cos map 1 1 0 1 Router config if end Router This example shows how to verify the configuration Router show queueing interface fastethernet 5 36 be...

Page 709: ...cos map 1 7 Router config if end Router This example shows how to verify the configuration Router show queueing interface gigabitethernet 1 1 Output Truncated Transmit queues type 1p2q2t Output Truncated queue thresh cos map 1 1 0 1 1 2 2 3 2 1 4 2 2 6 3 1 5 7 Receive queues type 1p1q4t Output Truncated queue thresh cos map 1 1 0 1 1 2 2 3 1 3 4 1 4 6 2 1 5 7 Output Truncated Router Command Purpos...

Page 710: ...he low priority standard transmit queue Queue 2 is the high priority standard transmit queue There are two thresholds in each queue Enter up to 8 CoS values to map to the threshold This example shows how to map the CoS values 0 and 1 to standard transmit queue 1 threshold 1 for Fast Ethernet port 5 36 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config...

Page 711: ...q1t 1p2q1t 1p3q8t 1p7q4t and 1p7q8t ports Note You configure DWRR ports with the same commands that you use on WRR ports Weighted round robin WRR WRR allows a queue to use more than the allocated bandwidth if the other queues are not using any up to the total bandwidth of the port WRR is the dequeuing algorithm on all other ports With Release 12 2 18 SXF and later releases you can enter percentage...

Page 712: ...ue_percentage intermediate_priority_queue_percentages high_priority_queue_percentage Or Router config if wrr queue bandwidth shape low_priority_queue_weight intermediate_priority_queue_weights high_priority_queue_weight Allocates bandwidth between standard transmit queues Enter the bandwidth keyword to configure DWRR or WRR Enter the shape keyword to configure SRR Use of SRR prevents use of the st...

Page 713: ...percent This example shows how to set the receive queue size ratio for Fast Ethernet port 2 2 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 2 2 Router config if rcv queue queue limit 75 15 Router config if end Router This example shows how to verify the configuration Router show queueing interface fastethernet 2 2 include q...

Page 714: ...sets the egress strict priority queue size equal to the high priority queue size Estimate the mix of low priority to high priority traffic on your network for example 80 percent low priority traffic and 20 percent high priority traffic Use the estimated percentages as queue weights You must enter weights for all the standard transmit queues on the interface 2 3 or 7 weights Valid values are from 1...

Page 715: ...ibed in the Sample Network Design Overview section on page 41 113 This section uses this sample network to describe some regularly used QoS configurations These sections describe some common QoS scenarios Sample Network Design Overview page 41 113 Classifying Traffic from PCs and IP Phones in the Access Layer page 41 114 Accepting the Traffic Priority Value on Interswitch Links page 41 117 Priorit...

Page 716: ...fic identification Instead they can administer QoS policies based on these previously set priority values This approach simplifies policy administration Note You should develop a QoS deployment strategy for assigning packet priorities to your particular network traffic types and applications For more information on QoS guidelines refer to RFC 2597 and RFC 2598 as well as the various QoS design gui...

Page 717: ...PC are attached has been configured for a voice VLAN VLAN 110 which is used to separate the phone traffic subnet 10 1 110 0 24 from the PC traffic 10 1 10 0 24 The voice VLAN subnet uniquely identifies the voice traffic The UDP and TCP port numbers identify the different applications This is the access port access control list ACL configuration Identify the Voice Traffic from an IP Phone VVLAN ip ...

Page 718: ...N interfaces only the PFC3 supports output policies In this example you apply the policy as an input service policy to each interface that has a PC and IP phone attached This example uses port based QoS which is the default for Ethernet ports interface FastEthernet5 1 service policy input IPPHONE PC A QoS policy now has been successfully configured to classify the traffic coming in from both an IP...

Page 719: ...t is set not to trust incoming traffic priority settings the priority setting of the incoming traffic is rewritten to the lowest priority zero Traffic that arrives on an interface that is set to trust incoming traffic priority settings retains its priority setting Examples of ports on which it might be valid to trust incoming priority settings are ports that are connected to IP phones and other IP...

Page 720: ...cheduling function is responsible for transmitting the high priority traffic with greater frequency than the low priority traffic The net effect is a differentiated service for the various traffic classes These two concepts are fundamental to the provision of differentiated service for various traffic classes Assigning the traffic to a particular queue Setting the queue scheduling algorithm Once Q...

Page 721: ... 01 01 01 02 02 02 02 2 02 02 02 02 03 03 03 03 03 03 3 03 03 04 04 04 04 04 04 04 04 4 05 05 05 05 05 05 05 05 06 06 5 06 06 06 06 06 06 07 07 07 07 6 07 07 07 07 Router The example marked the voice traffic with a DSCP value of 46 You can use the command output to translate DSCP 46 to CoS 5 You can use the command output to translate the other marked DSCP values to CoS values You can make changes...

Page 722: ...network Only minor changes are typically necessary and this example includes no changes If your network requires different mapping see the Mapping CoS Values to Standard Transmit Queue Thresholds section on page 41 106 Now you understand how traffic is assigned to the available queues on the output ports of the router The next concept to understand is how the queue weights operate which is called ...

Page 723: ...d is called policing Policing is implemented in the PFC hardware with no performance impact A policer operates by allowing the traffic to flow freely as long as the traffic rate remains below the configured transmission rate Traffic bursts are allowed provided that they are within the configured burst size Any traffic that exceeds the configured rate and burst can be either dropped or marked down ...

Page 724: ... allowed in this traffic class This example configures the CIR to be 50 Mbps The 1562500 parameter defines the CIR burst size for traffic in this traffic class this example uses a default maximum burst size Set the CIR burst size to the maximum TCP window size used on the network The conform action keywords define what the policer does with CLASSIFY OTHER packets transmitted when the traffic level...

Page 725: ...avoidance with Layer 2 CoS value based drop thresholds A drop threshold is the percentage of queue buffer utilization above which frames with a specified Layer 2 CoS value is dropped leaving the buffer available for frames with higher priority Layer 2 CoS values Differentiated Services Code Point DSCP is a Layer 3 QoS label carried in the six most significant bits of the ToS byte in the IP header ...

Page 726: ... the assignment of Layer 2 frames to a queue PFC QoS assigns frames to a queue based on Layer 2 CoS values Shaped round robin SRR is a dequeuing algorithm Threshold Percentage of queue capacity above which traffic is dropped Type of Service ToS is a one byte field that exists in an IP version 4 header that is used to specify the priority value applied to the packet The ToS field consists of eight ...

Page 727: ...rking available for PFC3BXL or PFC3B mode MPLS QoS are managed from the modular QoS command line interface CLI The modular QoS CLI MQC is a command line interface that allows you to define traffic classes create and configure traffic policies policy maps and then attach those traffic policies to interfaces A detailed description of the modular QoS CLI can be found in the Cisco IOS Quality of Servi...

Page 728: ...d is a 3 bit field The maximum number of classes would be less after reserving some values for control plane traffic or if some of the classes have a drop precedence associated with them EXP bits define the QoS treatment per hop behavior that a node should give to a packet It is the equivalent of the DiffServ Code Point DSCP in the IP network A DSCP defines a class and drop precedence The EXP bits...

Page 729: ...IP packets transported through their networks By choosing different values for the MPLS EXP field you can mark packets so that packets have the priority that they require during periods of congestion By default the IP precedence value is copied into the MPLS EXP field during imposition You can mark the MPLS EXP bits with a PFC3BXL or PFC3B mode MPLS QoS policy Trust For received Layer 3 MPLS packe...

Page 730: ...uring a Policy Map section on page 42 23 for information Preserving IP ToS The PFC3BXL or PFC3B automatically preserves the IP ToS during all MPLS operations including imposition swapping and disposition You do not need to enter a command to save the IP ToS EXP Mutation You can configure a named egress EXP mutation map to mutate the internal DSCP derived EXP value before it is used as the egress E...

Page 731: ...into the MPLS EXP field at the edge of the network However the service provider might want to set QoS for an MPLS packet to a different value determined by the service offering In that case the service provider can set the MPLS EXP field The IP header remains available for the customer s use the QoS of an IP packet is not changed as the packet travels through the MPLS network For more information ...

Page 732: ...ng interface The nonaggregate label indicates that the packet contains the IP next hop information This section describes how edge LERs can operate at either the ingress or the egress side of an MPLS network At the ingress side of an MPLS network LERs process packets as follows 1 Layer 2 or Layer 3 traffic enters the edge of the MPLS network at the edge LER PE1 2 The PFC3BXL or PFC3B receives the ...

Page 733: ...network there is no IP precedence field for the queueing algorithm to use because the packets are MPLS packets The packets remain MPLS packets until they arrive at PE2 the provider edge router LERs at the Output Edge of an MPLS Network At the egress side of an MPLS network LERs process packets as follows 1 MPLS labeled packets and 802 1p bits or IP ToS bits from a core LSR arrive at the egress LER...

Page 734: ...The out of profile packets can be either dropped or marked down in the DSCP This section describes PFC3BXL or PFC3B mode MPLS QoS for the following LERs at the EoMPLS Edge page 42 8 LERs at the IP Edge MPLS MPLS VPN page 42 9 LSRs at the MPLS Core page 42 13 Note The following sections refer to QoS features for LAN ports OSM ports and FlexWAN ports For details about how the different features work...

Page 735: ...3B Mode MPLS QoS page 42 12 Classification at MPLS to IP Ingress Port page 42 12 Classification at MPLS to IP Egress Port page 42 12 LERs at the IP Edge MPLS MPLS VPN This section provides information about QoS features for LERs at the ingress CE to PE and egress PE to CE edges for MPLS and MPLS VPN networks Both MPLS and MPLS VPN support general MPLS QoS features See the MPLS VPN section on page ...

Page 736: ...e CoS derived from the internal DSCP to the IP ToS byte in the egress packet For IP to MPLS traffic the PFC3BXL or PFC3B will map the internal DSCP to the imposed EXP value A PFC3BXL or PFC3B policy to mark MPLS EXP sets the internal DSCP If it is applied to all traffic then for IP to IP traffic the egress port rewrites the IP ToS according to the ingress IP policy or trust The CoS is mapped from ...

Page 737: ...y The PFC3BXL queues the packet based on COS derived from EXP to DSCP to CoS mapping The underlying IP DSCP is either preserved after egress decapsulation or overwritten from the EXP through the EXP to DSCP map IP classification for aggregate label hits in VPN CAM The PFC3BXL or PFC3B does one of the following Preserves the underlying IP ToS Rewrites the IP ToS by a value derived from the EXP to D...

Page 738: ... however you cannot use both in the same output policy If the egress port is a trunk the LAN ports and OSM GE WAN ports copy the egress CoS into the egress 802 1Q field Note For MPLS to IP egress IP ACL or QoS is not effective on the egress interface if the egress interface has MPLS IP or tag IP enabled The exception is a VPN CAM hit in which case the packet is classified on egress as IP MPLS VPN ...

Page 739: ...inside the MPLS domain MPLS to MPLS PFC3BXL or PFC3B mode MPLS QoS at the MPLS core supports the following Per EXP policing based on a service policy Copying the input topmost EXP value into the newly imposed EXP value Optional EXP mutation changing of EXP values on an interface edge between two neighboring MPLS domains on the egress boundary between MPLS domains Microflow policing based on indivi...

Page 740: ...ps the internal DSCP to the EXP value in the imposed label using the internal DSCP to EXP map It then copies the EXP value in the imposed label to the underlying swapped label The PFC3BXL or PFC3B assigns the egress CoS using the internal DSCP to CoS global map If the DSCP maps are consistent the egress CoS is based on the EXP value in the imposed label The PFC3BXL or PFC3B can mark in profile and...

Page 741: ...PFC3BXL or PFC3B MPLS QoS Default Configuration This section describes the PFC3BXL or PFC3B MPLS QoS default configuration The following global PFC3BXL or PFC3B MPLS QoS settings apply Feature Default Value PFC QoS global enable state Note With PFC QoS disabled and all other PFC QoS parameters at default values default EXP is mapped from IP precedence Note With PFC QoS enabled and all other PFC Qo...

Page 742: ...DSCP 16 23 EXP 2 DSCP 24 31 EXP 3 DSCP 32 39 EXP 4 DSCP 40 47 EXP 5 DSCP 48 55 EXP 6 DSCP 56 63 EXP 7 Marked down DSCP from DSCP map Marked down DSCP value equals original DSCP value no mark down EXP mutation map No mutation map by default Policers None Policy maps None MPLS flow mask in NetFlow table Label EXP value MPLS core QoS There are four possibilities at the MPLS core QoS Swapping Incoming...

Page 743: ... When QoS is queuing only the EXP value is based on the received IP ToS For EoMPLS imposition when the received packet is a non IP packet When QoS is disabled the EXP value is based on the ingress CoS When QoS is queuing only the EXP value is based on the received IP ToS For MPLS to MPLS operations Swapping when QoS is disabled the EXP value is based on the original EXP value in the absence of EXP...

Page 744: ...ring the MPLS Packet Trust State on Ingress Ports page 42 22 Configuring a Policy Map page 42 23 Displaying a Policy Map page 42 28 Configuring PFC3BXL or PFC3B Mode MPLS QoS Egress EXP Mutation page 42 29 Configuring EXP Value Maps page 42 31 Enabling QoS Globally Before you can configure QoS on the PFC3BXL or PFC3B you must enable the QoS functionality globally using the mls qos command This com...

Page 745: ...kets with COS changed by policing 0 Non IP packets with COS changed by policing 3 MPLS packets with EXP changed by policing 0 Enabling Queueing Only Mode To enable queueing only mode perform this task When you enable queueing only mode the router does the following Disables marking and policing globally Configures all ports to trust Layer 2 CoS Note The router applies the port CoS value to untagge...

Page 746: ... of EXP mutation Imposing an additional label when QoS is disabled the EXP value is based on the original EXP value in the absence of EXP mutation Imposing additional label when QoS is queuing only the EXP value is based on the original EXP value in the absence of EXP mutation Popping one label when QoS is disabled the EXP value is based on the underlying EXP value Popping one label when QoS is qu...

Page 747: ...000000 conform action transmit exceed action drop Router show running config interface fastethernet 3 27 Building configuration Current configuration 173 bytes interface FastEthernet3 27 ip address 47 0 0 1 255 0 0 0 tag switching ip end Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 3 27 Router config if service policy inpu...

Page 748: ... Fl AgForward By AgPoliced By Id Id Vl300 5 In x 44 1 No 0 0 0 Fa3 27 5 Out iptcp 24 2 0 0 0 All 5 Default 0 0 No 0 3466610741 0 Restrictions and Usage Guidelines The following restrictions and guidelines apply when classifying MPLS packets The match mpls experimental command specifies the name of an EXP field value to be used as the match criterion against which packets are checked to determine i...

Page 749: ...ach with different policy map commands Configure a separate policy map class in the policy map for each type of traffic that an interface receives Put all commands for each type of traffic in the same policy map class PFC3BXL or PFC3B MPLS QoS does not attempt to apply commands from more than one policy map class to matched traffic Configuring a Policy Map to Set the EXP Value on All Imposed Label...

Page 750: ...xperimental imposition 3 Router show class iptcp Class Map match all iptcp id 62 Match access group101 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 3 27 Router config if ser in ip2tag Router config if Routers 1w4d SYS 5 CONFIG_I Configured from console by console Router show pol ip2tag Policy Map ip2tag Class iptcp set mpl...

Page 751: ...er show policy map ip2tag Policy Map ip2tag Class iptcp set mpls experimental imposition 3 EXP Value Imposition Guidelines and Restrictions When setting the EXP value on all imposed labels follow these guidelines and restrictions Use the set mpls experimental imposition command during label imposition This command sets the MPLS EXP field on all imposed label entries The set mpls experimental impos...

Page 752: ...ion protocol source port and destination port For additional information on aggregate and microflow policing see the Policers section on page 41 20 To configure traffic policing use the police command For information on this command see the Cisco IOS Master Command List Release 12 2SX This is an example of creating a policy map with a policer Router config policy map ip2tag Router config pmap clas...

Page 753: ...g Trust Fl AgForward By AgPoliced By Id Id Fa3 27 5 In iptcp 24 2 No 0 0 0 Vl300 5 In x 44 1 No 0 0 0 All 5 Default 0 0 No 0 3468105262 0 Router show policy interface fastethernet 3 27 FastEthernet3 27 Service policy input ip2tag class map iptcp match all Match access group 101 police 1000000 bps 1000000 limit 1000000 extended limit Earl in slot 5 0 bytes 5 minute offered rate 0 bps aggregate forw...

Page 754: ... label stack With MPLS the flow key is based on the label and EXP value there is no flowmask option Otherwise flow key operation is similar to IP to IP See the Configuring a Policy Map section on page 41 74 You can use the police command to set the pushed label entry value to a value different from the default value during label imposition When imposing labels onto the received IP traffic with the...

Page 755: ... set mpls exp imposition transmit exceeded 0 bytes action drop aggregate forward 0 bps exceed 0 bps class map class default match any Match any Class map class default match any 0 packets 0 bytes 5 minute offered rate 0 bps drop rate 0 bps Match any Configuring PFC3BXL or PFC3B Mode MPLS QoS Egress EXP Mutation You can configure a named egress EXP mutation map to mutate the internal DSCP derived E...

Page 756: ...uter config interface fastethernet 3 26 Router config if mls qos exp mutation mutemap2 Router config if end Command Purpose Step 1 Router config mls qos map exp mutation name mutated_exp1 mutated_exp2 mutated_exp3 mutated_exp4 mutated_exp5 mutated_exp6 mutated_exp7 mutated_exp8 Configures a named EXP mutation map Router config no mls qos map exp mutation name Reverts to the default map Step 2 Rout...

Page 757: ...Named Egress DSCP to Egress EXP Map To configure a named egress DSCP to egress EXP map perform this task This example shows how to configure a named egress DSCP to egress EXP map Router config mls qos map dscp exp 20 25 to 3 Router config Command Purpose Step 1 Router config mls qos map exp dscp values Configures the ingress EXP value to internal DSCP map You must enter eight DSCP values correspon...

Page 758: ...marking throughout the network including CE and core routers EXP marking is propagated to the underlying ToS byte For a description see the Uniform Mode section on page 42 33 For the configuration procedure see the Configuring Uniform Mode section on page 42 40 Both tunneling modes affect the behavior of edge and penultimate label switching routers LSRs where labels are put onto packets and remove...

Page 759: ...l information see MPLS DiffServ Tunneling Modes at this URL http www cisco com en US docs ios 12_2t 12_2t13 feature guide ftdtmode html Short Pipe Mode Restrictions and Guidelines The following restriction applies to Short Pipe mode Short Pipe mode is not supported if the MPLS to IP egress interface is EoMPLS the adjacency has the end of marker EOM bit set Uniform Mode In Uniform mode packets are ...

Page 760: ...pied into the next lower level label 5 When all MPLS labels have been removed from the packet that is sent out as an IP packet the IP precedence or DSCP value is set to the last changed EXP value in the core The following is an example when there are IP precedence bit markings 1 At CE1 customer equipment 1 the IP packet has an IP precedence value of 3 2 When the packet arrives in the MPLS network ...

Page 761: ...bility of the MPLS layer management by control on managed customer edge CE routers MPLS can tunnel a packet s QoS that is the QoS is transparent from edge to edge With QoS transparency the IP marking in the IP packet is preserved across the MPLS network The MPLS EXP field can be marked differently and separately from the PHB marked in the IP precedence or DSCP field Configuring Short Pipe Mode The...

Page 762: ...erface This procedure classifies packets based on their MPLS EXP field and provides appropriate discard and scheduling treatments Command Purpose Step 1 Router config mls qos Enables QoS functionality Step 2 Router config access list ipv4_acl_number_or_name permit any Creates an IPv4 access list Step 3 Router config class map class_name Creates a class map Step 4 Router config cmap match access gr...

Page 763: ...unctionality Step 2 Router config class map class_name Specifies the class map to which packets will be mapped matched Creates a traffic class Step 3 Router config c map match mpls experimental exp_list Specifies the MPLS EXP field values used as a match criteria against which packets are checked to determine if they belong to the class Step 4 Router config policy map name Configures the QoS polic...

Page 764: ...s qos Enables QoS functionality Step 2 Router config class map class_name Specifies the class map to which packets will be mapped matched Creates a traffic class Step 3 Router config c map match mpls experimental exp_list Specifies the MPLS EXP field values used as a match criteria against which packets are checked to determine if they belong to the class Step 4 Router config policy map name Confi...

Page 765: ...ut output qos Command Purpose Step 1 Router config mls qos Enables QoS functionality Step 2 Router config class map class_name Specifies the class map to which packets will be mapped matched Creates a traffic class Step 3 Router config c map match ip dscp dscp_values Uses the DSCP values as the match criteria Step 4 Router config policy map name Configures the QoS policy for packets that match the...

Page 766: ... map to set the MPLS EXP field in imposed label entries perform this task Command Purpose Step 1 Router config mls qos Enables QoS functionality Step 2 Router config access list ipv4_acl_number_or_name permit any Creates an IPv4 access list Step 3 Router config class map class_name Creates a class map Step 4 Router config cmap match access group ipv4_acl_number_or_name Configures the class map to ...

Page 767: ...ty Step 2 Router config class map class_name Specifies the class map to which packets will be mapped matched Creates a traffic class Step 3 Router config c map match mpls experimental exp_list Specifies the MPLS EXP field values used as a match criteria against which packets are checked to determine if they belong to the class Step 4 Router config policy map name Configures the QoS policy for pack...

Page 768: ...p to which packets will be mapped matched Creates a traffic class Step 3 Router config c map match ip precedence precedence value Identifies IP precedence values as match criteria Step 4 Router config policy map name Configures the QoS policy for packets that match the class or classes Step 5 Router config p map class class_name Associates the traffic class with the service policy Step 6 Router co...

Page 769: ...ap match ip precedence 4 Router config policy map output qos Router config p map class IP PREC 4 Router config p map c bandwidth percent 40 Router config p map class class default Router config p map c random detect Router config interface GE WAN 3 2 32 Router config if mpls propagate cos Router config if service policy output output qos Tip For additional information including configuration examp...

Page 770: ...42 44 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 42 Configuring PFC3BXL or PFC3B Mode MPLS QoS Configuring Uniform Mode ...

Page 771: ...d_products_support_series_home html Understanding PFC QoS Statistics Data Export The PFC QoS statistics data export feature generates per LAN port and per aggregate policer utilization information and forwards this information in UDP packets to traffic monitoring planning or accounting applications You can enable PFC QoS statistics data export on a per LAN port or on a per aggregate policer basis ...

Page 772: ...S Statistics Data Export Field Delimiter page 43 9 Enabling PFC QoS Statistics Data Export Globally To enable PFC QoS statistics data export globally perform this task This example shows how to enable PFC QoS statistics data export globally and verify the configuration Router configure terminal Router config mls qos statistics export Router config end Table 43 1 PFC QoS Default Configuration Featu...

Page 773: ...nfigure terminal Router config interface fastethernet 5 24 Router config if mls qos statistics export Router config if end Router show mls qos statistics export info QoS Statistics Data Export Status and Configuration information Export Status enabled Export Interval 300 seconds Export Delimiter Export Destination Not configured QoS Statistics Data Export is enabled on following ports FastEthernet...

Page 774: ...t Delimiter Export Destination Not configured QoS Statistics Data Export is enabled on following ports FastEthernet5 24 QoS Statistics Data export is enabled on following shared aggregate policers aggr1M Router When enabled for a named aggregate policer PFC QoS statistics data export contains the following fields separated by the delimiter character Export type 3 for an aggregate policer Aggregate...

Page 775: ...atistics Data Export is enabled on following ports FastEthernet5 24 QoS Statistics Data export is enabled on following shared aggregate policers aggr1M QoS Statistics Data Export is enabled on following class maps class3 Router When enabled for a class map PFC QoS statistics data export contains the following fields separated by the delimiter character For data from a physical port Export type 4 f...

Page 776: ...rval To set the time interval for the PFC QoS statistics data export perform this task This example shows how to set the PFC QoS statistics data export interval and verify the configuration Router configure terminal Router config mls qos statistics export interval 250 Router config end Command Purpose Step 1 Router config mls qos statistics export interval interval_in_seconds Sets the time interva...

Page 777: ... is a syslog server the exported data is prefaced with a syslog header Table 43 2 lists the supported PFC QoS data export facility and severity parameter values Command Purpose Step 1 Router config mls qos statistics export destination host_name host_ip_address port port_number syslog facility facility_name severity severity_value Configures the PFC QoS statistics data export destination host and ...

Page 778: ...ination 172 20 52 3 UDP port 514 Facility local6 Severity debug QoS Statistics Data Export is enabled on following ports FastEthernet5 24 QoS Statistics Data export is enabled on following shared aggregate policers aggr1M QoS Statistics Data Export is enabled on following class maps class3 lpr line printer subsytem local5 reserved for local use news netnews subsytem local6 reserved for local use u...

Page 779: ...estination 172 20 52 3 UDP port 514 Facility local6 Severity debug QoS Statistics Data Export is enabled on following ports FastEthernet5 24 QoS Statistics Data export is enabled on following shared aggregate policers aggr1M QoS Statistics Data Export is enabled on following class maps class3 Tip For additional information including configuration examples and troubleshooting information see the do...

Page 780: ...43 10 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 43 Configuring PFC QoS Statistics Data Export Configuring PFC QoS Statistics Data Export ...

Page 781: ...Based Access Control CBAC The PFC installs entries in the NetFlow table to direct flows that require CBAC to the MSFC where the CBAC is applied in software on the MSFC Authentication Proxy After authentication on the MSFC the PFC provides TCAM support for the authentication policy Port to Application Mapping PAM PAM is done in software on the MSFC For more information about Cisco IOS firewall feat...

Page 782: ...ect command on a port CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device On Cisco 7600 series routers you must enter the mls ip inspect command to permit traffic through any ACLs that would deny the traffic through other ports Refer to the Additional CBAC Configuration section on page 44 3 for more information Reflexive ACLs and CBAC have conflicti...

Page 783: ...and deny_ftp_f On a Cisco 7600 series router when ports are configured to deny traffic CBAC permits traffic to flow bidirectionally only through the port configured with the ip inspect command You must configure other ports with the mls ip inspect command If the FTP session enters on VLAN 100 and needs to leave on VLAN 200 CBAC on a Cisco 7600 series router permits the FTP traffic only through ACL...

Page 784: ... 44 Configuring the Cisco IOS Firewall Feature Set Additional CBAC Configuration Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 785: ...x_mcl_book html The Network Admission Control feature module at this URL http www cisco com en US docs ios 12_3t 12_3t8 feature guide gt_nac html The Cisco IOS Security Command Reference Release 12 3 at this URL http www cisco com en US docs ios 12_3 security command reference secur_r html This chapter contains these sections Understanding NAC page 45 1 Configuring NAC page 45 12 Tip For additiona...

Page 786: ...s chapter is a Layer 2 feature the term switch is used for Cisco 7600 routers Release 12 2 18 SXF does not support NAC Layer 2 IEEE 802 1x NAC provides posture validation for routed traffic on Cisco 7600 series routers Posture validation reduces the exposure of a virus to the network This feature allows network access based on the antivirus credentials of the network device that is requesting netw...

Page 787: ...licy enforcement at the network edge and controls the physical access to the network based on the access policy of the client The switch relays Extensible Authentication Protocol EAP messages between the endpoints and the authentication server For Cisco 7600 series routers the encapsulation information in the EAP messages can be based on the User Datagram Protocol UDP When using UDP the switch use...

Page 788: ...dated and the user s policies can be downloaded from the ACS Note When the AAA server is down the AAA down policy is applied only if there is no existing policy associated with the host Typically during revalidation when the AAA server goes down the policies being used for the host are retained NAC Layer 2 IP Validation You can use NAC Layer 2 IP on an access port on an edge switch to which an end...

Page 789: ... switch creates an entry in the session table to track the posture validation status of the host and follows this process to determine the NAC policy 1 If the host is in the exception list the switch applies the user configured NAC policy to the host 2 If EoU bypass is enabled the switch sends a nonresponsive host request to the Cisco Secure ACS and applies the access policy from the server to the...

Page 790: ...hentication server returns an Access Accept message with the posture token and the policy attributes to the switch The switch updates the EAPoUDP session table and enforces the access limitations which provides segmentation and quarantine of poorly postured clients or by denying network access There are two types of policies that apply to ports during posture validation Host Policy The Host policy...

Page 791: ... NAC actions are taken url redirect and url redirect acl Specifies the local URL policy on the switch The switches use these cisco av pair VSAs as follows url redirect HTTP or HTTPS URL url redirect acl switch ACL name or number These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and forward the client web browser to the specified redirect address from w...

Page 792: ...t server After the AAA server receives the audit result it computes an access policy based on the audit result and is sent down to NAD for enforcement on its next request ACLs If you configure NAC Layer 2 IP validation on a switch port you must also configure a default port ACL on a switch port You should also apply the default ACL to IP traffic for hosts that have not completed posture validation...

Page 793: ...PoUDP session on the host and the host is no longer validated The default value of the idle timer is calculated as the probe interval times the number of probe retries By default the idle timer default is 90 seconds which is the probe interval of 30 seconds times the number of probe retries of 3 The switch maintains a list of known hosts to track hosts that have initiated posture validation When t...

Page 794: ...alyst 3750 3560 3550 2970 2960 2955 2950 and 2940 switches and for Cisco EtherSwitch service modules the limit to remove inactive entries is 512 For Cisco 7600 series routers and Catalyst 4000 and 6000 switches the limit is 2048 After an interface link is restored the switch sends ARP probes for the entry associated with the interface The switch ages out entries for hosts that do not respond to AR...

Page 795: ...ure validation by sending a Status Query message to the host If the host sends a message to the switch that the posture has changed the switch revalidates the posture of the host NAC Layer 2 IP Validation and Redundant Supervisor Engines On Cisco 7600 series routers with redundant supervisor engines when RPR mode redundancy is configured a switchover causes the loss of all information about curren...

Page 796: ...lidation is enabled you must configure an ACL on the switch port to which hosts are connected The ACL must permit EAPoUDP traffic for LPIP to function NAC Layer 2 IP does not validate the posture of IPv6 traffic and does not apply access policies to IPv6 traffic NAC Layer 2 IP is not supported if the switchport is part of a private VLAN NAC Layer 2 IP ARP traffic redirected to the CPU cannot be sp...

Page 797: ...g the traffic causes the traffic to be denied The downloaded LPIP host policy always overrides the default interface policy The DHCP traffic should be permitted in the interface default ACL and the host policy for DHCP snooping to function If dynamic ARP inspection is enabled on the ingress VLAN the switch initiates posture validation only after the ARP packets are validated The traffic sent to th...

Page 798: ... wildcard bits to the source Optional Enter log to cause an informational logging message about the packet that matches the entry to be sent to the console Step 5 Router config interface interface_id Enters interface configuration mode Step 6 Router config ip access group access_list_number name in Controls access to the specified interface Step 7 Router config ip admission name rule_name Applies ...

Page 799: ...ng spaces are ignored but spaces within and at the end of the key are used If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon If you want to use multiple RADIUS servers reenter this command Step 14 Router config radius server attribute 8 include in access req If the switc...

Page 800: ... NAC client device entries on the switch or on the specified interface use the clear eou privileged EXEC command To clear entries in the IP device tracking table use the clear ip device tracking privileged EXEC command This example shows how to configure NAC Layer 2 IP validation on a switch interface Router configure terminal Router config ip admission nac eapoudp Router config access list 5 perm...

Page 801: ... Admission Control feature module Step 3 Router config interface interface_id Enters interface configuration mode Step 4 Router config eou default eou max retry number eou timeout aaa seconds hold period seconds retransmit seconds revalidation seconds status query seconds eou revalidate Enables and configures the EAPoUDP association for the specified interface For more information about the defaul...

Page 802: ...C AAA Down Policy Note This feature is only available on the Catalyst 6500 series switch and the Catalyst 7600 router To configure NAC AAA down policy perform this task Step 5 Router config identity prof device authorize not authorize ip address ip_address mac address mac_address type cisco ip phone policy policy_name Authorizes the specified IP device and applies the specified policy to the devic...

Page 803: ...ls access to the specified interface Step 6 Router config if ip admission name rule name Applies the specified IP NAC rule to the interface To remove the IP NAC rule that was applied to a specific interface use the no ip admission rule name interface configuration command Step 7 Router config exit Returns to global configuration mode Step 8 Router config aaa new model Enables AAA Step 9 Router con...

Page 804: ...status If there is no traffic to the RADIUS server the NAD sends dummy radius packets to the RADIUS server based on the idle time If you want to use multiple RADIUS servers reenter this command Step 14 Router config radius server attribute 8 include in access req Optional Configures the switch to send the Framed IP Address RADIUS attribute Attribute 8 in access request or accounting request packet...

Page 805: ...fastEthernet 2 13 Router config if ip admission AAA_DOWN Router config if exit Router show ip admission configuration Show running output aaa new model aaa authentication eou default group radius aaa authorization network default local ip admission name AAA_DOWN eapoudp event timeout aaa policy identity global_policy identity policy global_policy access group global_acl interface FastEthernet2 13 ...

Page 806: ...ng NAC Information To display NAC information perform one of the following tasks Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Command Purpose Router show dot1x all interface interface_id statistics interface interface_id D...

Page 807: ...uring 802 1X Port Based Authentication page 46 7 Displaying 802 1X Status page 46 16 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding 802 1X Port Based Authentication The IEEE 802 1X standard defines a client ser...

Page 808: ...hentication server Performs the actual authentication of the client The authentication server validates the identity of the client and notifies the router whether or not the client is authorized to access the LAN and router services Because the router acts as the proxy the authentication service is transparent to the client The Remote Authentication Dial In User Service RADIUS security system with...

Page 809: ...ore requests for authentication information When the client receives the frame it responds with an EAP response identity frame If the client does not receive an EAP request identity frame from the router during bootup the client can initiate authentication by sending an EAPOL start frame which prompts the router to request the client s identity Note If 802 1X is not enabled or supported on the net...

Page 810: ...nds the request for a fixed number of times Because no response is received the client begins sending frames as if the port is in the authorized state You control the port authorization state by using the dot1x port control interface configuration command and these keywords force authorized Disables 802 1X port based authentication and causes the port to transition to the authorized state without ...

Page 811: ...e of a port transitions from up to down or if an EAPOL logoff frame is received the port returns to the unauthorized state Supported Topologies The 802 1X port based authentication is supported in two topologies Point to point Wireless LAN In a point to point configuration see Figure 46 1 on page 46 2 only one client can be connected to the 802 1X enabled router port The router detects the client ...

Page 812: ...protocol enable state Disabled force authorized Note The port transmits and receives normal traffic without 802 1X based authentication of the client Periodic reauthentication Disabled Number of seconds between reauthentication attempts 3600 seconds Quiet period 60 seconds number of seconds that the router remains in the quiet state following a failed authentication exchange with the client Retran...

Page 813: ...rce port The 802 1X protocol is not supported on ports configured with voice VLAN Configuring 802 1X Port Based Authentication These sections describe how to configure 802 1X port based authentication Enabling 802 1X Port Based Authentication page 46 7 Configuring Router to RADIUS Server Communication page 46 9 Enabling Periodic Reauthentication page 46 10 Manually Reauthenticating the Client Conn...

Page 814: ...ws how to verify the configuration Router show dot1x all Dot1x Info for interface FastEthernet5 1 Command Purpose Step 1 Router config aaa new model Enables AAA Router config no aaa new model Disables AAA Step 2 Router config aaa authentication dot1x default method1 method2 Creates an 802 1X port based authentication method list Router config no aaa authentication dot1x default list_name Clears th...

Page 815: ...try configured acts as the failover backup to the first one The RADIUS host entries are tried in the order that they were configured To configure the RADIUS server parameters perform this task When you configure the RADIUS server parameters note the following information For hostname or ip_address specify the host name or IP address of the remote RADIUS server Specify the key string on a separate ...

Page 816: ...es_list html Note You also need to configure some settings on the RADIUS server These settings include the IP address of the router and the key string to be shared by both the server and the router For more information refer to the RADIUS server documentation This example shows how to configure the RADIUS server parameters on the router Router configure terminal Router config ip radius source inte...

Page 817: ...cation for the Client Connected to a Port Note Initializing authentication disables any existing authentication before authenticating the client connected to the port To initialize the authentication for the client connected to a port perform this task Step 3 Router config if dot1x timeout reauth period seconds Sets the number of seconds between reauthentication attempts The range is 1 to 65535 th...

Page 818: ...ntity frame from the router with an EAP response identity frame If the router does not receive this response it waits a set period of time known as the retransmission time and then retransmits the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication se...

Page 819: ... router to client retransmission time for the EAP request frame to 25 seconds Router config if dot1x timeout supp timeout 25 Command Purpose Step 1 Router config interface type1 slot port 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Selects an interface to configure Step 2 Router config if dot1x timeout tx period seconds Sets the number of seconds that the router waits for a ...

Page 820: ...an EAP request identity frame assuming no response is received to the client before restarting the authentication process Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers To set the router to client frame retransmission number perform this task C...

Page 821: ...g interface fastethernet 5 1 Router config if dot1x port control auto Router config if dot1x host mode multi host Resetting the 802 1X Configuration to the Default Values To reset the 802 1X configuration to the default values perform this task Step 3 Router config if end Returns to privileged EXEC mode Step 4 Router show dot1x all Verifies your entries 1 type ethernet fastethernet gigabitethernet...

Page 822: ...erface use the show dot1x interface interface id privileged EXEC command For detailed information about the fields in these displays refer to the Cisco IOS Master Command List Release 12 2SX Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_ser...

Page 823: ...s of these sections Understanding Port Security page 47 1 Default Port Security Configuration page 47 3 Port Security Guidelines and Restrictions page 47 3 Configuring Port Security page 47 4 Displaying Port Security Settings page 47 13 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US prod...

Page 824: ...er a secure MAC address is configured or learned on one secure port the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation See the Configuring the Port Security Violation Mode on a Port section on page 47 6 for more information about the violation modes After you have set the maximum number of secu...

Page 825: ...ually reenable it by entering the shutdown and no shut down interface configuration commands Enter the clear port security dynamic global configuration command to clear all dynamically learned secure addresses See the Cisco IOS Master Command List Release 12 2SX for complete syntax information Port security learns unauthorized MAC addresses with a bit set that causes traffic to them or from them t...

Page 826: ...2 18 SXE port security does not support IEEE 802 1Q tunnel ports Port security does not support Switch Port Analyzer SPAN destination ports Port security does not support EtherChannel port channel interfaces With releases earlier than Release 12 2 33 SXH port security and 802 1X port based authentication cannot both be configured on the same port If you try to enable 802 1X port based authenticati...

Page 827: ... line End with CNTL Z Router config interface fastethernet 5 36 Router config if switchport Router config if switchport mode trunk Router config if switchport nonegotiate Router config if switchport port security Router config if do show port security interface fastethernet 5 36 include Port Security Port Security Enabled Command Purpose Step 1 Router config interface type1 slot port 1 type ethern...

Page 828: ...releases the port can be a tunnel port or a PVLAN port Step 2 Router config if switchport Configures the port as a Layer 2 switchport Step 3 Router config if switchport mode access Configures the port as a Layer 2 access port Note A port in the default mode dynamic desirable cannot be configured as a secure port Step 4 Router config if switchport port security Enables port security on the port Rou...

Page 829: ...inst overutilization when you configure the protect or restrict violation modes configure the packet drop rate limiter see the Configuring the Port Security Rate Limiter section on page 47 7 This example shows how to configure the protect security violation mode on Fast Ethernet port 5 12 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fa...

Page 830: ...10 through 1 000 000 entered as 1000000 There is no default value The lower the value the more the CPU is protected The rate limiter is applied to traffic both before and after a security violation occurs Configure a value high enough to permit nonviolating traffic to reach the port security feature Values lower than 1 000 entered as 1000 should offer sufficient protection For the burst_size value...

Page 831: ... a dash separated pair of VLAN numbers You can enter a comma separated list of VLAN numbers and dash separated pairs of VLAN numbers This example shows how to configure a maximum of 64 secure MAC addresses on Fast Ethernet port 5 12 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastethernet 3 12 Router config if switchport port security...

Page 832: ...mac address sticky command all sticky secure MAC addresses on the port are converted to dynamic secure MAC addresses To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload after the dynamically learned sticky MAC addresses have been learned you must enter a write memory or copy running config startup config command to save them in the start...

Page 833: ...runk if you do not configure a VLAN for a static secure MAC address it is secure in the VLAN configured with the switchport trunk native vlan command This example shows how to configure a MAC address 1000 2000 3000 as secure on Fast Ethernet port 5 12 and verify the configuration Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface fastetherne...

Page 834: ... the secure MAC address aging type on a port With a PFC2 you cannot configure the secure MAC address aging type The PFC2 supports only absolute aging To configure the secure MAC address aging type on a port perform this task This example shows how to set the aging type to inactivity on Fast Ethernet Port 5 12 Router configure terminal Enter configuration commands one per line End with CNTL Z Route...

Page 835: ...rd to display secure MAC addresses with aging information for each address globally for the switch or per interface The display includes these values The maximum allowed number of secure MAC addresses for each interface The number of secure MAC addresses on the interface The number of security violations that have occurred The violation mode Command Purpose Step 1 Router config interface type1 slo...

Page 836: ...e 20 mins Aging type Inactivity SecureStatic address aging Enabled Security Violation count 0 This example displays the output from the show port security address privileged EXEC command Router show port security address Secure Mac Address Table Vlan Mac Address Type Ports Remaining Age mins 1 0001 0001 0001 SecureDynamic Fa5 1 15 I 1 0001 0001 0002 SecureDynamic Fa5 1 15 I 1 0001 0001 1111 Secure...

Page 837: ...on examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How CDP Works CDP is a protocol that runs over Layer 2 the data link layer on all Cisco routers bridges access servers and switches CDP allows network management applications to discover Cisco devices that are neigh...

Page 838: ...rform this task This example shows how to enable CDP globally Router config cdp run Displaying the CDP Global Configuration To display the CDP configuration perform this task This example shows how to display the CDP configuration Router show cdp Global CDP information Sending CDP packets every 120 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled Router For a...

Page 839: ... perform one or more of these tasks Command Purpose Step 1 Router config interface type1 slot port port channel number 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Selects the port to configure Step 2 Router config if cdp enable Enables CDP on the port Router config if no cdp enable Disables CDP on the port Command Purpose Router show cdp interface type1 slot port port channe...

Page 840: ...AB03130104 Fas 5 9 152 T S WS C4003 2 48 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Router show cdp interface type1 slot port Displays information about interfaces on which CDP is enabled Router show cdp neighbors type1 ...

Page 841: ... 49 3 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How UDLD Works These sections describe how UDLD works UDLD Overview page 49 1 UDLD Aggressive Mode page 49 2 UDLD Overview The Cisco proprietary UDLD protoco...

Page 842: ...er 1 then UDLD at Layer 2 determines whether those fibers are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be performed by autonegotiation because autonegotiation operates at Layer 1 The Cisco 7600 series router periodically transmits UDLD packets to neighbor devices on LAN ports with UDLD enabled If the packets are echoed back ...

Page 843: ... is not disabled In UDLD aggressive mode when a unidirectional error is detected the port is disabled Default UDLD Configuration Table 49 1 shows the default UDLD configuration Configuring UDLD These sections describe how to configure UDLD Enabling UDLD Globally page 49 3 Enabling UDLD on Individual LAN Interfaces page 49 4 Disabling UDLD on Fiber Optic LAN Interfaces page 49 4 Configuring the UDL...

Page 844: ... configure Step 2 Router config if udld port aggressive Enables UDLD on a specific LAN port Enter the aggressive keyword to enable aggressive mode On a fiber optic LAN port this command overrides the udld enable global configuration command setting Router config if no udld port aggressive Disables UDLD on a nonfiber optic LAN port Note On fiber optic LAN ports the no udld port command reverts the ...

Page 845: ... udld message time interval Configures the time between UDLD probe messages on ports that are in advertisement mode and are currently determined to be bidirectional valid values are from 7 to 90 seconds Router config no udld message Returns to the default value 60 seconds Step 2 Router show udld type1 slot number 1 type ethernet fastethernet gigabitethernet or tengigabitethernet Verifies the confi...

Page 846: ...2SX OL 4266 08 Chapter 49 Configuring UDLD Configuring UDLD Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 847: ...blications at this URL http www cisco com en US products sw iosswrel ps1838 tsd_products_support_series_home ht ml This chapter contains the following sections Understanding NetFlow page 50 1 Default NetFlow Configuration page 50 5 NetFlow Configuration Guidelines and Restrictions page 50 5 Configuring NetFlow page 50 6 Tip For additional information including configuration examples and troublesho...

Page 848: ...etFlow table entries and a large volume of statistics to export Less specific flow masks aggregate the traffic statistics into fewer NetFlow table entries and generate a lower volume of statistics Sampled NetFlow exports data for a subset of traffic in a flow which can greatly reduce the volume of statistics exported Sampled NetFlow does not reduce the volume of statistics collected NetFlow aggreg...

Page 849: ...ddress Statistics for all flows to a given destination IP address aggregate into this entry destination source A more specific flow mask The PFC maintains one entry for each source and destination IP address pair Statistics for all flows between the same source IP address and destination IP address aggregate into this entry destination source interface A more specific flow mask Adds the source VLA...

Page 850: ...es to be processed in software on the MSFC In the extreme case Feature Manager software gives priority to the feature that is configured first and rejects configuration requests for subsequent features When you attempt to configure a subsequent feature that the Feature Manager cannot accommodate you receive a failure message at the CLI Follow these guidelines to avoid problems with feature conflic...

Page 851: ...ranslated correctly if NAT is configured for overload For systems equipped with a PFC3B or PFC3BXL you can use the mls ip nat netflow frag l4 zero command to ensure that NAT functions correctly in this case Default NetFlow Configuration Table 50 2 shows the default NetFlow configuration NetFlow Configuration Guidelines and Restrictions When configuring NetFlow follow these guidelines and restricti...

Page 852: ...sk page 50 7 Configuring the MLS Aging Time page 50 8 Configuring NetFlow Aggregation on the PFC page 50 9 Enabling NetFlow for Ingress Bridged IP Traffic page 50 10 Enabling NetFlow for Multicast IP Traffic page 50 10 Displaying PFC Netflow Information page 50 10 NetFlow PFC Commands Summary Table 50 4 shows a summary of the NetFlow commands available on the PFC Table 50 3 NetFlow table utilizati...

Page 853: ...f the flow mask for the NetFlow table on the PFC The actual flow mask may be more specific than the level configured in the mls flow ip command if other configured features need a more specific flow mask see the Flow Mask Conflicts section on page 50 4 To set the minimum IP MLS flow mask perform this task This example shows how to set the minimum IP MLS flow mask Router config mls flow ip destinat...

Page 854: ...ion of the timer the flow entry is deleted from the table fast aging Configures an efficient process to age out entries created for flows that only switch a few packets and then are never used again The fast aging parameter uses the time keyword value to check if at least the threshold keyword value of packets have been switched for each flow If a flow has not switched the threshold number of pack...

Page 855: ...ormation for the PFC or DFCs perform this task Note The PFC and DFCs do not support NetFlow ToS based router Aggregation This example shows how to display the NetFlow Aggregation cache information Router show ip cache flow aggregation destination prefix module 1 IPFLOW_DST_PREFIX_AGGREGATION records and statistics for module 1 IP Flow Switching Cache 278544 bytes 2 active 4094 inactive 6 added 236...

Page 856: ...ic section on page 50 12 Enabling NetFlow for Multicast IP Traffic NetFlow for multicast IP traffic on the PFC is enabled when you configure NetFlow for multicast IP traffic on the MSFC NetFlow for multicast IP traffic is supported in Release 12 2 18 SXF and later releases For additional information see the Enabling NetFlow for Multicast IP Traffic section on page 50 13 Displaying PFC Netflow Info...

Page 857: ...ggregation cache export version 8 9 mask source minimum x Configure NetFlow aggregation Note that configuring aggregation on the MSFC also enables aggregation for the PFC Specifies aggregation data export format 8 or 9 Specifies the aggregation minimum mask ip flow ingress layer2 switched vlan x Enables NetFlow for Layer 2 switched traffic interface x ip multicast netflow ingress egress Enables Ne...

Page 858: ...statistics are available to the Sampled NetFlow feature see the NetFlow Sampling section on page 51 7 To enable NetFlow for bridged IP traffic on a VLAN you must create a corresponding VLAN interface assign it an IP address and enter the no shutdown command to bring up the interface To enable NetFlow for ingress bridged IP traffic in VLANs perform this task This example shows how to enable NetFlow...

Page 859: ...switching MDFS However this prerequisite does not apply when configuring NetFlow multicast support with Release 12 2 18 SXF and later 12 2SX releases Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Command Purpose Step 1 Rout...

Page 860: ...50 14 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 50 Configuring NetFlow Configuring NetFlow ...

Page 861: ...ce nf_book html The Release 12 2 publications at this URL http www cisco com en US products sw iosswrel ps1838 tsd_products_support_series_home ht ml NetFlow version 9 is supported See this document Cisco IOS NetFlow Configuration Guide This chapter contains the following sections Understanding NDE page 51 2 NDE Configuration Guidelines and Restrictions page 51 10 Configuring NDE page 51 10 Tip Fo...

Page 862: ... 18 SXF and later Exporting a large volume of statistics can significantly impact SP and RP CPU utilization You can control the volume of records exported by configuring NDE flow filters to include or exclude flows from the NDE export When you configure a filter NDE exports only the flows that match the filter criteria You can configure up to two external data collector addresses A second data col...

Page 863: ...SNMP ifIndex BGP AS These fields are populated by the software looking up the FIB table entry before sending out the NDE record to the collector Therefore these fields are blank when you use the show command to display the hardware NetFlow table NDE Versions Release 12 2 18 SXF and later releases support NetFlow version 9 NDE exports statistics for NetFlow aggregation flows using NDE version 8 See...

Page 864: ... version number 2 3 count Number of flows exported in this packet 1 30 4 7 SysUptime Current time in milliseconds since router booted 8 11 unix_secs Current seconds since 0000 UTC 1970 12 15 unix_nsecs Residual nanoseconds since 0000 UTC 1970 16 19 flow_sequence Sequence counter of total flows seen 20 21 engine_type Type of flow switching engine 21 23 engine_id Slot number of the flow switching en...

Page 865: ...s configured 0 A2 A A A A 16 19 dPkts Packets in the flow X X X X X X 20 23 dOctets Octets bytes in the flow X X X X X X 24 27 first SysUptime at start of the flow milliseconds X X X X X X 28 31 last SysUptime at the time the last packet of the flow was received milliseconds X X X X X X 32 33 srcport Layer 4 source port number or equivalent 0 0 0 0 X4 4 In PFC3BXL or PFC3B mode for ICMP traffic co...

Page 866: ...n the flow X X X X X X 20 23 dOctets Octets bytes in the flow X X X X X X 24 27 First SysUptime at start of the flow milliseconds X X X X X X 28 31 Last SysUptime at the time the last packet of the flow was received milliseconds X X X X X X 32 33 srcport Layer 4 source port number or equivalent 0 0 0 0 X4 4 In PFC3BXL or PFC3B mode for ICMP traffic contains the ICMP code and type values X4 34 35 d...

Page 867: ...isabled See the Configuring NDE Flow Filters section on page 51 16 for NDE filter configuration procedures NetFlow Sampling NetFlow sampling is used when you want to report statistics for a subset of the traffic flowing through your network The Netflow statistics can be exported to an external collector for further analysis There are two types of NetFlow sampling NetFlow traffic sampling and NetFl...

Page 868: ...ics on only a subset of the flows is useful when the volume of exported traffic created by reporting statistics for all of the flows will overwhelm the collector or result in an over subscription of an outbound interface NetFlow flow sampling is available on Cisco Catalyst 6500 series switches for hardware based NetFlow accounting on the PFCs and DFCs installed in the router NetFlow flow sampling ...

Page 869: ...et to exceed the sampling rate the last flow for which the counters were added to the bucket is sampled and exported The bucket counter is changed to 0 and the process of increasing the bucket counter is started over This method ensures that some flows for which the packet count never exceeds the sampling rate are selected for sampling and export Time based Netflow Flow Sampling Time based Netflow...

Page 870: ...rotocol Configuring NDE These sections describe how to configure NDE Configuring NDE on the PFC page 51 11 Configuring NDE on the MSFC page 51 13 Enabling NDE for Ingress Bridged IP Traffic page 51 15 Displaying the NDE Address and Port Configuration page 51 15 Configuring NDE Flow Filters page 51 16 Displaying the NDE Configuration page 51 18 Note You must enable NetFlow on the MSFC Layer 3 inter...

Page 871: ... sender This example shows how to enable NDE from the PFC and configure NDE version 5 Router config mls nde sender version 5 Command Purpose Router config mls nde sender version 5 7 Enables NDE from the PFC using version 7 records or version 5 records If you enter the mls nde sender command without using the version 5 7 keywords version 7 records are enabled by default Note If you are using NDE fo...

Page 872: ...onfiguring NetFlow Flow Sampling on a Layer 3 Interface page 51 13 Configuring NetFlow Flow Sampling Globally To configure NetFlow flow sampling globally perform this task When you configure NetFlow flow sampling globally note the following information The valid values for rate are 64 128 256 512 1024 2048 4096 and 8192 The valid values for the packet based export interval are from 8 000 through 1...

Page 873: ...yer 3 Interface page 51 13 Configuring the NDE Destination page 51 14 Configuring Netflow Flow Sampling page 51 14 Configuring the MSFC NDE Source Layer 3 Interface To configure the Layer 3 interface used as the source of the NDE packets containing statistics from the MSFC perform this task When configuring the MSFC NDE source Layer 3 interface note the following information You must select an int...

Page 874: ...ases Note that configuring two destinations increases the RP CPU utilization as you are exporting the data records twice This example shows how to configure the NDE flow destination IP address and UDP port Router config ip flow export destination 172 20 52 37 200 Note The destination address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the router ...

Page 875: ...e NDE Address and Port Configuration To display the NDE address and port configuration perform these tasks This example shows how to display the NDE export flow source IP address and UDP port configuration Router show mls nde Netflow Data Export enabled Exporting flows to 10 34 12 245 9999 Exporting flows from 10 6 58 7 55425 Version 7 Include Filter not configured Exclude Filter is source ip addr...

Page 876: ...ting using source interface FastEthernet5 8 Version 1 flow records 0 flows exported in 0 udp datagrams 0 flows failed due to lack of export packet 0 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues Router Configuring NDE Flow Filters These sections describe NDE flow filters NDE Flow Filter Overview page 5...

Page 877: ...To configure a destination or source host flow filter perform this task This example shows how to configure a host flow filter to export only flows to destination host 172 20 52 37 Router config mls nde flow include destination 172 20 52 37 255 255 255 225 Router config Command Purpose Router config mls nde flow exclude include dest port number src port number Configures a port flow filter for an ...

Page 878: ...8 10 34 12 245 9999 Exporting flows from 10 6 58 7 57673 Version 7 Include Filter not configured Exclude Filter not configured Total Netflow Data Export Packets are 508 packets 0 no packets 3985 records Total Netflow Data Export Send Errors IPWRITE_NO_FIB 0 IPWRITE_ADJ_FAILED 0 IPWRITE_PROCESS 0 IPWRITE_ENQUEUE_FAILED 0 IPWRITE_IPC_FAILED 0 IPWRITE_OUTPUT_FAILED 0 IPWRITE_MTU_FAILED 0 IPWRITE_ENCA...

Page 879: ...mcl 12_2sx_mcl_book html OSM WAN ports and FlexWAN ports do not support SPAN RSPAN or ERSPAN PFC2 does not support ERSPAN This chapter consists of these sections Understanding How Local SPAN RSPAN and ERSPAN Work page 52 1 Local SPAN RSPAN and ERSPAN Configuration Guidelines and Restrictions page 52 6 Configuring Local SPAN RSPAN and ERSPAN page 52 14 Tip For additional information including confi...

Page 880: ...52 2 RSPAN Overview page 52 3 ERSPAN Overview page 52 4 Monitored Traffic page 52 4 Local SPAN Overview A local SPAN session is an association of source ports and source VLANs with one or more destination ports You configure a local SPAN session on a single router Local SPAN does not have separate source and destination sessions Local SPAN sessions do not copy locally sourced RSPAN VLAN traffic fr...

Page 881: ...ffic for each RSPAN session is carried as Layer 2 nonroutable traffic over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating routers All participating routers must be trunk connected at Layer 2 RSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs RSPAN source sessions do not copy locally sourced ...

Page 882: ...e source IP address ERSPAN ID number and optionally with a VRF name ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs ERSPAN source sessions do not copy locally sourced ERSPAN GRE encapsulated traffic from source ports Each ERSPAN source session can have either ports or VLANs as sources but not both The ERSPAN source session copies...

Page 883: ... SPAN session both ingress and egress for two SPAN sources called s1 and s2 to a SPAN destination port called d1 if a packet enters the router through s1 and is sent for egress from the switch to s2 ingress SPAN at s1 sends a copy of the packet to SPAN destination d1 and egress SPAN at s2 sends a copy of the packet to SPAN destination d1 If the packet was Layer 2 switched from s1 to s2 both SPAN p...

Page 884: ...cal SPAN RSPAN and ERSPAN configuration guidelines and restrictions General Guidelines and Restrictions page 52 6 Feature Incompatiblities page 52 7 Local SPAN RSPAN and ERSPAN Session Limits page 52 8 Local SPAN RSPAN and ERSPAN Guidelines and Restrictions page 52 10 VSPAN Guidelines and Restrictions page 52 11 RSPAN Guidelines and Restrictions page 52 11 ERSPAN Guidelines and Restrictions page 5...

Page 885: ...not supported in egress multicast mode CSCsa95965 With a PFC3 EoMPLS ports cannot be SPAN sources CSCed51245 A port channel interface an EtherChannel can be a SPAN source but you cannot configure active member ports of an EtherChannel as SPAN source ports Inactive member ports of an EtherChannel can be configured as SPAN sources but they are put into the suspended state and carry no traffic With r...

Page 886: ...N session limits PFC3 page 52 8 PFC2 page 52 9 PFC3 These are the PFC3 local SPAN RSPAN and ERSPAN session limits These are the PFC3 local SPAN RSPAN and ERSPAN source and destination limits Total Sessions Local SPAN RSPAN Source or ERSPAN Source Sessions RSPAN Destination Sessions ERSPAN Destination Sessions 66 2 ingress or egress or both 64 23 In Each Local SPAN Session In Each RSPAN Source Sess...

Page 887: ...ation limits Total Sessions Local SPAN Sessions RSPAN Source Sessions RSPAN Destination Sessions 66 2 ingress or egress or both 0 64 1 ingress 1 ingress or egress or both 64 1 or 2 egress 0 64 In Each Local SPAN Session In Each RSPAN Source Session In Each RSPAN Destination Session Egress or both sources With releases earlier than Release 12 2 18 SXF2 1 0 with a remote SPAN source session configur...

Page 888: ...ll of the traffic from all the SPAN sources Note With Release 12 2 18 SXD and later releases you can configure destination trunk port VLAN filtering using allowed VLAN lists see the Configuring Destination Trunk Port VLAN Filtering section on page 52 25 With Release 12 2 18 SXE and later releases for local SPAN and RSPAN you can configure Source VLAN Filtering see the Configuring Source VLAN Filte...

Page 889: ...rt VSPAN These are VSPAN guidelines and restrictions For VSPAN sessions with both ingress and egress configured two packets are forwarded from the destination port if the packets get switched on the same VLAN one as ingress traffic from the ingress port and one as egress traffic from the egress port VSPAN only monitors traffic that leaves or enters Layer 2 ports in the VLAN If you configure a VLAN...

Page 890: ...N VLANs as sources in VSPAN sessions You can configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs and you use the same RSPAN VLAN for each RSPAN session in all participating network devices ERSPAN Guidelines and Restrictions These are ERSPAN guidelines and restrictions Release 12 2 18 SXE and later releases support ERSPAN Release 12 ...

Page 891: ...Support section on page 9 10 set the maximum Layer 3 packet size default is 1 500 bytes maximum is 9 216 bytes All participating routers must be connected at Layer 3 and the network path must support the size of the ERSPAN traffic ERSPAN does not support packet fragmentation The do not fragment bit is set in the IP header of ERSPAN packets ERSPAN destination sessions cannot reassemble fragmented E...

Page 892: ...on port permit list perform this task This example shows how to configure a destination port permit list that includes Gigabit Ethernet ports 5 1 through 5 4 and 6 1 Router configure terminal Router config monitor permit list Router config monitor permit list destination interface gigabitethernet 5 1 4 gigabitethernet 6 1 This example shows how to verify the configuration Router config do show mon...

Page 893: ...single_vlan is the ID number of a single VLAN vlan_list is single_vlan single_vlan single_vlan vlan_range is first_vlan_ID last_vlan_ID mixed_vlan_list is in any order single_vlan vlan_range To tag the monitored traffic as it leaves a destination port you must configure the destination port to trunk unconditionally before you configure it as a destination see the Configuring a Destination Port as ...

Page 894: ...ter config monitor session 1 destination interface fastethernet 5 48 For additional examples see the Configuration Examples section on page 52 27 Configuring RSPAN RSPAN uses a source session on one router and a destination session on a different router These sections describe how to configure RSPAN sessions Configuring RSPAN VLANs page 52 16 Configuring RSPAN Source Sessions page 52 17 Configurin...

Page 895: ...n vlan_range is first_vlan_ID last_vlan_ID mixed_vlan_list is in any order single_vlan vlan_range When clearing monitor sessions note the following information The no monitor session number command entered with no other parameters clears session session_number session_range is first_session_number last_session_number Note In the no monitor session range command do not enter spaces before or after ...

Page 896: ...iguring a Destination Port as an Unconditional Trunk section on page 52 24 RSPAN_destination_span_session_number can range from 1 to 66 single_interface is interface type slot port type is ethernet fastethernet gigabitethernet or tengigabitethernet interface_list is single_interface single_interface single_interface Note In lists you must enter a space before and after the comma In ranges you must...

Page 897: ... uses separate source and destination sessions You configure the source and destination sessions on different routers These sections describe how to configure ERSPAN sessions Configuring ERSPAN Source Sessions page 52 19 Configuring ERSPAN Destination Sessions page 52 22 Note With a PFC3 Release 12 2 18 SXE and later releases support ERSPAN see the ERSPAN Guidelines and Restrictions section on pag...

Page 898: ...an src dst ip address ip_address Configures the ERSPAN flow destination IP address which must also be configured on an interface on the destination router and be entered in the ERSPAN destination session configuration see the Configuring ERSPAN Destination Sessions section on page 52 22 Step 7 Step 9 Router config mon erspan src dst erspan id ERSPAN_flow_id Configures the ID number used by the sou...

Page 899: ...hange the origin IP address configured in all ERSPAN source sessions on the router ttl_value can range from 1 to 255 ipp_value can range from 0 to 7 dscp_value can range from 0 to 63 When clearing monitor sessions note the following information The no monitor session number command entered with no other parameters clears session session_number session_range is first_session_number last_session_num...

Page 900: ...al Describes the ERSPAN destination session Step 4 Router config mon erspan dst shutdown Default Inactivates the ERSPAN destination session Router config mon erspan dst no shutdown Activates the ERSPAN destination session Step 5 Router config mon erspan dst destination single_interface interface_list interface_range mixed_interface_list Associates the ERSPAN destination session number with the des...

Page 901: ...stination IP addresses see the Configuring ERSPAN Source Sessions section on page 52 19 Step 8 ERSPAN_flow_id can range from 1 to 1023 When clearing monitor sessions note the following information The no monitor session number command entered with no other parameters clears session session_number session_range is first_session_number last_session_number Note In the no monitor session range command...

Page 902: ...ort configure the destination port as a trunk To configure the destination port as a trunk perform this task Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config monitor session session_number filter single_vlan vlan_list vlan_range mixed_vlan_list Configures source VLAN filtering when the local SPAN or RSPAN source is a trunk port Router config no...

Page 903: ...ination trunk port note the following information The vlan parameter is either a single VLAN number from 1 through 4094 or a range of VLANs described by two VLAN numbers the lesser one first separated by a dash Do not enter any spaces between comma separated vlan parameters or in dash specified ranges All VLANs are allowed by default To remove all VLANs from the allowed list enter the switchport t...

Page 904: ...tchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 12 switchport mode trunk switchport nonegotiate interface GigabitEthernet1 4 description SPAN destination interface for VLAN 13 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 13 switchport mode trunk switchport nonegotiate monitor session 1 source vlan 10 13 monitor session 1 des...

Page 905: ...session 2 source interface fastethernet 5 15 7 3 rx Router config monitor session 2 source interface gigabitethernet 1 2 tx Router config monitor session 2 source interface port channel 102 Router config monitor session 2 source filter vlan 2 3 Router config monitor session 2 destination remote vlan 901 This example shows how to remove sources for a session Router config no monitor session 2 sourc...

Page 906: ...120 ip address 10 8 1 2 vrf gray This example shows the configuration of ERSPAN source session 13 monitor session 13 type erspan source source interface Gi6 1 tx destination erspan id 130 ip address 10 11 1 1 origin ip address 32 1 1 1 This example shows the configuration of ERSPAN destination session 13 monitor session 13 type erspan destination destination interface Gi6 1 source erspan id 130 ip...

Page 907: ...e documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding SNMP IfIndex Persistence The SNMP ifIndex persistence feature provides an interface index ifIndex value that is retained and used when the router reboots The ifIndex value is a unique identifying number associated with a physical or logical interface There is no re...

Page 908: ... persistence Enabling SNMP IfIndex Persistence Globally page 53 2 Optional Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces page 53 3 Optional Note To verify that ifIndex commands have been configured use the more system running config command Enabling SNMP IfIndex Persistence Globally SNMP ifIndex persistence is disabled by default To globally enableSNMP ifIndex persistence ...

Page 909: ...IfIndex Persistence Configuration from a Specific Interface To clear the interface specific SNMP ifIndex persistence setting and configure the interface to use the global configuration setting perform this task Command Purpose Step 1 Router config interface vlan vlan_ID type1 slot port port channel port_channel_number 1 type any supported interface type Selects an interface to configure Step 2 Rou...

Page 910: ...ersistence is globally enabled SNMP ifIndex persistence will be enabled for Ethernet interface 3 1 If SNMP ifIndex persistence is globally disabled SNMP ifIndex persistence will be disabled for Ethernet interface 3 1 router config interface ethernet 3 1 router config if snmp ifindex clear router config if exit Tip For additional information including configuration examples and troubleshooting info...

Page 911: ...anding How Power Management Works page 54 1 Understanding How Environmental Monitoring Works page 54 10 Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How Power Management Works These sections describe power ma...

Page 912: ...ble to the system is the combined power capability of both power supplies The system powers up as many modules as the combined capacity allows However if one power supply fails and there is not enough power for all of the previously powered up modules the system powers down those modules To enable redundancy use the redundant keyword In a redundant configuration the total power drawn from both pow...

Page 913: ... supplies Modules marked power deny in the show power oper state field are brought up if there is sufficient power Power supply is removed with redundancy enabled System log and syslog messages are generated No change in module status because the power capability is unchanged Power supply is removed with redundancy disabled System log and syslog messages are generated System power is decreased to ...

Page 914: ...s A 42V State State 1 WS X6K SUP2 2GE 142 38 3 39 142 38 3 39 on on 2 142 38 3 39 5 WS X6248 RJ 45 112 98 2 69 112 98 2 69 on on Router You can view the current power status of a specific power supply by entering the show power command as follows Router show power status power supply 2 Power Capacity PS Fan Output Oper PS Type Watts A 42V Status Status State 1 WS CAC 6000W 2672 04 63 62 OK OK on 2...

Page 915: ...ommand displays the current system utilization of the hardware resources and displays a list of the currently available hardware capacities including the following Hardware forwarding table utilization Switch fabric utilization CPU s utilization Memory device flash DRAM NVRAM utilization This example shows how to display CPU capacity and utilization information for the route processor the switch p...

Page 916: ...capacity the bytes used and the percentage that is used for the flash and NVRAM resources present in the system Router show platform hardware capacity flash Flash NVRAM Resources Usage Module Device Bytes Total Used Used 1 RP bootflash 31981568 15688048 49 1 SP disk0 128577536 105621504 82 1 SP sup bootflash 31981568 29700644 93 1 SP const_nvram 129004 856 1 1 SP nvram 391160 22065 6 7 dfc 7 bootf...

Page 917: ...TCAM entries ACLmsk ACL TCAM masks AND ANDOR QoSent QoS TCAM entries QOSmsk QoS TCAM masks OR ORAND Lbl in ingress label Lbl eg egress label LOUsrc LOU source LOUdst LOU destination ADJ ACL adjacency Module ACLent ACLmsk QoSent QoSmsk Lbl in Lbl eg LOUsrc LOUdst AND OR ADJ 6 1 1 1 1 1 1 0 0 0 0 1 Router This example shows how to display the interface resources Router show platform hardware capacit...

Page 918: ... the capacity and utilization of QoS policer resources for each EARL in the Cisco 7600 series router Router show platform hardware capacity qos QoS Policer Resources Aggregate policers Module Total Used Used 1 1024 102 10 5 1024 1 1 Microflow policer configurations Module Total Used Used 1 64 32 50 5 64 1 1 Router This example shows how to display information about the key system resources Router ...

Page 919: ...shold 1 for module 1 outlet temperature sensor value 60 is system minor alarm threshold 2 for module 1 outlet temperature sensor value 70 is system major alarm module 1 inlet temperature 25C threshold 1 for module 1 inlet temperature sensor value 60 is system minor alarm threshold 2 for module 1 inlet temperature sensor value 70 is system major alarm module 1 device 1 temperature 30C threshold 1 f...

Page 920: ...rm thresholds cooling Displays fan tray status chassis cooling capacity ambient temperature and per slot cooling capacity status Displays field replaceable unit FRU operational status and power and temperature information temperature Displays FRU temperature information To view the system status information enter the show environment command Router show environment environmental alarms no alarms R...

Page 921: ...perature 31C module 2 inlet temperature 29C module 3 module 3 power output fail OK module 3 outlet temperature 36C module 3 inlet temperature 29C module 4 module 4 power output fail OK module 4 outlet temperature 32C module 4 inlet temperature 32C module 5 module 5 power output fail OK module 5 outlet temperature 39C module 5 inlet temperature 34C module 7 module 7 power output fail OK module 7 ou...

Page 922: ...daughter cards Major STATUS2 LED red3 2 A STATUS LED is located on the supervisor engine front panel and all module front panels 3 The STATUS LED is red on the failed supervisor engine If there is no redundant supervisor the SYSTEM LED is red also Generates syslog message and an SNMP trap If there is a redundancy situation the system switches to a redundant supervisor engine and the active supervi...

Page 923: ...l information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding How Online Diagnostics Work With online diagnostics you can test and verify the hardware functionality of the Cisco 7600 series router while the router is connected to a live netwo...

Page 924: ...tics run at user designated intervals or specified times when the router is connected to a live network and health monitoring runs in the background Configuring Online Diagnostics These sections describe how to configure online diagnostics Setting Bootup Online Diagnostics Level page 55 2 Configuring On Demand Online Diagnostics page 55 3 Scheduling Online Diagnostics page 55 4 Configuring Health ...

Page 925: ...ostic content command Step 2 Run all tests in the relevant functional area Packet switching tests fall into specific functional areas When a problem is suspected in a particular functional area run all tests in that functional area If you are unsure about which functional area you need to test or if you want to run all available tests enter the complete keyword Step 3 Run the TestTrafficStress tes...

Page 926: ... monitor module 1 test all command To set the bootup diagnostic level perform this task This example shows how to set the on demand testing iteration count Router diagnostic ondemand iteration 3 Router This example shows how to set the execution action when an error is detected Router diagnostic ondemand action on error continue 2 Router Scheduling Online Diagnostics You can schedule online diagno...

Page 927: ...onitoring diagnostic testing perform this task This example shows how to configure the specified test to run every two minutes Router config diagnostic monitor interval module 1 test 1 min 2 Router config This example shows how to run the test if health monitoring has not previously been enabled Router config diagnostic monitor module 1 test 1 This example shows how to enable the generation of a s...

Page 928: ...p the entire system If you are running the tests on a module that is not the supervisor engine after the test is initiated and complete you must reset the module Starting and Stopping Online Diagnostic Tests After you configure diagnostic tests to run you can use the start and stop to begin or end a diagnostic test To start or stop an online diagnostic command perform one of these tasks This examp...

Page 929: ...terval ID Test Name Attributes day hh mm ss ms 1 TestScratchRegister N A 000 00 00 30 00 2 TestSPRPInbandPing N A 000 00 00 15 00 3 TestTransceiverIntegrity PD I not configured 4 TestActiveToStandbyLoopback M PDS I not configured 5 TestLoopback M PD I not configured 6 TestNewLearn M N I not configured 7 TestIndexLearn M N I not configured 8 TestDontLearn M N I not configured 9 TestConditionalLearn...

Page 930: ...ootup diagnostic level minimal Module 1 Overall Diagnostic Result for Module 1 PASS Diagnostic level at card bootup minimal Test results Pass F Fail U Untested 1 TestScratchRegister 2 TestSPRPInbandPing 3 TestGBICIntegrity Port 1 2 U U 4 TestActiveToStandbyLoopback Port 1 2 U U 5 TestLoopback Port 1 2 6 TestNewLearn 7 TestIndexLearn 8 TestDontLearn 9 TestConditionalLearn 10 TestBadBpdu 11 TestTrap...

Page 931: ...n count 330 Last test execution time May 12 2003 14 49 36 First test failure time n a Last test failure time n a Last test pass time May 12 2003 14 49 36 Total failure count 0 Consecutive failure count 0 ___________________________________________________________________________ 2 TestSPRPInbandPing Error code 0 DIAG_SUCCESS Total run count 660 Last test execution time May 12 2003 14 49 38 First t...

Page 932: ...omplete before running them Before you run any of the online diagnostic memory tests perform the following tasks Required tasks Isolate network traffic by disabling all connected ports Do not send test packets during a memory test Reset the system before returning the system to normal operating mode Turn off all background health monitoring tests using the no diagnostic monitor module 1 test all c...

Page 933: ...tion examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding the Top N Utility These sections describe the Top N utility Top N Utility Overview page 56 1 Understanding Top N Utility Operation page 56 2 Top N Utility Overview The Top N utility allows you to collect and analy...

Page 934: ...ounters interface report command The Top N Utility displays only those reports that are completed For reports that are not completed the Top N Utility displays a short description of the Top N process information To terminate a Top N process enter the clear top counters interface report command Pressing Ctrl C does not terminate Top N processes The completed reports remain available for viewing un...

Page 935: ...eport creation for an interval of 76 seconds for the four ports with the highest utilization Router collect top 4 counters interface all sort by utilization interval 76 TopN collection started Displaying the Top N Utility Reports To display the Top N Utility reports perform this task Top N Utility statistics are not displayed in these situations If a port is not present during the first poll If a ...

Page 936: ...t Multicast In Buf width Tx Rx Tx Rx Tx Rx Tx Rx err ovflw Fa2 5 100 50 726047564 11344488 11344487 1 0 0 Fa2 48 100 35 508018905 7937789 0 43 0 0 Fa2 46 100 25 362860697 5669693 0 43 0 0 Fa2 47 100 22 323852889 4762539 4762495 43 0 0 Clearing Top N Utility Reports To clear Top N Utility reports perform one of these tasks This example shows how to remove all reports that have a status of done Rout...

Page 937: ...4266 08 Chapter 56 Using the Top N Utility Using the Top N Utility Tip For additional information including configuration examples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html ...

Page 938: ...56 6 Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12 2SX OL 4266 08 Chapter 56 Using the Top N Utility Using the Top N Utility ...

Page 939: ...mples and troubleshooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Understanding the Layer 2 Traceroute Utility The Layer 2 traceroute utility identifies the Layer 2 path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MA...

Page 940: ...and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses belong If ...

Page 941: ...destination device perform one of these tasks in privileged EXEC mode Command Purpose Router traceroute mac interface type interface_number source_mac_address interface type interface_number destination_mac_address vlan vlan_id detail Uses MAC addresses to trace the path that packets take through the network Router traceroute mac ip source_ip_address source_hostname destination_ip_address destinat...

Page 942: ...2 Fa0 1 Destination 0000 0201 0201 found on con2 WS C3550 24 2 2 2 2 Layer 2 trace completed Router Router traceroute mac 0001 0000 0204 0001 0000 0304 detail Source 0001 0000 0204 found on VAYU WS C6509 2 1 1 10 1 VAYU WS C6509 2 1 1 10 Gi6 1 full 1000M Po100 auto auto 2 PANI WS C6509 2 1 1 12 Po100 auto auto Po110 auto auto 3 BUMI WS C6509 2 1 1 13 Po110 auto auto Po120 auto auto 4 AGNI WS C6509...

Page 943: ... as a stress test is being performed with looping ports internally and external traffic might skew the test results The entire switch must be rebooted to bring the switch to normal operation When you issure the command to reload the switch the system will ask you if the configuration should be saved Do not save the configuration If you are running the tests on a supervisor engine after the test is...

Page 944: ...plication engine on the path from the switch processor to the route processor Packets are sent at 15 second intervals Ten consecutive failures of the test results in failover to the redundant supervisor engine default or reload of the supervisor engine if a redundant supervisor engine is not installed TestScratchRegister The TestScratchRegister test monitors the health of application specific inte...

Page 945: ...eLoopback page A 4 TestLoopback page A 4 TestActiveToStandbyLoopback page A 5 TestTransceiverIntegrity page A 5 TestNetflowInlineRewrite page A 5 Table A 2 TestScratchRegister Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Do not disable Default On Release 12 2 14 SX Corrective action Reset the malfunctioning supervisor engine or power down the module H...

Page 946: ...back in the port and returns to the supervisor engine on that same VLAN Table A 4 TestNonDisruptiveLoopback Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Do not disable Default On Release 12 2 18 SXF Corrective action Error disable a port after 10 consecutive failures Error disable a channel if all of its ports failed the test in one test cycle Reset t...

Page 947: ...deny functionality and the inline rewrite capabilities of the port ASIC The test packet will undergo a NetFlow table lookup to obtain the rewrite information The VLAN and the source and destination MAC addresses are rewritten when the packet reaches the targeted port Table A 6 TestActiveToStandbyLoopback Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back port...

Page 948: ... back ports Disruption is typically less than one second Duration of the disruption depends on configuration of loopback port for example Spanning Tree Protocol Recommendation Schedule during downtime Run this test during bootup only Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action None See the system message guide for more info...

Page 949: ...s section on page A 9 Table A 9 TestNewIndexLearn Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation If you experience problems with the Layer 2 forwarding engine learning capability run this test on demand to verify the Layer 2 learning functionality This test can also be used as a health monitoring test Default This test runs by default during bootup or a...

Page 950: ...e Nondisruptive Disruptive Recommendation If you experience problems with the Layer 2 forwarding engine learning capability run this test on demand to verify the Layer 2 learning functionality This test can also be used as a health monitoring test Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action None See the system message guide...

Page 951: ... don t learn feature of the Layer 2 forwarding engine is working properly For DFC enabled modules the diagnostic packet is sent from the supervisor engine inband port through the switch fabric and looped back from one of the ports on the DFC enabled module The don t learn feature is verified during diagnostic packet lookup by the Layer 2 forwarding engine Table A 13 TestStaticEntry Test Attributes...

Page 952: ...pervisor engine the diagnostic packet is sent from the supervisor engine s inband port and performs a packet lookup using the supervisor engine Layer 2 forwarding engine For DFC enabled Table A 14 TestDontLearn Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is typically less than one second Duration of the disruption depends on the config...

Page 953: ...irect packets to the switch processor This test verifies that the Trap feature of the Layer 2 forwarding engine is working properly When running the test on the supervisor engine the diagnostic packet is sent from the supervisor engine s inband port and performs Table A 16 TestIndexLearn Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is t...

Page 954: ...and port through the switch fabric and looped back from one of the DFC ports The BPDU feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine Table A 18 TestTrap Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is typically less than one second Duration of the disruption depends on the configuration of the l...

Page 955: ...ng the supervisor engine s Layer 2 forwarding engine For DFC enabled modules the diagnostic packet is sent from the supervisor engine s inband port through the switch fabric and looped back from one of the DFC ports The Capture feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine Table A 20 TestProtocolMatchChannel Test Attributes Attribute Description Disruptiv...

Page 956: ...stIPv4FibShortcut page A 15 TestIPv6FibShortcut page A 15 TestMPLSFibShortcut page A 16 TestNATFibShortcut page A 16 TestL3Capture2 page A 17 TestAclPermit page A 17 TestAclDeny page A 18 TestQoS page A 18 TestFibDevices The TestFibDevices test verifies whether the FIB TCAM and adjacency devices are functional One FIB entry is installed on each FIB TCAM device A diagnostic packet is sent to make s...

Page 957: ...s forwarded according to rewritten MAC and VLAN information Table A 23 TestFibDevices Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Run this test on demand to verify the Layer 3 forwarding functionality if you experience problems with the routing capability This test can also be used as a health monitoring test Default This test runs by default during ...

Page 958: ...ributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Run this test on demand to verify the Layer 3 forwarding functionality if you experience problems with the routing capability This test can also be used as a health monitoring test Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action None See the sys...

Page 959: ...monitoring test Use as a health monitoring test if the destination IP address is being rewritten for example if you are using NAT Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action None See the system message guide for more information Hardware support Supervisor engines and DFC enabled modules Table A 27 TestNATFibShortcut Test A...

Page 960: ...AN information TestQoS The TestQoS test verifies whether or not the QoS input and output TCAM is functional by programming the QoS input and output TCAM so that the ToS value of the diagnostic packet is changed to reflect either input or output Table A 30 TestACLDeny Test Attributes Attribute Description Disruptive Nondisruptive Disruptive Recommendation Do not disable Default On Release 12 1 13 E...

Page 961: ...s installed on each FIBTCAM device and a diagnostic packet is sent to make sure that the diagnostic packet is switched by the FIB TCAM entry installed on the TCAM device This is not an exhaustive TCAM device test Only one entry is installed on each TCAM device Note Compared to the IPv4FibShortcut and IPv6FibShortcut tests the TestFibDevices test tests all FIB and adjacency devices using IPv4 or IP...

Page 962: ...bDevices Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is typically less than one second Duration of the disruption depends on the configuration of the looped back port for example Spanning Tree Protocol Recommendation Schedule during downtime Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 ...

Page 963: ...tIPv6FibShortcut Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is typically less than one second Duration of the disruption depends on the configuration of the looped back port for example Spanning Tree Protocol Recommendation This test runs by default during bootup or after a reset or OIR Default Off Release 12 1 13 E 12 2 14 SX Correct...

Page 964: ...and gets permitted and forwarded correctly Table A 37 TestNATFibShortcut Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for looped back ports Disruption is typically less than one second Duration of the disruption depends on the configuration of the looped back port for example Spanning Tree Protocol Recommendation This test runs by default during bootup or after a reset...

Page 965: ...e disruption depends on the configuration of the looped back port for example Spanning Tree Protocol Recommendation This test runs by default during bootup or after a reset or OIR Default Off Release 12 1 13 E 12 2 14 SX Corrective action None See the system message guide for more information Hardware support Supervisor engines and DFC enabled modules Table A 40 TestACLDeny Test Attributes Attribu...

Page 966: ... packet onto two different VLANs After the diagnostic packet is sent out from the supervisor engine s inband port the test verifies that two packets are received back in the inband port on the two VLANs configured in the replication engine Recommendation Schedule during downtime Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action N...

Page 967: ...es of the replication engine Default This test runs by default during bootup or after a reset or OIR Release 12 1 13 E 12 2 14 SX Corrective action None See the system message guide for more information Hardware support Supervisor engines and WS 65xx WS 67xx and WS 68xx modules Table A 44 TestIngressSpan Test Attributes Attribute Description Disruptive Nondisruptive Disruptive for both SPAN sessio...

Page 968: ...nchronized to the fabric ASIC determines which test is used If it is synchronized the external snake test is used if it is not the internal snake test is used For both tests only the channels that are not synchronized to any modules are involved in the test The Forward direction indicates that the snaking direction is from the low numbered channel to the high numbered channel Recommendation Run th...

Page 969: ...ered channel TestSynchedFabChannel The TestSynchedFabChannel test periodically checks the fabric synchronization status for both the module and the fabric This test is available only for fabric enabled modules This test is not a packet switching test so it does not involve the data path This test sends an SCP control message to the module and fabric to query the synchronization status Table A 47 T...

Page 970: ...result in a fabric switchover Exhaustive Memory Tests The exhaustive memory tests include the following tests TestFibTcamSSRAM page A 29 TestAsicMemory page A 29 TestAclQosTcam page A 30 TestNetflowTcam page A 30 Table A 49 TestFabricSCh0Health Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Do not turn this test off Use as a health monitoring test Defau...

Page 971: ... Disruption is several hours Recommendation Use this test only if you suspect a problem with the hardware or before putting the hardware into a live network Do not run any traffic in the background on the module that you are testing The supervisor engine must be rebooted after running this test Default Off Release 12 1 20 E 12 2 14 SX 12 2 17a SX Corrective action Not applicable Hardware support A...

Page 972: ...ardware or before putting the hardware into a live network Do not run any traffic in the background on the module that you are testing The supervisor engine must be rebooted after running this test Default Off Release 12 2 18 SXD Corrective action Not applicable Hardware support All modules including supervisor engines Table A 54 TestNetflowTcam Test Attributes Attribute Description Disruptive Non...

Page 973: ...minutes and can vary depending on whether you are testing the PFC3A PFC3BXL or PFC3B Recommendation Use this test only if you suspect a problem with the hardware or before putting the hardware into a live network Do not run any traffic in the background on the module that you are testing The supervisor engine must be rebooted after running this test Default Off Release 12 2 18 SXD Corrective actio...

Page 974: ...hoPkt The TestHapiEchoPkt test sends a Hapi Echo packet to the crypto engine using the control path After the Hapi Echo packet is sent to the crypto engine it is echoed back from the crypto engine The packet is sent from the supervisor engine inband port to the crypto engine using index direct and is sent back using broadcast to a diagnostic VLAN Table A 56 TestIPSecClearPkt Test Attributes Attrib...

Page 975: ...ficStress test stress tests the switch and the installed modules by configuring all of the ports on the modules into pairs which then pass packets between each other After allowing the packets to pass through the switch for a predetermined period the test verifies that the packets are not dropped Table A 58 TestIPSecEncryptDecryptPkt Test Attributes Attribute Description Disruptive Nondisruptive N...

Page 976: ...e A 26 for a description of these tests TestL3HealthMonitoring The TestL3HealthMonitoring test triggers a set of diagnostic tests involving IPv4 and IPv6 packet switching on a local DFC whenever the system tries to self recover from a detected hardware fault The tests shut down the front panel port usually port 1 for testing purposes If the diagnostic tests are not passing it is an indication that...

Page 977: ...n SCP control message to the module and fabric to query the synchronization status Recommendation Do not disable Default On Release 12 2 14 SX Corrective action Not applicable Hardware support DFC equipped modules Table A 61 TestL3HealthMonitoring Test Attributes continued Table A 62 TestTxPathMonitoring Test Attributes Attribute Description Disruptive Nondisruptive Nondisruptive Recommendation Do...

Page 978: ...hooting information see the documents listed on this page http www cisco com en US products hw routers ps368 tsd_products_support_series_home html Table A 64 ScheduleSwitchover Test Attributes Attribute Description Disruptive Nondisruptive Disruptive Recommendation Schedule this test during downtime to test the ability of the standby supervisor engine to take over after a switchover Default Off Re...

Page 979: ...ol Support AMP Active Monitor Present APaRT Automated Packet Recognition and Translation ARP Address Resolution Protocol ATA Analog Telephone Adaptor ATM Asynchronous Transfer Mode AV attribute value BDD binary decision diagrams BECN backward explicit congestion notification BGP Border Gateway Protocol BPDU bridge protocol data unit BRF bridge relay function BSC Bisync BSTUN Block Serial Tunnel BU...

Page 980: ...ncentrator relay function CST Common Spanning Tree CUDD University of Colorado Decision Diagram DCC Data Country Code dCEF distributed Cisco Express Forwarding DDR dial on demand routing DE discard eligibility DEC Digital Equipment Corporation DFC Distributed Forwarding Card DFI Domain Specific Part Format Identifier DFP Dynamic Feedback Protocol DISL Dynamic Inter Switch Link DLC Data Link Contro...

Page 981: ...cation FM feature manager FRU field replaceable unit fsck file system consistency check FSM feasible successor metrics GARP General Attribute Registration Protocol GMRP GARP Multicast Registration Protocol GVRP GARP VLAN Registration Protocol HSRP Hot Standby Routing Protocol ICC Inter card Communication ICD International Code Designator ICMP Internet Control Message Protocol IDB interface descrip...

Page 982: ...link error monitor LER link error rate LES LAN Emulation Server LLC Logical Link Control LTL Local Target Logic MAC Media Access Control MD5 Message Digest 5 MFD multicast fast drop MSFC Multilayer Switch Feature Card MIB Management Information Base MII media independent interface MLS Multilayer Switching MLSE maintenance loop signaling entity MOP Maintenance Operation Protocol MOTD message of the...

Page 983: ...and Maintenance ODM order dependent merge OSI Open System Interconnection OSM Optical Services Module OSPF open shortest path first PAE port access entity PAgP Port Aggregation Protocol PBD packet buffer daughterboard PC Personal Computer formerly PCMCIA PCM pulse code modulation PCR peak cell rate PDP policy decision point PDU protocol data unit PEP policy enforcement point PFC Policy Feature Car...

Page 984: ...R route processor redundancy RPR route processor redundancy plus RSPAN remote SPAN RST reset RSVP ReSerVation Protocol SAID Security Association Identifier SAP service access point SCM service connection manager SCP Switch Module Configuration Protocol SDLC Synchronous Data Link Control SGBP Stack Group Bidding Protocol SIMM single in line memory module SLB server load balancing SLCP Supervisor Li...

Page 985: ...ol Protocol Internet Protocol TFTP Trivial File Transfer Protocol TIA Telecommunications Industry Association TopN Utility that allows the user to analyze port traffic by reports TOS type of service TLV type length value TTL Time To Live TVX valid transmission UDLD UniDirectional Link Detection Protocol UDP User Datagram Protocol UNI User Network Interface UTC Coordinated Universal Time VACL VLAN ...

Page 986: ...n Guide Release 12 2SX OL 4266 08 Appendix A Acronyms WCCP Web Cache Communications Protocol WFQ weighted fair queueing WRED weighted random early detection WRR weighted round robin XNS Xerox Network System Table A 1 List of Acronyms continued Acronym Expansion ...

Page 987: ...ol 13 A AAA 1 abbreviating commands 5 access control entries and lists 1 access enable host timeout not supported 2 access port configuring 14 ACEs and ACLs 1 acronyms list of 1 addresses IP see IP addresses MAC see MAC addresses advertisements VTP 3 aggregate label 2 4 aggregate policing see QoS policing aging time accelerated for MSTP 25 maximum for MSTP 26 aging time IP MLS 8 alarms major 11 mi...

Page 988: ...rmat 13 BPDU guard See STP BPDU guard bridge groups 2 bridge ID See STP bridge ID bridge priority STP 30 bridge protocol data units see BPDUs bridging 2 broadcast storms see traffic storm control C cautions for passwords encrypting 17 TACACS 17 CDP configuration task lists 2 enabling on an interface 3 monitoring and maintaining 3 overview 1 cdp enable command 3 CEF 1 configuring MSFC2 5 supervisor...

Page 989: ...nment variable description 25 config register command 23 config terminal command 10 configuration file saving 11 interfaces 8 to 10 register changing settings 23 configuration 21 to 24 settings at startup 22 configuration example EoMPLS port mode 17 20 EoMPLS VLAN mode 17 configuration register boot field listing value 24 modification tasks 23 configure command 9 configure terminal command 23 2 co...

Page 990: ...tion command 16 destination ip flow mask 3 destination source ip flow mask 3 DHCP binding database See DHCP snooping binding database DHCP binding table See DHCP snooping binding database DHCP option 82 circuit ID suboption 5 overview 3 packet format suboption circuit ID 5 remote ID 5 remote ID suboption 5 DHCP option 82 allow on untrusted port 10 DHCP snooping binding database See DHCP snooping b...

Page 991: ...imiters 8 15 IP errors rate limiters 10 19 IPv4 multicast rate limiters 10 19 IPv6 multicast rate limiters 20 Layer 2 PDU rate limiters 10 19 Layer 2 protocol tunneling rate limiters 10 19 MTU failure rate limiters 18 multicast directyly connected rate limiters 20 multicast FIB miss rate limiters 20 multicast IGMP snooping rate limiters 10 19 network under SYN attack 13 QoS ACLs 12 security ACLs 1...

Page 992: ...ess ACL support for remarked DSCP 62 egress replication performance improvement 14 Embedded CiscoView 2 enable command 10 23 enable mode 5 enable sticky secure MAC address 10 enabling IP MMLS on router interfaces 11 encapsulation 3 enhanced interface range command 4 environmental monitoring LED indications 11 SNMP traps 11 supervisor engine and switching modules 12 Syslog messages 11 using CLI com...

Page 993: ...tocol over LAN 1 F fabric switching mode See switch fabric module fabric switching mode allow dcef only command on Supervisor Engine 720 2 fall back bridging 2 fastethernet 2 fiber optic detecting unidirectional links 1 FIB TCAM 3 filters NDE destination host filter specifying 17 destination TCP UDP port specifying 17 protocol 18 source host and destination TCP UDP port 17 Flash memory configurati...

Page 994: ...ecifying custom 15 IEEE 802 1s See MST IEEE 802 1w See MST See RSTP IEEE 802 3ad See LACP IEEE 802 3x Flow Control 13 IEEE bridging protocol 2 IGMP configuration guidelines 8 7 enabling 10 Internet Group Management Protocol 1 join messages 2 leave processing enabling 12 queries 3 query interval configuring 11 snooping fast leave 5 joining multicast group 2 leaving multicast group 4 understanding 2...

Page 995: ...ol 14 set to default 14 IP CEF topology figure 4 ip flow export destination command 14 ip flow export source command 12 13 15 3 4 ip full flow mask 3 ip http server 1 ip interface full flow mask 3 IP MLS aging time 8 flow masks destination ip 3 destination source ip 3 interface destination source ip 3 ip full 3 ip interface full 3 minimum 7 overview 3 IP MMLS cache overview 2 configuration guideli...

Page 996: ...unk 8 defaults 5 interface modes 4 show interfaces 12 13 7 12 switching understanding 1 trunks understanding 3 VLAN interface assignment 12 Layer 2 Interfaces configuring 1 Layer 2 protocol tunneling configuring Layer 2 tunnels 2 overview 1 Layer 2 remarking 18 Layer 2 Traceroute 1 Layer 2 traceroute and ARP 2 and CDP 2 described 1 IP addresses and subnets 2 MAC addresses and VLANs 2 multicast tra...

Page 997: ...ooping query interval configuring 12 MLDv2 1 enabling 10 leave processing enabling 13 queries 5 snooping fast leave 7 joining multicast group 4 leaving multicast group 6 understanding 2 snooping querier enabling 9 understanding 2 MLDv2 Snooping 1 MLS configuring threshold 15 MSFC threshold 15 mls aging command configuring IP MLS 8 mls flow command configuring IP MLS 7 9 12 mls ip multicast command...

Page 998: ...9 MPLS QoS configuration class map to classify MPLS packets 20 MPLS VPN limitations and restrictions 11 MQC 1 not supported CAR 3 queuing 3 supported policy maps 3 MST 15 boundary ports 19 configuration 18 configuring 33 edge ports 20 enabling 34 hop count 20 instances 18 interoperability 16 interoperability with PVST 16 link type 20 master 20 message age 20 regions 18 19 MSTP boundary ports confi...

Page 999: ...lticast IGMP snooping and 9 MLDv2 snooping and 10 NetFlow statistics 10 non RPF 5 overview 1 PIM snooping 4 RGMP 1 multicast displaying routing table 21 Multicast enhancement egress replication performance improvement 14 Multicast Enhancement Replication Mode Detection 12 multicast flood blocking 1 multicast groups joining 2 leaving 6 4 multicast groups IPv6 joining 4 Multicast Listener Discovery ...

Page 1000: ...guring 1 nonaggregate label 2 4 non RPF multicast 5 Nonstop Forwarding See NSF nonvolatile random access memory See NVRAM normal range VLANs See VLANs NSF 1 NSF with SSO does not support IPv6 multicast traffic 1 NVRAM saving settings 11 O OIR 16 online diagnostics configuring 2 memory tests 10 overview 1 running tests 5 test descriptions 1 understanding 1 online diagnostic tests 1 online insertion...

Page 1001: ...guration guidelines 6 configuring initializing authentication of a client 11 manual reauthentication of a client 11 quiet period 12 RADIUS server 10 RADIUS server parameters on the switch 9 switch to authentication server retransmission time 14 switch to client EAP request frame retransmission time 13 switch to client frame retransmission number 14 switch to client retransmission time 12 default c...

Page 1002: ...enabling disabling redundancy 2 overview 1 powering modules up or down 3 system power requirements nine slot chassis 5 primary links 1 primary VLANs 2 priority overriding CoS 7 8 private VLANs 1 across multiple switches 5 and SVIs 6 benefits of 2 community VLANs 2 3 configuration guidelines 7 9 11 configuring 11 host ports 14 pomiscuous ports 15 routing secondary VLAN ingress traffic 13 secondary ...

Page 1003: ... CoS and ToS values 14 QoS internal DSCP values 12 QoS L3 Switching Engine classification marking and policing 11 feature summary 19 QoS labels definition 124 QoS mapping CoS values to DSCP values 85 88 DSCP markdown values 30 89 16 DSCP mutation 83 30 DSCP values to CoS values 90 IP precedence values to DSCP values 88 QoS markdown 23 QoS marking definition 124 trusted ports 17 untrusted ports 17 ...

Page 1004: ...col See RSTP rapid spanning tree protocol 15 receive queues see QoS receive queues recirculation 4 15 reduced MAC address 2 redundancy NSF 1 configuring BGP 14 CEF 13 EIGRP 19 IS IS 16 OSPF 15 configuring multicast NSF with SSO 13 configuring supervisor engine 10 routing protocols 4 redundancy RPR 1 configuring 6 configuring supervisor engine 5 displaying supervisor engine configuration 7 redundan...

Page 1005: ...inks 11 26 root ports 11 root port defined 10 See also MSTP S SAID 6 sample configuration 2 to 10 Sampled NetFlow description 8 saving the configuration file 11 scheduling see QoS secondary VLANs 2 Secure MAC Address Aging Type 12 security configuring 1 security port 2 security precautions with Flash memory card 25 serial interfaces clearing 18 synchronous maintaining 18 service policy command 67 ...

Page 1006: ...st summary displaying IP MMLS configuration 22 25 show mls nde command 18 displaying NDE flow IP address 15 show mls rp command displaying IP MLS configuration 8 show module command 7 show protocols command 17 show rif command 17 show running config command 10 16 17 show startup config command 11 show version command 9 23 24 17 shutdown command 18 shutdown interfaces result 18 Single Spanning Tree...

Page 1007: ...static route configuring 12 statistics 802 1X 16 Sticky ARP 34 sticky ARP 34 sticky MAC address 3 Sticky secure MAC addresses 10 11 storm control see traffic storm control STP configuring 22 bridge priority 30 enabling 22 24 forward delay time 32 hello time 31 maximum aging time 32 port cost 28 port priority 27 root bridge 24 secondary root switch 26 defaults 21 EtherChannel 5 understanding 2 802 ...

Page 1008: ...es 12 synchronizing configurations 20 7 Supervisor Engine 32 1 supervisor engine redundancy configuring 10 5 supervisor engines displaying redundancy configuration 7 Switched Port Analyzer See SPAN switch fabric functionality 2 configuring 4 monitoring 4 switch fabric module 1 configuring 3 monitoring 5 slot locations 2 switchport configuring 14 example 13 show interfaces 12 13 7 12 switchport acc...

Page 1009: ...r 2 and ARP 2 and CDP 2 described 1 IP addresses and subnets 2 MAC addresses and VLANs 2 multicast traffic 2 multiple devices on a port 2 unicast traffic 1 usage guidelines 2 traffic flood blocking 1 traffic storm control command broadcast 4 described 1 monitoring 5 thresholds 1 traffic suppression see traffic storm control translational bridge numbers defaults 6 transmit queues see QoS transmit q...

Page 1010: ...g See UMFB unknown unicast flood blocking See UUFB untrusted see QoS trust cos see QoS untrusted upgrade guidelines 15 UplinkFast See STP UplinkFast URD 10 User Based Rate Limiting 22 79 user EXEC mode 5 UUFB 1 V VACLs 2 configuring 4 examples 9 Layer 3 VLAN interfaces 8 Layer 4 port operations 7 logging configuration example 11 configuring 11 restrictions 11 MAC address based 5 multicast packets ...

Page 1011: ...ions 2 configuration guidelines 5 configuring IP phone for data traffic override CoS of incoming frame 7 8 configuring ports for voice traffic in 802 1Q frames 6 connecting to an IP phone 6 default configuration 5 overview 1 VPN configuration example 12 guidelines and restrictions 11 VTP advertisements 3 client configuring 9 configuration guidelines 5 default configuration 5 disabling 9 domains 2 ...

Reviews:

No comments

Related manuals for 7600 Series

Watchguard AP200 Setup Manual preview
AP200
Brand: Watchguard Pages: 40
3Com 3C3FE574BT Quick Start Manual preview
3C3FE574BT
Brand: 3Com Pages: 8
Tyco Electronics 8 Port 10/100Mbit/s Ethernet Smart Switch with Fibre Uplink Product User Manual preview
8 Port 10/100Mbit/s Ethernet Smart Switch with Fibre Uplink
Brand: Tyco Electronics Pages: 18
Quick Eagle Networks 5842 Specification Sheet preview
5842
Brand: Quick Eagle Networks Pages: 4
Juniper TX MATRIX PLUS Hardware Manual preview
TX MATRIX PLUS
Brand: Juniper Pages: 502
iDirect iQ Desktop+ Installation, Support, And Maintenance Manual preview
iQ Desktop+
Brand: iDirect Pages: 52
PaloAlto Networks ION 1200 Series Hardware Reference Manual preview
ION 1200 Series
Brand: PaloAlto Networks Pages: 90
SIIG ID-P20211-S1 Quick Installation Manual preview
ID-P20211-S1
Brand: SIIG Pages: 20
CELOT CTR-180 User Manual preview
CTR-180
Brand: CELOT Pages: 34
VoiceLine InnoMedia MTA 3328-2R Getting Started Manual preview
InnoMedia MTA 3328-2R
Brand: VoiceLine Pages: 18
ZALMAN CNPS5X PERFORMA User Manual preview
CNPS5X PERFORMA
Brand: ZALMAN Pages: 8
B&B Electronics Elinx EIR508 Series Quick Start Manual preview
Elinx EIR508 Series
Brand: B&B Electronics Pages: 2
Symantec SV1800 Series Safety And Regulatory Compliance Manual preview
SV1800 Series
Brand: Symantec Pages: 100
Boss Vocal Performer VE-20 Owner'S Manual preview
Vocal Performer VE-20
Brand: Boss Pages: 20
Supermicro AOC-STG-I2 User Manual preview
AOC-STG-I2
Brand: Supermicro Pages: 15
Sun Microsystems McDATA Eclipse 1620 Release Notes preview
McDATA Eclipse 1620
Brand: Sun Microsystems Pages: 9
Miranda Imagestore Intuition+ User Manual preview
Imagestore Intuition+
Brand: Miranda Pages: 60
EMC VNX5300 Block Hardware Information Manual preview
VNX5300 Block
Brand: EMC Pages: 88

Brands by name

Popular brands

Load more brands